MC-34097 Update supported PHP version

src/_includes/install/php-versions-template.md

@@ -2,10 +2,6 @@ Supported PHP versions:
 
 {% for version in supported_php_versions %}
 
-{% if version != '~7.1.3' %}
-
 *  {{ version }}
 
-{% endif %}
-
 {% endfor %}

src/_includes/install/trouble/rc_php-version.md

@@ -3,31 +3,31 @@
 
 You might encounter the following issues with the PHP version readiness check:
 
-*  The check fails because you're using an unsupported PHP version.
+*  The check fails because you are using an unsupported PHP version.
 
 To solve this issue, use one of the supported versions listed in our [System Requirements]({{ page.baseurl }}/install-gde/system-requirements.html).
 
 *  The check reports the incorrect PHP version.
 
 Typically, this happens only to advanced users who have multiple PHP versions installed. In some cases, the readiness check fails; in other cases, it might pass.
 
-*  The PHP readiness check doesn't display the PHP version as the following figure shows.
+*  The PHP readiness check does not display the PHP version as the following figure shows.
 
  ![]({{ site.baseurl }}/common/images/upgr-tshoot-no-cron.png)
 
 This is a symptom of incorrect cron job setup. For more information, see [Set up cron jobs]({{ page.baseurl }}/install-gde/install/post-install-config.html#post-install-cron).
 
 ### PHP version is incorrect
 
-If the PHP version reported by the readiness check is incorrect, it's the result of a mismatch of PHP versions between the PHP CLI and the web server plug-in. Magento requires you to use *one version* of PHP for both the CLI (which runs cron) and the web server (which runs the Magento Admin, Component Manager, and System Upgrade).
+If the PHP version reported by the readiness check is incorrect, it is the result of a mismatch of PHP versions between the PHP CLI and the web server plug-in. Magento requires you to use *one version* of PHP for both the CLI (which runs cron) and the web server (which runs the Magento Admin, Component Manager, and System Upgrade).
 
-We assume that if you have this issue, you're an advanced user who has likely installed multiple versions of PHP on your system.
+We assume that if you have this issue, you are an advanced user who has likely installed multiple versions of PHP on your system.
 
 To resolve the issue, try the following:
 
 *  Restart your web server or php-fm.
 *  Check the `$PATH` environment variable for multiple paths to PHP
-*  Use the `which php` command to locate the first PHP executable in your path; if it's not correct, remove it or create a symlink to the correct PHP version
+*  Use the `which php` command to locate the first PHP executable in your path; if it is not correct, remove it or create a symlink to the correct PHP version
 *  Use a [`phpinfo.php`]({{ page.baseurl }}/install-gde/prereq/optional.html#install-optional-phpinfo) page to collect more information
 *  Make sure you are running a supported PHP version according to our [System Requirements]({{ page.baseurl }}/install-gde/system-requirements.html)
 *  Set the same PHP settings for both the PHP command line and the PHP web server plug-in as discussed in [PHP configuration options]({{ page.baseurl }}/install-gde/prereq/php-settings.html)

src/guides/v2.3/config-guide/secy/hashing.md

@@ -3,7 +3,7 @@ group: configuration-guide
 title: Password hashing
 ---
 
-Currently Magento uses its own strategy for password hashing, based on different native PHP hashing algorithms. Magento supports multiple algorithms like `MD5`, `SHA256`, or `Argon 2ID13`. If the Sodium extension is installed (installed by default in PHP 7.2), then `Argon 2ID13` will be chosen as the default hashing algorithm. Otherwise, `SHA256` will be as default. As Magento still supports PHP 7.1.x, we cannot use the native PHP `password_hash` function with Argon 2i algorithm support, which was added in the PHP 7.2 release.
+Currently Magento uses its own strategy for password hashing, based on different native PHP hashing algorithms. Magento supports multiple algorithms like `MD5`, `SHA256`, or `Argon 2ID13`. If the Sodium extension is installed (installed by default in PHP 7.3), then `Argon 2ID13` will be chosen as the default hashing algorithm. Otherwise, `SHA256` will be as default. Magento can use the native PHP `password_hash` function with Argon 2i algorithm support.
 
