Request #76420 tls version change
Submitted: 2018-06-06 13:54 UTC
Modified: 2018-08-19 18:10 UTC
From: 24dnlj6zphz at brukerfeil dot eu
Assigned: bukka
Status: Wont fix
Package: OpenSSL related
PHP Version: Next Major Version
OS: *
Private report: No
CVE-ID: None

 [2018-06-06 13:54 UTC] 24dnlj6zphz at brukerfeil dot eu
Description:
------------
TLS versions prior to TLS 1.2 contain security issues and are deprecated.
All major cloud providers are now also disabling older versions.

The default ssl method when not specified by client code in PHP is sslv2/3.
This opens up security issues and also breaks TLS servers that no longer support old versions.

I suggest changing the default tls version to 1.2.
I have attached a patch, but I'm not 100% sure it is correct.



Patches

patch.diff (last revision 2018-06-06 13:54 UTC) by 24dnlj6zphz at brukerfeil dot eu

 [2018-06-06 14:13 UTC] 24d3dlct6vz5txut at brukerfeil dot eu
Additional note:

Connecting to a TLS 1.2-only webserver with fsockopen works using URL ssl:// but not tls://


PHP Warning:  fsockopen(): SSL operation failed with code 1. OpenSSL Error messages:
error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version in - on line 3
PHP Warning:  fsockopen(): Failed to enable crypto in - on line 3
 [2018-08-19 18:10 UTC] bukka@php.net
-Status: Open +Status: Wont fix -Assigned To: +Assigned To: bukka
 [2018-08-19 18:10 UTC] bukka@php.net
There is already a min version set to TLS 1.0 (don't get confused by the sslv2/3 name - it's for all versions and the minimum is set elsewhere) which will be negotiated if only TLS 1.1 or TLS 1.2 is not available - basically it starts with TLS 1.2, then 1.1 and lastly 1.0. This is a sensible default as it still allows communication with older server versions in a secure way, but you are free to set your preferred min proto version or just use a tlsv1.2 stream if you prefer.
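
The override mentioned in the reply above, as an added example that is not part of the report or of PHP's own code: a client stream whose `crypto_method` context option allows only TLS 1.2 (and TLS 1.3 where the build defines the constant), reporting the protocol actually negotiated. The function name `open_tls12_stream` is hypothetical and the host is whatever is passed on the command line.

```php
<?php
// Added example, not from the bug report. The target host is supplied by the caller.

/**
 * Open a TLS client stream that refuses anything below TLS 1.2.
 * Returns [stream resource, negotiated protocol name].
 */
function open_tls12_stream(string $host, int $port = 443, float $timeout = 10.0): array
{
    // Bitmask of allowed client protocols; it replaces the transport's default set,
    // so a server offering only TLS 1.0/1.1 fails the handshake instead of downgrading.
    $methods = STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT;
    if (defined('STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT')) {
        $methods |= STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT; // newer PHP builds only
    }

    $ctx = stream_context_create([
        'ssl' => [
            'crypto_method'    => $methods,
            'verify_peer'      => true,   // keep certificate validation on
            'verify_peer_name' => true,
            'peer_name'        => $host,
        ],
    ]);

    $errno = 0;
    $errstr = '';
    // Warnings are left visible: on a version mismatch PHP prints the OpenSSL
    // "alert protocol version" message, as in the report above.
    $fp = stream_socket_client("tls://{$host}:{$port}", $errno, $errstr,
                               $timeout, STREAM_CLIENT_CONNECT, $ctx);
    if ($fp === false) {
        throw new RuntimeException("TLS connect to {$host}:{$port} failed: {$errstr} ({$errno})");
    }

    // The 'crypto' metadata describes the established session.
    $meta = stream_get_meta_data($fp);
    return [$fp, $meta['crypto']['protocol'] ?? 'unknown'];
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    try {
        [$fp, $protocol] = open_tls12_stream($argv[1]);
        echo "Negotiated {$protocol} with {$argv[1]}\n";
        fclose($fp);
    } catch (RuntimeException $e) {
        fwrite(STDERR, $e->getMessage() . "\n");
        exit(1);
    }
}
```

Logging the negotiated protocol per connection is a cheap way to find peers that still depend on the TLS 1.0 fallback before tightening the allowed set.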
 
Last updated: Thu Oct 18 20:01:25 2018 UTC