php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Request #76420 tls version change
Submitted: 2018-06-06 13:54 UTC Modified: 2018-08-19 18:10 UTC
Votes:2
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: 24dnlj6zphz at brukerfeil dot eu Assigned: bukka (profile)
Status: Wont fix Package: OpenSSL related
PHP Version: Next Major Version OS: *
Private report: No CVE-ID: None
View Developer Edit
 [2018-06-06 13:54 UTC] 24dnlj6zphz at brukerfeil dot eu 
Description:
------------
TLS-versions prior to TLS 1.2 contain security issues and are deprecated.
All major cloud providers are now also disabling older versions

The default ssl method when not specified by client code in PHP is sslv2/3.
This opens up for security issues and also breaks tls-servers that no longer support old versions.

I suggest changing the default tls version to 1.2.
I have attached a patch, but I'm not 100% sure it is correct.

Patches

patch.diff (last revision 2018-06-06 13:54 UTC by 24dnlj6zphz at brukerfeil dot eu)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-06-06 14:13 UTC] 24d3dlct6vz5txut at brukerfeil dot eu 
Additional note:

Connecting to a TLS 1.2-only webserver with fsockopen works using URL ssl:// but not tls://


PHP Warning:  fsockopen(): SSL operation failed with code 1. OpenSSL Error messages:
error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version in - on line 3
PHP Warning:  fsockopen(): Failed to enable crypto in - on line 3
 [2018-08-19 18:10 UTC] bukka@php.net
-Status: Open +Status: Wont fix -Assigned To: +Assigned To: bukka
 [2018-08-19 18:10 UTC] bukka@php.net 
There is already min version set to TLS 1.0 (don't get confused by the sslv2/3 name - it's for all version and minimum is set elsewhere) which will be negotiated if only TLS 1.1 or TLS 1.2 is not available - basically it starts with TLS 1.2, then 1.1 and at last 1.0. This is a sensible default as it still allows communication with older server versions in a secure way but you are free to set your preferred min proto version or just use tlsv1.2 stream if you prefer.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Mon Feb 10 10:01:30 2025 UTC