 To avoid compromising older passwords that have been hashed with outdated algorithms like `MD5`, the current implementation provides a method to upgrade the hash without changing the original password. In general, the password hash has the following format:
 

src/guides/v2.3/install-gde/prereq/apache.md

@@ -35,7 +35,7 @@ If you are new to all this and need some help getting started, we suggest the fo
 
 ## Important: Apache rewrites and .htaccess {#apache-help-rewrite}
 
-This topic discusses how to enable Apache 2.2 rewrites and specify a setting for the [distributed configuration file, `.htaccess`](http://httpd.apache.org/docs/current/howto/htaccess.html){:target="_blank"}.
+This topic discusses how to enable Apache 2.4 rewrites and specify a setting for the [distributed configuration file, `.htaccess`](http://httpd.apache.org/docs/current/howto/htaccess.html){:target="_blank"}.
 
 Magento uses server rewrites and `.htaccess` to provide directory-level instructions for Apache. The following instructions are included in all of the other sections in this topic as well.
 
@@ -75,19 +75,18 @@ Server built: Jul 22 2014 14:35:32
 *  If Apache is *not* installed, see:
    *  [Installing or upgrading Apache on Ubuntu](#install-prereq-apache-ubuntu)
    *  [Installing Apache on CentOS](#install-prereq-apache-centos)
-*  If Apache 2.2 is installed on Ubuntu 12 *and* you want to use [PHP](https://glossary.magento.com/php) 5.6, see the next section
 
 ## Installing or upgrading Apache on Ubuntu {#install-prereq-apache-ubuntu}
 
 The following sections discusses how to install or upgrade Apache:
 
 *  Install Apache
-*  Upgrade to Apache 2.4 on Ubuntu 12 to use PHP 7+
+*  Upgrade to Apache 2.4 on Ubuntu 12 to use PHP 7.3+
 
 ### Installing Apache on Ubuntu 16, 14, or 12 {#install-prereq-apache-ubuntu-install}
 
 {% collapsible Click to show/hide content %}
-To install the default version of Apache (Ubuntu 14, 16---Apache 2.4, Ubuntu 12---Apache 2.2):
+To install the default version of Apache (Ubuntu 14, 16---Apache 2.4):
 
 1. Install Apache
 
@@ -127,7 +126,7 @@ Next steps
 
 {% collapsible Click to show/hide content %}
 
-To use PHP 5.6 on Ubuntu 12, you must upgrade Apache to version 2.4. (By default, Ubuntu 12 comes with Apache 2.2.)
+To use PHP 7.3 on Ubuntu 12, you must upgrade Apache to version 2.4. (By default, Ubuntu 12 comes with Apache 2.2.)
 
 To upgrade to Apache 2.4:
 
@@ -190,7 +189,7 @@ Installing and configuring Apache is basically a three-step process: install the
 
 ### Installing Apache {#apache-install-centos}
 
-1. Install Apache 2.4 if you haven't already done so.
+1. Install Apache 2.4 if you have not already done so.
 
    ```bash
    yum -y install httpd
@@ -313,9 +312,6 @@ Next steps
 {% collapsible Click to install solve 403 errors %}
 If you encounter 403 Forbidden errors when trying to access the Magento site, you can update your Apache configuration or your virtual host configuration to enable visitors to the site as discussed in one of the following sections:
 
-*  [Solving 403 Forbidden errors for Apache 2.4](#apache-error-2-4)
-*  [Solving 403 Forbidden errors for Apache 2.2](#apache-error-2-2)
-
 ### Solving 403 Forbidden errors for Apache 2.4 {#apache-error-2-4}
 
 To enable website visitors to access your site, use one of the [Require directives](http://httpd.apache.org/docs/2.4/howto/access.html){:target="_blank"}.
@@ -333,24 +329,6 @@ For example:
 
