PHP RFC: Improved SSL / TLS constants
- Version: 0.1.1
- Date: 2017-05-15
- Author: Niklas Keller, email@example.com
- Status: Merged to 7.2
- First Published at: http://wiki.php.net/rfc/improved-tls-constants
This RFC proposes to change PHP's TLS constants to sane values. This change has been avoided by the previous RFC for PHP 5.6 due to BC reasons. This RFCs favors better security instead of backwards compatibility with version intolerant and out of date servers.
tls://default to TLSv1.0 + TLSv1.1 + TLSv1.2
ssl://an alias of
STREAM_CRYPTO_METHOD_TLS_*constants default to TLSv1.0 + TLSv1.1 + TLSv1.2 instead of TLSv1.0 only
STREAM_CRYPTO_METHOD_TLS_* will be changed in the future when newer versions of TLS are available without going through the RFC process.
Backward Incompatible Changes
This might break connection attempts to TLS servers with only TLS 1.0 enabled and that are version intolerant at the same time. This also breaks
ssl:// wrapper connections if only SSL is supported by the remote host, but no TLS. While strongly discouraged, an explicit context option passing
STREAM_CRYPTO_METHOD_SSLv2_* | STREAM_CRYPTO_METHOD_SSLv3_* | STREAM_CRYPTO_METHOD_TLS can be used to restore the old behavior.
Proposed PHP Version(s)
This change will be merged into 7.2 if accepted.
In the future
STREAM_CRYPTO_METHOD_SSLv23_CLIENT should be deprecated and SSL support completely removed.
This is a simple 50%+1 vote with yes and no options. The voting started on 29th of May 2017 and will end on 5th of June 2017.