rfc:improved-tls-defaults

rfc:improved-tls-defaults [2014/02/12 16:09] – Update examples rdlowrey
rfc:improved-tls-defaults [2017/09/22 13:28] (current) – external edit 127.0.0.1
Line 1: Line 1:
  
 ====== Improved TLS Defaults ====== ====== Improved TLS Defaults ======
-  * Version: 0.10+  * Version: 0.11
   * Date: 2014-01-28   * Date: 2014-01-28
   * Author: Daniel Lowrey, rdlowrey@php.net   * Author: Daniel Lowrey, rdlowrey@php.net
-  * Status: Vote+  * Status: Implemented
   * First Published at: http://wiki.php.net/rfc/improved-tls-defaults   * First Published at: http://wiki.php.net/rfc/improved-tls-defaults
-  * Minor Revision (v0.1 → v0.2): 2014-01-28 
-  * Major Revision (v0.2 → v0.3): 2014-01-29 
-  * Minor Revision (v0.3 → v0.4): 2014-01-30 
-  * Minor Revision (v0.4 → v0.5): 2014-01-30 
-  * Major Revision (v0.5 → v0.6): 2014-02-01 
-  * Minor Revision (v0.6 → v0.7): 2014-02-02 
-  * Minor Revision (v0.7 → v0.8): 2014-02-03 
-  * Minor Revision (v0.8 → v0.9): 2014-02-06 
-  * Minor Revision (v0.9 → v0.10): 2014-02-11 
  
 ===== Introduction ===== ===== Introduction =====
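Review bot: deleting the nine dated Minor/Major Revision bullets from the header removes the only record of when v0.1 through v0.10 changed, and the "== Revisions ==" list at the end of the page carries no dates. Suggest moving those dated entries into the Revisions section instead of dropping them, and adding a dated entry for v0.11 next to the Status change to Implemented.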
Line 45: Line 36:
   * [[https://wiki.php.net/rfc/improved-tls-defaults#honor_cipher_order|Create "honor_cipher_order" context option]]   * [[https://wiki.php.net/rfc/improved-tls-defaults#honor_cipher_order|Create "honor_cipher_order" context option]]
   * [[https://wiki.php.net/rfc/improved-tls-defaults#expose_negotiated_values|Expose negotiated values]]   * [[https://wiki.php.net/rfc/improved-tls-defaults#expose_negotiated_values|Expose negotiated values]]
-  * [[https://wiki.php.net/rfc/improved-tls-defaults#forward_secrecy_for_servers|Forward secrecy for servers]]+  * [[https://wiki.php.net/rfc/improved-tls-defaults#server_forward_secrecy|Server forward secrecy]]
   * [[https://wiki.php.net/rfc/improved-tls-defaults#expose_default_cert_paths|Expose default cert paths]]   * [[https://wiki.php.net/rfc/improved-tls-defaults#expose_default_cert_paths|Expose default cert paths]]
-  * [[https://wiki.php.net/rfc/improved-tls-defaults#stream_wrapper_creep|Deprecate superfluous stream wrappers and allow protocol flags]]+  * [[https://wiki.php.net/rfc/improved-tls-defaults#stream_wrapper_creep|Allow fine-grained protocol selection flags]]
  
 ===== Default Ciphers ===== ===== Default Ciphers =====
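Review bot: the last bullet's link text becomes "Allow fine-grained protocol selection flags" but its anchor stays "#stream_wrapper_creep", so the table of contents still points at a section named for the wrapper deprecation this revision withdraws. Suggest renaming the section heading and anchor together, as was done for "#server_forward_secrecy", so the anchor matches the new bullet text.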
Line 75: Line 66:
 ''!ADH'' ''!ADH''
  
-  * Anonymous Diffie-Hellman ciphers disallowed as per [[http://www.ietf.org/rfc/rfc2246.txt|RFC2246 Section A.5]]+  * Anonymous Diffie-Hellman ciphers disallowed as per [[http://tools.ietf.org/html/rfc2246#appendix-A.5|RFC2246 Section A.5]]
  
 ''!RC4'' ''!RC4''
Line 193: Line 184:
 Users may wish to access information regarding the negotiated protocol and/or cipher for a given Users may wish to access information regarding the negotiated protocol and/or cipher for a given
 encrypted session. The ''stream_get_meta_data()'' wrapper_data abstraction is avoided here to prevent encrypted session. The ''stream_get_meta_data()'' wrapper_data abstraction is avoided here to prevent
-conflicts with other wrappers (I'm looking at you, ''http'' wrapper). The context option approach +conflicts with other wrappers. The context option approach also remains consistent with the existing 
-also remains consistent with the existing ''capture_peer_cert'' and ''capture_peer_cert_chain'' boolean +''capture_peer_cert'' and ''capture_peer_cert_chain'' boolean context abstractions. When the new 
-context abstractions. When the new context option is truthy the ''['ssl']['session_meta']'' context +context option is truthy the ''['ssl']['session_meta']'' context option is populated with an 
-option is populated with an informational array as shown here:+informational array as shown here:
  
 **Example** **Example**
Line 224: Line 215:
 </code> </code>
  
-===== Forward Secrecy for Servers =====+===== Server Forward Secrecy =====
  
 **Proposal** **Proposal**
  
-Encrypted client streams already support [[http://en.wikipedia.org/wiki/Forward_secrecy|forward secrecy]] +Encrypted client streams already fully support [[http://en.wikipedia.org/wiki/Forward_secrecy|forward secrecy]] 
-as this functionality is largely implemented server-side. However, the patch proposed here makes it possible for +(PFS) as this functionality is largely implemented server-side. Servers currenty have some limited 
-encrypted PHP stream //servers// to also achieve (perfect) forward secrecy when negotiating cipher +support for PFS, however, the proposed patch adds several new context options for fine-grained control 
-suites that utilize ephemeral key agreements.+in servers negotiating cipher suites that utilize ephemeral key agreements
 + 
 +//NOTE:// Servers deploying certificates capable of PFS aren't required to take any additional action 
 +to achieve forward secrecy. The proposed context options simply allow fine-grained configuration and 
 +broader potential FS support/compatibility for older clients.
  
 **New Context Options** **New Context Options**
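Review bot: the new paragraph has a typo ("currenty" for "currently") and its last sentence ends without a full stop after "ephemeral key agreements". The added NOTE also attributes forward secrecy to "certificates capable of PFS", while the sentence above it ties PFS to cipher suites that use ephemeral key agreements; suggest wording the NOTE consistently, e.g. "Servers whose configuration allows ephemeral (DHE/ECDHE) cipher suites aren't required to take any additional action", so readers are not sent looking for a certificate property.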
Line 291: Line 286:
 // to enable crypto in a non-blocking way ... // to enable crypto in a non-blocking way ...
  
-stream_socket_enable_crypto($client, $enable = TRUE, STREAM_CRYPTO_SERVER);+stream_socket_enable_crypto($client, $enable = TRUE, STREAM_CRYPTO_METHOD_ANY_SERVER);
  
 ?> ?>
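Review bot: style point on the unchanged context line: passing `$enable = TRUE` as the second argument performs an assignment inside the call. The example reads more clearly as `stream_socket_enable_crypto($client, TRUE, STREAM_CRYPTO_METHOD_ANY_SERVER);`.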
Line 386: Line 381:
  
   * Internally re-value the existing ''STREAM_CRYPTO_METHOD_*'' constants to allow the assignment of crypto methods using bitwise flags instead of values. Users may specify any combination of these constants to control the allowed protocols for a given client or server stream. Meanwhile, the ''"crypto_method"'' context option already included as part of 5.6 allows all code to specify exactly which methods are appropriate for a given operation.   * Internally re-value the existing ''STREAM_CRYPTO_METHOD_*'' constants to allow the assignment of crypto methods using bitwise flags instead of values. Users may specify any combination of these constants to control the allowed protocols for a given client or server stream. Meanwhile, the ''"crypto_method"'' context option already included as part of 5.6 allows all code to specify exactly which methods are appropriate for a given operation.
-  * Remove the new stream wrappers previously merged for inclusion in 5.6: +  * New ''tlsv1.0'' wrapper to represent the OpenSSL ''TLSv1_server_method()'' and ''TLSv1_client_method()'' API 
-        * ''tlsv1.1'' +  * Repurpose the ''tls'' wrapper to mean "Any TLS protocol (1, 1.1, 1.2)" instead of "only TLSv1"
-        * ''tlsv1.2'' +
-  * Deprecate the following stream wrappers in PHP 5.6 with removal (tentativelyscheduled for PHP 6: +
-        * ''sslv2'' +
-        * ''sslv3'' +
- +
-**Logic** +
- +
-The main reason for reshuffling the stream wrappers is simplicity. Most users are unlikely to know +
-the difference between the various protocols much less which they should use. It's not difficult to +
-imagine a scenario in which a user reasons, //"If SSL is safe, SSLv2 and SSLv3 must be REALLY safe. +
-I should use those."// Such users are likely to have no idea what "tls" means and forego it completely +
-despite its standing as the most secure option. +
- +
-So the overarching goal in this change is two-fold: +
- +
-  * Keep users safe by default without preventing them from doing insecure things if they need to do so; +
-  * Eliminate the confusion of having many different wrappers for encrypted streams. By deprecating the superfluous stream wrappers we //simplify// the ecosystem at the same time we're actually //adding// new functionality (via customized flag protocol specification). +
- +
-Note again that the protocol-specific stream wrappers //are not// removed. Their use will trigger an +
-''E_DEPRECATED'' warning but they will continue to function as before. +
- +
-Note also that the ''tls'' stream wrapper will now negotiate the best available of the TLS1TLSv1.1 +
-and TLSv1.2 protocols. Because ''ext/openssl'' did not support TLSv1.1 and TLSv1.2 prior to PHP 5.6 +
-this wrapper was previously only able to negotiate TLSv1+
- +
-**BC Implications of Proposed Stream Wrapper Changes** +
- +
-//None.// +
- +
-The only implications for existing code are the ''E_DEPRECATED'' messages for the ''sslv2'' and +
-''sslv3'' stream wrappers. Note that //only// stream wrapper usages trigger deprecation +
-notices. This notice triggering has nothing to do with the underlying protocols; it only occurs when +
-using the wrappers made unnecessary by the introduction of protocol flags. Users are encouraged to +
-specify protocol flags in their stream contexts to avoid these deprecation notices.+
  
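Review bot: repurposing the `tls` wrapper from "only TLSv1" to "any TLS protocol (1, 1.1, 1.2)" is a behaviour change for existing callers, yet this hunk also deletes the entire "BC Implications of Proposed Stream Wrapper Changes" block. The new bullet list should keep a short BC note for the `tls` wrapper; the removed sentence stating that the wrapper was previously only able to negotiate TLSv1 is the one worth retaining. The new `tlsv1.0` bullet should also say how it sits alongside the `tlsv1.1` and `tlsv1.2` wrappers whose removal this revision withdraws.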
 **Existing Constant Re-Valuing** **Existing Constant Re-Valuing**
Line 438: Line 399:
  STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT = (1 << 5 | 1), /* New in 5.6 */  STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT = (1 << 5 | 1), /* New in 5.6 */
  STREAM_CRYPTO_METHOD_TLS_CLIENT = ((1 << 3) | (1 << 4) | (1 << 5) | 1), /* Any TLS protocol */  STREAM_CRYPTO_METHOD_TLS_CLIENT = ((1 << 3) | (1 << 4) | (1 << 5) | 1), /* Any TLS protocol */
- STREAM_CRYPTO_CLIENT = ((1 << 1) | (1 << 2) | (1 << 3) | (1 << 4) | (1 << 5) | 1), /* Any protocol */+ STREAM_CRYPTO_METHOD_ANY_CLIENT = ((1 << 1) | (1 << 2) | (1 << 3) | (1 << 4) | (1 << 5) | 1), /* Any protocol */
  STREAM_CRYPTO_METHOD_SSLv2_SERVER = (1 << 1),  STREAM_CRYPTO_METHOD_SSLv2_SERVER = (1 << 1),
  STREAM_CRYPTO_METHOD_SSLv3_SERVER = (1 << 2),  STREAM_CRYPTO_METHOD_SSLv3_SERVER = (1 << 2),
Line 446: Line 407:
  STREAM_CRYPTO_METHOD_TLSv1_2_SERVER = (1 << 5), /* New in 5.6 */  STREAM_CRYPTO_METHOD_TLSv1_2_SERVER = (1 << 5), /* New in 5.6 */
  STREAM_CRYPTO_METHOD_TLS_SERVER = ((1 << 3) | (1 << 4) | (1 << 5)) /* Any TLS protocol */  STREAM_CRYPTO_METHOD_TLS_SERVER = ((1 << 3) | (1 << 4) | (1 << 5)) /* Any TLS protocol */
- STREAM_CRYPTO_SERVER = ((1 << 1) | (1 << 2) | (1 << 3) | (1 << 4) | (1 << 5)), /* Any protocol */+ STREAM_CRYPTO_METHOD_ANY_SERVER = ((1 << 1) | (1 << 2) | (1 << 3) | (1 << 4) | (1 << 5)), /* Any protocol */
 } php_stream_xport_crypt_method_t; } php_stream_xport_crypt_method_t;
 </code> </code>
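Review bot: the enumerator `STREAM_CRYPTO_METHOD_TLS_SERVER = ((1 << 3) | (1 << 4) | (1 << 5)) /* Any TLS protocol */` has no trailing comma before `STREAM_CRYPTO_METHOD_ANY_SERVER`, so the enum as shown does not compile; add the comma. The comma after the final enumerator is legal but reads as if another entry were expected.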
Line 456: Line 417:
 legacy naming convention is a source of constant confusion for users not versed in the inner-workings legacy naming convention is a source of constant confusion for users not versed in the inner-workings
 of OpenSSL. Here we use the more natural connotation and translate ''SSLv23'' for our purposes to of OpenSSL. Here we use the more natural connotation and translate ''SSLv23'' for our purposes to
-mean "either SSLv2 or SSLv3."+mean "either SSLv2 or SSLv3." ''STREAM_CRYPTO_METHOD_ANY_CLIENT'' and ''STREAM_CRYPTO_METHOD_ANY_SERVER'' are added to 
 +represent //"any protocol we can support."//
  
 **Examples** **Examples**
Line 532: Line 494:
 ]]); ]]);
 $sock = stream_socket_client('tls://github.com:443', $errno, $errstr, $timeout, $connFlags, $context); $sock = stream_socket_client('tls://github.com:443', $errno, $errstr, $timeout, $connFlags, $context);
- 
-?> 
-</code> 
- 
-There is no need to use the deprecated wrappers as the ''ssl'' and ''tls'' wrappers automatically negotiates 
-the best available protocol. However, for the sake of completeness, note that the following still 
-works: 
- 
-<code php> 
-<?php 
- 
-$sock = stream_socket_client('sslv3://github.com:443'); // Triggers E_DEPRECATED, still works 
  
 ?> ?>
Line 561: Line 511:
  
 Encrypt an existing stream choosing from any protocol we can possibly support using the new catch-all Encrypt an existing stream choosing from any protocol we can possibly support using the new catch-all
-''STREAM_CRYPTO_CLIENT'' constant. This method will try all possible protocols:+''STREAM_CRYPTO_METHOD_ANY_CLIENT'' constant. This method will try all possible protocols:
  
 <code php> <code php>
Line 568: Line 518:
 $sock = stream_socket_client('tcp://github.com:443'); $sock = stream_socket_client('tcp://github.com:443');
 var_dump($sock); // resource(%d) of type (stream) var_dump($sock); // resource(%d) of type (stream)
-var_dump(stream_socket_enable_crypto($sock, TRUE, STREAM_CRYPTO_CLIENT));+var_dump(stream_socket_enable_crypto($sock, TRUE, STREAM_CRYPTO_METHOD_ANY_CLIENT));
  
 ?> ?>
Line 578: Line 528:
 **Forward Secrecy** **Forward Secrecy**
  
-Encrypted stream servers now support forward secrecy using ephemeral key exchange via RSA, DH //and// +Encrypted stream servers support improved forward secrecy using ephemeral key exchange via RSA, DH 
-elliptic curve DH.+and elliptic curve DH. No additional action is required for servers deploying certificates capable 
 +of ephemeral key exchange; new context options for fine-grained configuration are available.
  
 **Requirements for a secure client transfer prior to PHP 5.6:** **Requirements for a secure client transfer prior to PHP 5.6:**
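Review bot: "support improved forward secrecy" does not say what improved. The Server Forward Secrecy section states that servers already had limited PFS support and that the new context options add fine-grained control, so say that here. As in that section, "certificates capable of ephemeral key exchange" ties forward secrecy to the certificate, whereas the preceding sentence ties it to the ephemeral RSA/DH/ECDH key exchange; suggest the same consistent wording in both places.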
Line 633: Line 584:
 ===== Removed Features Originally Planned for 5.6 ===== ===== Removed Features Originally Planned for 5.6 =====
  
-The following stream wrappers currently merged into 5.6 are marked for removal in this proposal: +Originally this RFC proposed the deprecation and future remove of the protocol-specific wrappers. 
- +This recommendation was removed to retain the ability for streams without access to a stream context 
-  tlsv1.1 +to interface with protocol-specific clients and serversIn particular, the ''fsockopen'' function 
-  tlsv1.2 +cannot accept a stream context. As a result, removing protocol-specific stream wrappers would render 
- +''fsockopen'' unusable for encrypted transfers with parties not using broadly compatible handshake 
-These wrappers were added for 5.6 prior to the advent of bitwise crypto method specification. The +hello methods.
-direction chosen in this proposal obviates the need for these wrappers which have never +
-been part of an official release. Their removal has no BC implications.+
  
 ===== Backward Incompatible Changes ===== ===== Backward Incompatible Changes =====
  
 Most existing code is expected to work without any BC implications. The only source of potential breakage Most existing code is expected to work without any BC implications. The only source of potential breakage
-involves the scenario where users connect to servers employing outdated/insecure encryption technologies. +involves the scenario where users connect to servers employing seriously outdated/insecure encryption 
-For these users the option always exists to manually override secure defaults with insecure settings +technologies. For these users the option always exists to manually override secure defaults with 
-in the stream context.+insecure settings in the stream context.
  
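Review bot: two typos in the new paragraph: "future remove" should be "future removal", and "clients and serversIn particular" is missing the full stop and space between the sentences. The paragraph also gives the `fsockopen` rationale without naming which protocol-specific wrappers are therefore retained; listing them (the `sslv2`, `sslv3`, `tlsv1.0`, `tlsv1.1` and `tlsv1.2` wrappers referred to elsewhere on the page) would make the section self-contained.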
 ===== Proposed PHP Version ===== ===== Proposed PHP Version =====
Line 659: Line 608:
 Provides userland access to the default cipher list used for stream encryption. Provides userland access to the default cipher list used for stream encryption.
  
-''STREAM_CRYPTO_CLIENT''+''STREAM_CRYPTO_METHOD_ANY_CLIENT''
  
 Crypto method interpreted as "any client crypto method we can possibly support." Applications may Crypto method interpreted as "any client crypto method we can possibly support." Applications may
 use this method for maximum compatibility with SSLv2, SSLv3, TLSv1, TLSv1.1 and TLSv1.2 servers. use this method for maximum compatibility with SSLv2, SSLv3, TLSv1, TLSv1.1 and TLSv1.2 servers.
  
-''STREAM_CRYPTO_SERVER''+''STREAM_CRYPTO_METHOD_ANY_SERVER''
  
 Crypto method interpreted as "any server crypto method we can possibly support." Applications may Crypto method interpreted as "any server crypto method we can possibly support." Applications may
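Review bot: the `STREAM_CRYPTO_METHOD_ANY_CLIENT` description promotes "maximum compatibility with SSLv2, SSLv3, TLSv1, TLSv1.1 and TLSv1.2 servers" without saying that this widens the protocol set beyond the secure defaults. The Backward Incompatible Changes section frames connecting to "seriously outdated/insecure" servers as something users must opt into manually; this reference entry should state explicitly that `STREAM_CRYPTO_METHOD_ANY_CLIENT` is that opt-in and is intended only for peers that cannot negotiate TLS.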
Line 681: Line 630:
   * Should PHP implement the recommendations in this proposal as part of 5.6?   * Should PHP implement the recommendations in this proposal as part of 5.6?
  
-===== Patches and Tests ===== +https://github.com/php/php-src/pull/593
- +
-The proposed changes and tests are available here: +
- +
-https://github.com/rdlowrey/php-src/compare/php:PHP-5.6...improved-tls-defaults +
- +
-===== Implementation ===== +
- +
-TBD+
  
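Review bot: the bare pull request URL now sits directly under the vote question bullet with no heading, because this hunk removes both the "===== Patches and Tests =====" and "===== Implementation =====" headings together with the introducing sentence. Keep a "Patches and Tests" heading above the link, and since Status is now Implemented, replace the "TBD" Implementation section with one naming the merged pull request and the PHP version it landed in rather than deleting it.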
 ===== Vote ===== ===== Vote =====
Line 699: Line 640:
 of the RFC. They are noted here to avoid confusion. of the RFC. They are noted here to avoid confusion.
  
-<doodle title="Should the proposed TLS changes be merged for 5.6?" auth="rdlowrey" voteType="single" closed="false">+<doodle title="Should the proposed TLS changes be merged for 5.6?" auth="rdlowrey" voteType="single" closed="true">
    * Yes    * Yes
    * No    * No
Line 706: Line 647:
 Thanks for your time :) Thanks for your time :)
  
-===== Rejected Features ===== 
  
-TBD 
  
 +== Revisions ==
  
 +v0.11 Updated constant names, protocol-specific stream wrappers no longer deprecated
  
-== Revisions == +v0.10 Removed default verify depth setting; tls wrapper no longer deprecated
- +
-v0.10 Removed default verify depth setting; tls:// wrapper no longer deprecated+
  
 v0.9  Added server forward secrecy, updated default cipher list v0.9  Added server forward secrecy, updated default cipher list
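Review bot: "== Revisions ==" is the only heading on the page at that level; every other section uses "===== ... =====". Suggest promoting it to match so it renders with the other top-level sections.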
rfc/improved-tls-defaults.1392221392.txt.gz · Last modified: 2017/09/22 13:28 (external edit)