
PHP RFC: Improved SSL / TLS constants

Introduction

This RFC proposes to change PHP's TLS constants to sane values. The previous RFC, for PHP 5.6, avoided this change for backwards-compatibility reasons. This RFC favors better security over backwards compatibility with version-intolerant and out-of-date servers.

Proposal

  • Make tls:// default to TLSv1.0 + TLSv1.1 + TLSv1.2
  • Make ssl:// an alias of tls://
  • Make STREAM_CRYPTO_METHOD_TLS_* constants default to TLSv1.0 + TLSv1.1 + TLSv1.2 instead of TLSv1.0 only

STREAM_CRYPTO_METHOD_TLS_* will be updated, without going through the RFC process, whenever newer versions of TLS become available.

Backward Incompatible Changes

This might break connection attempts to TLS servers that have only TLS 1.0 enabled and are version intolerant at the same time. It also breaks ssl:// wrapper connections to remote hosts that support only SSL and no TLS. While strongly discouraged, an explicit context option passing STREAM_CRYPTO_METHOD_SSLv2_* | STREAM_CRYPTO_METHOD_SSLv3_* | STREAM_CRYPTO_METHOD_TLS can be used to restore the old behavior.
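The following PHP snippet is an added example, not part of the RFC or of PHP's own sources. It shows how an application pins the protocol versions it accepts through the 'crypto_method' context option instead of relying on the wrapper default this RFC changes, and how to read back the negotiated protocol; the host name is a placeholder.

```php
<?php
// Added example (not from the RFC). Builds a client stream context whose
// allowed protocol versions are an explicit bitmask of the per-version
// STREAM_CRYPTO_METHOD_TLSv1_*_CLIENT constants, the same way the
// STREAM_CRYPTO_METHOD_TLS_* default is composed after this RFC
// (TLSv1.0 + TLSv1.1 + TLSv1.2). Peer verification stays enabled.
function tlsClientContext(int $cryptoMethod)
{
    return stream_context_create([
        'ssl' => [
            'crypto_method'     => $cryptoMethod,
            'verify_peer'       => true,
            'verify_peer_name'  => true,
            'allow_self_signed' => false,
        ],
    ]);
}

// Accept TLS 1.1 and TLS 1.2 only: an explicit mask always overrides the
// tls:// wrapper default, so the application does not depend on it.
$allowed = STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT | STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT;

// Placeholder host; replace with the server being tested.
$host = 'example.invalid';

$stream = stream_socket_client(
    "tls://{$host}:443",
    $errno,
    $errstr,
    10,
    STREAM_CLIENT_CONNECT,
    tlsClientContext($allowed)
);

if ($stream === false) {
    // A handshake failure here is the kind of break the RFC describes:
    // the server offers no version inside the mask (e.g. TLS 1.0 only,
    // or an SSL-only host reached through the ssl:// alias).
    fwrite(STDERR, "Connection failed: [{$errno}] {$errstr}\n");
    exit(1);
}

// The openssl stream wrapper exposes the negotiated protocol and cipher
// under the 'crypto' key of the stream metadata (PHP 5.6 and later).
$meta = stream_get_meta_data($stream);
printf("Negotiated %s using %s\n",
    $meta['crypto']['protocol'], $meta['crypto']['cipher_name']);
fclose($stream);
```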

Proposed PHP Version(s)

This change will be merged into 7.2 if accepted.

Future Scope

In the future STREAM_CRYPTO_METHOD_SSLv23_CLIENT should be deprecated and SSL support completely removed.

Voting

This is a simple 50%+1 vote with yes and no options. The voting started on 29th of May 2017 and will end on 5th of June 2017.

Improved SSL / TLS constants

  Real name                  Yes   No
  ashnazg (ashnazg)           x
  danack (danack)             x
  daverandom (daverandom)     x
  dm (dm)                     x
  emir (emir)                 x
  galvao (galvao)             x
  kelunik (kelunik)           x
  kguest (kguest)             x
  nikic (nikic)               x
  ocramius (ocramius)         x
  peehaa (peehaa)             x
  pollita (pollita)           x
  trowski (trowski)           x
  zeev (zeev)                 x
  Final result:              14     0

This poll has been closed.

Patches and Tests

References

rfc/improved-tls-constants.txt · Last modified: 2017/09/22 13:28 (external edit)