Remove insecure SSLv3 fallback, use TLS 1.2 if possible #2131
Conversation
|
@kelunik, thanks for your PR! By analyzing the history of the files in this pull request, we identified @splitbrain, @whoopdedo and @Klap-in to be potential reviewers. |
inc/HTTPClient.php
Outdated
| // @link https://bugs.php.net/69195 | ||
| $cryptoMethod = PHP_VERSION_ID >= 50600 && PHP_VERSION_ID <= 50606 | ||
| ? STREAM_CRYPTO_METHOD_TLS_CLIENT | ||
| : STREAM_CRYPTO_METHOD_SSLv23_CLIENT; // actually means neither SSLv2 nor SSLv3 |
There was a problem hiding this comment.
I would prefer to have this in a proper if/then/else structure with parentheses instead of a multi line tertiary operator.
Also according to http://php.net/manual/en/function.stream-socket-enable-crypto.php, the crypto type parameter is optional since 5.6. Would it make sense to omit it completely instead? That way this would be more future proof?
There was a problem hiding this comment.
It's only optional if it's set in the stream context. PHP's defaults are also borked, I fixed that in PHP 7.2.
I don't really care whether it's a tertiary or an if, I'd definitely agree if there were more conditions.
There was a problem hiding this comment.
I see. Can you adjust the syntax? Then I'll push the big green button ;-)
STREAM_CRYPTO_METHOD_TLS_CLIENT is only TLS 1.0 except for PHP 5.6.0-5.6.6 and 7.2.0+.
kelunik
force-pushed
the
http-client-tls
branch
from
9083821
to
f7813a6
Compare
|
thanks! |
STREAM_CRYPTO_METHOD_TLS_CLIENT is only TLS 1.0 except for PHP 5.6.0-5.6.6 and 7.2.0+.