Author: Niklas Keller (kelunik)

PHP RFC: Improved SSL / TLS constants

Introduction

This RFC proposes to change PHP's TLS constants to sane values. The change was avoided by the previous RFC for PHP 5.6 for backward compatibility (BC) reasons. This RFC favors better security over backward compatibility with version-intolerant and out-of-date servers.

Proposal

  • Make tls:// default to TLSv1.0 + TLSv1.1 + TLSv1.2
  • Make ssl:// an alias of tls://
  • Make STREAM_CRYPTO_METHOD_TLS_* constants default to TLSv1.0 + TLSv1.1 + TLSv1.2 instead of TLSv1.0 only

STREAM_CRYPTO_METHOD_TLS_* will be changed in the future when newer versions of TLS are available without going through the RFC process.

Backward Incompatible Changes

This might break connection attempts to TLS servers that have only TLS 1.0 enabled and are version intolerant at the same time (that is, servers which abort the handshake when the client offers a higher protocol version instead of negotiating down to TLS 1.0). It also breaks ssl:// wrapper connections if the remote host supports only SSL but no TLS. While strongly discouraged, an explicit crypto_method context option passing STREAM_CRYPTO_METHOD_SSLv2_* | STREAM_CRYPTO_METHOD_SSLv3_* | STREAM_CRYPTO_METHOD_TLS_* can be used to restore the old behavior.
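As an added example (not part of the RFC text or of PHP's own code), the following script shows how a client controls the negotiated protocol range explicitly through the crypto_method context option: the recommended direction (TLS 1.2, plus TLS 1.3 where the constant exists), the wrapper default this RFC changes, and the discouraged pre-RFC behavior described above. The host example.com, the port and the helper function names are illustrative; STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT is probed with defined() because it only exists on PHP releases newer than the one this RFC targets.

```php
<?php
declare(strict_types=1);

/*
 * Added example, not part of the RFC. Three client policies expressed as
 * crypto_method bitmasks:
 *   - 'default': rely on the tls:// wrapper default (TLS 1.0 + 1.1 + 1.2 after this RFC)
 *   - 'modern':  explicitly restrict to TLS 1.2 (and TLS 1.3 where PHP defines the constant)
 *   - 'legacy':  restore the pre-RFC behaviour including SSLv2/SSLv3 (strongly discouraged)
 */
function cryptoMethodFor(string $policy): int
{
    switch ($policy) {
        case 'modern':
            $method = STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT;
            // Assumption: the TLS 1.3 constant is only present on newer PHP/OpenSSL builds.
            if (defined('STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT')) {
                $method |= STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT;
            }
            return $method;

        case 'legacy':
            // The old behaviour the RFC removes: SSLv2, SSLv3 and every TLS version.
            return STREAM_CRYPTO_METHOD_SSLv2_CLIENT
                 | STREAM_CRYPTO_METHOD_SSLv3_CLIENT
                 | STREAM_CRYPTO_METHOD_TLS_CLIENT;

        default:
            // After this RFC: TLS 1.0 + 1.1 + 1.2, no SSL.
            return STREAM_CRYPTO_METHOD_TLS_CLIENT;
    }
}

function connectWithPolicy(string $host, int $port, string $policy): void
{
    $context = stream_context_create([
        'ssl' => [
            'crypto_method'    => cryptoMethodFor($policy),
            // Keep certificate and hostname verification on; the protocol
            // range is not a substitute for either.
            'verify_peer'      => true,
            'verify_peer_name' => true,
            'peer_name'        => $host,
        ],
    ]);

    $errno  = 0;
    $errstr = '';
    $client = @stream_socket_client(
        "tls://{$host}:{$port}",
        $errno,
        $errstr,
        10,
        STREAM_CLIENT_CONNECT,
        $context
    );

    if ($client === false) {
        // A version-intolerant TLS 1.0-only server or an SSL-only server ends up
        // here under the 'default' and 'modern' policies.
        echo "[{$policy}] handshake failed: {$errstr} ({$errno})\n";
        return;
    }

    // Encrypted streams expose the negotiated protocol and cipher in the
    // 'crypto' element of the stream metadata.
    $meta = stream_get_meta_data($client);
    echo "[{$policy}] negotiated {$meta['crypto']['protocol']} with {$meta['crypto']['cipher_name']}\n";
    fclose($client);
}

connectWithPolicy('example.com', 443, 'modern');
connectWithPolicy('example.com', 443, 'default');
```

The 'legacy' branch is included only to make the BC note above concrete: it re-enables protocol versions that are broken, and a client that needs it to talk to a server should treat that server, not PHP's defaults, as the problem.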

Proposed PHP Version(s)

This change will be merged into 7.2 if accepted.

Future Scope

In the future STREAM_CRYPTO_METHOD_SSLv23_CLIENT should be deprecated and SSL support completely removed.

Patches and Tests

References

Votes

An option needs 50%+1 votes to win

Improved SSL / TLS constants (100% approved)

User         Vote
ashnazg      Yes
danack       Yes
daverandom   Yes
dm           Yes
emir         Yes
galvao       Yes
kelunik      Yes
kguest       Yes
nikic        Yes
ocramius     Yes
peehaa       Yes
pollita      Yes
trowski      Yes
zeev         Yes