PHP RFC: Improved SSL / TLS constants
- Version: 0.1.1
- Date: 2017-05-15
- Author: Niklas Keller, me@kelunik.com
- Status: Under Discussion
- First Published at: http://wiki.php.net/rfc/improved-tls-constants
Introduction
This RFC proposes to change PHP's TLS constants to sane values. This change was avoided in the previous RFC for PHP 5.6 for backwards compatibility reasons. This RFC favors better security over backwards compatibility with version-intolerant and out-of-date servers.
Proposal
- Make tls:// default to TLSv1.0 + TLSv1.1 + TLSv1.2
- Make ssl:// an alias of tls://
- Make STREAM_CRYPTO_METHOD_TLS_* constants default to TLSv1.0 + TLSv1.1 + TLSv1.2 instead of TLSv1.0 only

STREAM_CRYPTO_METHOD_TLS_* will be changed in the future when newer versions of TLS are available, without going through the RFC process.
Backward Incompatible Changes
This might break connection attempts to TLS servers that have only TLS 1.0 enabled and are version intolerant at the same time. This also breaks ssl:// wrapper connections if the remote host supports only SSL but no TLS. While strongly discouraged, an explicit context option passing STREAM_CRYPTO_METHOD_SSLv2_* | STREAM_CRYPTO_METHOD_SSLv3_* | STREAM_CRYPTO_METHOD_TLS can be used to restore the old behavior.
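An added example, not part of this RFC or of php-src, showing how client code can select the accepted TLS versions explicitly through the crypto_method context option, so the outcome does not depend on which default the running PHP version ships, and then read back the negotiated protocol. The function names and the host are assumptions:

```php
<?php
// Added example, not part of the RFC or of php-src: pin the TLS versions a
// client accepts through the "crypto_method" ssl context option, so the result
// does not depend on the default of the running PHP version, then read back
// the negotiated protocol. Function names and the host are hypothetical.
declare(strict_types=1);

// The default this RFC proposes for tls:// and STREAM_CRYPTO_METHOD_TLS_*,
// written out explicitly: TLSv1.0 + TLSv1.1 + TLSv1.2 (client side).
const TLS_1_0_TO_1_2_CLIENT = STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT
    | STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT
    | STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT;

// Opens a TLS client connection allowing only the versions in $cryptoMethod
// (a bitmask of STREAM_CRYPTO_METHOD_*_CLIENT constants), with peer
// verification enabled. Returns the connected stream resource.
function tls_connect(string $host, int $port, int $cryptoMethod = TLS_1_0_TO_1_2_CLIENT, float $timeout = 10.0)
{
    $context = stream_context_create(['ssl' => [
        'crypto_method'    => $cryptoMethod,
        'verify_peer'      => true,
        'verify_peer_name' => true,
        'peer_name'        => $host,
    ]]);

    $errno  = 0;
    $errstr = '';
    $socket = @stream_socket_client("tls://{$host}:{$port}", $errno, $errstr,
        $timeout, STREAM_CLIENT_CONNECT, $context);
    if ($socket === false) {
        // A version-intolerant or SSL-only peer (see "Backward Incompatible
        // Changes") fails here rather than silently negotiating something older.
        throw new RuntimeException("TLS connection to {$host}:{$port} failed ({$errno}): {$errstr}");
    }
    return $socket;
}

// Returns the protocol version OpenSSL negotiated, e.g. "TLSv1.2".
function negotiated_protocol($socket): string
{
    $meta = stream_get_meta_data($socket);
    return $meta['crypto']['protocol'] ?? 'unknown';
}

// Usage against a placeholder host, restricted to TLSv1.2 only.
$socket = tls_connect('tls-server.example', 443, STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT);
echo negotiated_protocol($socket), PHP_EOL;
fclose($socket);
```

Passing the bitmask explicitly gives the same result before and after this RFC is merged, which is the safest way to migrate code that currently relies on the TLSv1.0-only default.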
Proposed PHP Version(s)
This change will be merged into 7.2 if accepted.
Future Scope
In the future STREAM_CRYPTO_METHOD_SSLv23_CLIENT should be deprecated and SSL support completely removed.
Proposed Voting Choices
This will be a simple 50%+1 vote with yes and no options.