@kelunik kelunik released this 01 Apr 19:08
v0.9.6
  • Fix crypto stream method for PHP 5.6.6
  • Fix issues with general cafile paths inside PHARs
  • Update certificate bundle for PHP 5.5 legacy crypto support
  • Update default TLS cipher suites

Important Note

We updated the certificate authority bundle in this release. The bundle is used by PHP 5.5 users, because PHP 5.5 doesn't use the system's trust store yet.

With that update, all 1024-bit root certificates have been removed, as they're no longer secure enough. Issuance from 1024-bit root certificates was stopped several years ago.

Due to a bug in OpenSSL 1.0.1, certificates whose root is itself signed by another, 1024-bit root will fail to validate, because that signing 1024-bit root is no longer in the trust store.

This affects, for example, google.com and yahoo.com, which both use cross-signed roots: in Google's case "GeoTrust Global CA", which is cross-signed by "Equifax Secure Certificate Authority", a root that has been removed.

If you're using PHP 5.6 or higher, PHP automatically uses the system's trust store to validate certificates. Because of distribution root certificate programs such as Ubuntu's, Ubuntu 12.04 and 14.04 both still trust "Equifax Secure Certificate Authority", so access to google.com and yahoo.com will still work there. In that case your distribution is still shipping insecure root certificates, which puts you at risk; that is something the distributions have to fix.
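To check your own setup for the two problems described above, the following PHP 5.5-compatible script (an added example, not part of the Artax release or its code base) audits a PEM bundle for RSA roots below 2048 bits and tests whether a host's chain validates against that bundle with the local OpenSSL. The bundle path and the host list are assumptions; replace them with your own.

```php
<?php
// Added example, not Artax code. Requires the openssl extension.

// Return a list of roots in $bundlePath whose RSA key is shorter than $minBits.
function weakRoots($bundlePath, $minBits = 2048)
{
    $pem = file_get_contents($bundlePath);
    preg_match_all('/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/s', $pem, $matches);

    $weak = [];
    foreach ($matches[0] as $block) {
        $cert = openssl_x509_read($block);
        if ($cert === false) {
            continue; // unparsable entry, skip it
        }
        $info    = openssl_x509_parse($cert);
        $key     = openssl_pkey_get_public($cert);
        $details = $key ? openssl_pkey_get_details($key) : false;
        // Only RSA keys are measured here; EC roots have a different size scale.
        if ($details && $details['type'] === OPENSSL_KEYTYPE_RSA && $details['bits'] < $minBits) {
            $name   = isset($info['subject']['CN']) ? $info['subject']['CN'] : $info['name'];
            $weak[] = sprintf('%s (%d-bit RSA)', $name, $details['bits']);
        }
    }
    return $weak;
}

// Try a TLS handshake to $host:443, validating the chain only against $bundlePath.
// A failure here on OpenSSL 1.0.1 with a cross-signed root is the symptom described above.
function chainValidates($host, $bundlePath)
{
    $ctx = stream_context_create(['ssl' => [
        'verify_peer' => true,
        'cafile'      => $bundlePath,
    ]]);
    $sock = @stream_socket_client("ssl://$host:443", $errno, $errstr, 10, STREAM_CLIENT_CONNECT, $ctx);
    if ($sock === false) {
        return false;
    }
    fclose($sock);
    return true;
}

$bundle = '/path/to/cacert.pem'; // assumption: path to the bundle you ship or want to audit
foreach (weakRoots($bundle) as $w) {
    echo "weak root: $w\n";
}
foreach (['google.com', 'yahoo.com'] as $h) { // assumption: hosts known to use cross-signed roots
    printf("%s: %s\n", $h, chainValidates($h, $bundle) ? 'validates' : 'FAILS to validate');
}
```

Run it once against the old bundle and once against the updated one on the PHP/OpenSSL build you deploy; a host that validates only with the old bundle is relying on a removed 1024-bit cross-signing root.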