Distrust SHA-1 certificates #21

Closed
kelunik opened this issue Nov 24, 2016 · 2 comments
Comments

kelunik (Member) commented Nov 24, 2016

NIST recommends that SHA-1 should no longer be used for digital signatures. As of 2016-01-01, the CA/B Forum forbids issuing new SHA-1 certificates. The CA/B Forum had advised CAs, starting 2015-01-16, to issue no SHA-1 certificates with an expiration date later than 2017-01-01, as browsers had already announced that they would deprecate and remove SHA-1. Starting with Java 9, Java will also no longer accept SHA-1 by default as of 2017-01-01.

I think PHP doesn't provide a mechanism for that yet, at least I couldn't find anything in the options. Therefore we probably have to capture the certificate and chain and check it ourselves. I'm looking forward to adding such a possibility to PHP 7.2 and defaulting to not accept SHA-1 there, too.
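The approach sketched above (capture the peer's chain from the stream context and inspect the signature algorithms yourself) can be done with stock PHP stream and OpenSSL functions. The following is an added example written for this page; it is not code from the project or from PR #31. The helper names (`assertNoWeakSignatures`, `connectAndCheck`, `selfTest`) are hypothetical, and the self-test builds its own throwaway CA and leaf certificates so it runs offline. It skips self-signed trust anchors on purpose: a root's own signature is never verified during path validation, so a SHA-1 self-signature on a root is harmless, while a SHA-1 signature on a leaf or intermediate is what the deprecation is about.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not part of amphp or PHP: refuse a chain in which any
// non-self-signed certificate carries an MD2/MD5/SHA-1 signature.
function assertNoWeakSignatures(array $chain): void
{
    $weakDigests = ['sha1', 'md5', 'md2'];

    foreach ($chain as $i => $cert) {
        $parsed = openssl_x509_parse($cert);
        if ($parsed === false) {
            throw new RuntimeException("Certificate #{$i} could not be parsed");
        }

        // A self-signed anchor is trusted by identity, not by its signature,
        // so its (frequently SHA-1) self-signature does not weaken the chain.
        if ($parsed['issuer'] === $parsed['subject']) {
            continue;
        }

        // e.g. "sha1WithRSAEncryption", "ecdsa-with-SHA1", "sha256WithRSAEncryption"
        $alg = strtolower($parsed['signatureTypeLN'] ?? $parsed['signatureTypeSN'] ?? '');
        foreach ($weakDigests as $digest) {
            if (strpos($alg, $digest) !== false) {
                throw new RuntimeException(sprintf(
                    'Certificate #%d (%s) is signed with %s; refusing chain',
                    $i, $parsed['name'] ?? '?', $alg
                ));
            }
        }
    }
}

// Hypothetical: open a TLS connection, capture the chain the server sent,
// and run the signature check on top of PHP's normal peer verification.
function connectAndCheck(string $uri): void
{
    $ctx = stream_context_create(['ssl' => [
        'verify_peer'             => true,
        'verify_peer_name'        => true,
        'capture_peer_cert_chain' => true,
    ]]);

    $sock = @stream_socket_client($uri, $errno, $errstr, 10, STREAM_CLIENT_CONNECT, $ctx);
    if ($sock === false) {
        throw new RuntimeException("Connect failed ({$errno}): {$errstr}");
    }

    $params = stream_context_get_params($sock);
    $chain  = $params['options']['ssl']['peer_certificate_chain'] ?? [];
    fclose($sock);

    if ($chain === []) {
        throw new RuntimeException('No certificate chain captured');
    }
    assertNoWeakSignatures($chain);
}

// Offline self-test with constructed certificates (no network needed):
// a SHA-256 self-signed CA issues one SHA-1 leaf and one SHA-256 leaf.
function selfTest(): void
{
    $keyCfg = ['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048];

    $caKey  = openssl_pkey_new($keyCfg);
    $caCsr  = openssl_csr_new(['commonName' => 'Constructed Test CA'], $caKey, ['digest_alg' => 'sha256']);
    $caCert = openssl_csr_sign($caCsr, null, $caKey, 365, ['digest_alg' => 'sha256']);

    $leafKey = openssl_pkey_new($keyCfg);
    $leafCsr = openssl_csr_new(['commonName' => 'example.test'], $leafKey, ['digest_alg' => 'sha256']);

    foreach (['sha1', 'sha256'] as $digest) {
        $leaf = openssl_csr_sign($leafCsr, $caCert, $caKey, 365, ['digest_alg' => $digest], 2);
        try {
            assertNoWeakSignatures([$leaf, $caCert]);
            echo "{$digest} leaf: accepted\n";
        } catch (RuntimeException $e) {
            echo "{$digest} leaf: rejected ({$e->getMessage()})\n";
        }
    }
}

selfTest();
// Live check against a real host, e.g.: connectAndCheck('tls://example.com:443');
```

Two caveats for anyone lifting this: `openssl_csr_sign` needs a usable OpenSSL config file, and distributions that ship a hardened system crypto policy may refuse to create the SHA-1 test certificate at all, in which case the self-test simply cannot produce the "rejected" case. Also, `capture_peer_cert_chain` hands back the chain as the server sent it, not the path the verifier actually built, so a server that omits its root is the normal case and the self-signed skip above only matters when the root is included.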

kelunik (Member, author) commented Nov 25, 2016

kelunik (Member, author) commented Jul 3, 2017

#31 is a possible implementation.

@kelunik kelunik changed the title Distrust SHA-1 certificates as of 2017 Distrust SHA-1 certificates Sep 3, 2017
@kelunik kelunik closed this as completed in 7c2ba04 Nov 3, 2017