 {:.bs-callout-info}
 The preceding values for `Order` might not work in all cases. For more information, see the [Apache documentation](https://httpd.apache.org/docs/2.4/mod/mod_access_compat.html#order){:target="_blank"}.
-
-### Solving 403 Forbidden errors for Apache 2.2 {#apache-error-2-2}
-
-To enable website visitors to access your site, use the [Allow directive](http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#allow){:target="_blank"}.
-
-For example:
-
-```conf
-<Directory /var/www/>
-  Options Indexes FollowSymLinks MultiViews
-  AllowOverride All
-  Order allow,deny
-  Allow from all
-</Directory>
-```
-
-{:.bs-callout-info}
-The preceding values for `Order` might not work in all cases. For more information, see the [Apache documentation](https://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#order){:target="_blank"}.
 {% endcollapsible %}
 
 {:.ref-header}

src/guides/v2.3/install-gde/prereq/merch_install.md

@@ -21,9 +21,9 @@ If you don't use GoDaddy, you might need to contact your hosting provider's tech
 
 Magento requires the following software to run:
 
-*  Web server: Apache 2.2 or 2.4
-*  Programming language: [PHP](https://glossary.magento.com/php) 5.6.x or 5.5.x
-*  Database: MySQL 5.6.x
+*  Web server: Apache 2.4
+*  Programming language: [PHP](https://glossary.magento.com/php) 7.3
+*  Database: MySQL 5.7.9
 
  {:.bs-callout-info}
 We recommend you contact GoDaddy support to verify all of the preceding are installed and get their assistance if any of the software is not installed.

src/guides/v2.3/install-gde/prereq/nginx.md

@@ -44,20 +44,20 @@ To install and configure `php-fpm`:
 1. Install `php-fpm` and `php-cli`:
 
    ```bash
-   apt-get -y install php7.2-fpm php7.2-cli
+   apt-get -y install php7.3-fpm php7.3-cli
    ```
 
    {:.bs-callout-info}
-   This command installs the latest available version of PHP 7.2.X. See [Magento 2.3.x technology stack requirements]({{ page.baseurl }}/install-gde/system-requirements-tech.html) for supported PHP versions.
+   This command installs the latest available version of PHP 7.3.X. See [Magento technology stack requirements]({{ page.baseurl }}/install-gde/system-requirements-tech.html) for supported PHP versions.
 
 1. Open the `php.ini` files in an editor:
 
    ```bash
-   vim /etc/php/7.2/fpm/php.ini
+   vim /etc/php/7.3/fpm/php.ini
    ```
 
    ```bash
-   vim /etc/php/7.2/cli/php.ini
+   vim /etc/php/7.3/cli/php.ini
    ```
 
 1. Edit both files to match the following lines:
@@ -76,7 +76,7 @@ To install and configure `php-fpm`:
 1. Restart the `php-fpm` service:
 
    ```bash
-   systemctl restart php7.2-fpm
+   systemctl restart php7.3-fpm
    ```
 
 ### Install and configure MySQL
@@ -93,7 +93,7 @@ There are several ways to download the Magento software, including:
 
 *  [Clone the git repository]({{ page.baseurl }}/install-gde/prereq/dev_install.html)
 
-For this example, we'll install using Composer and the command line.
+For this example, we will install using Composer and the command line.
 
 {:.bs-callout-info}
 You cannot use the Web Setup Wizard when installing Magento on nginx. You must use the command line.

src/guides/v2.3/install-gde/prereq/php-settings.md

@@ -11,10 +11,6 @@ redirect_from:
 
 This topic discusses how to set required [PHP](https://glossary.magento.com/php) options.
 
-{:.bs-callout-info}
-All 3rd party libraries now support PHP 7.2.
-If you are interested in participating in Magento Community projects we welcome your help! See our [ZenHub board](https://app.zenhub.com/workspace/o/magento-engcom/php-7.2-support/boards?repos=116423356,116426364,115111902) for a full list of outstanding issues.
-
 <!--{% assign supported_php_versions = site.data.codebase.v2_3.open-source.composer_lock.platform.php | split: "||" %}-->
 {% include install/php-versions-template.md %}
 
@@ -31,7 +27,7 @@ php -v
 If [PHP](https://glossary.magento.com/php) is installed, a message similar to the following displays:
 
 ```terminal
-PHP 7.2.0 (cli) (built: Jan 9 2018 09:23:16) ( NTS )
+PHP 7.3.0 (cli) (built: Aug 14 2019 16:42:46) ( NTS )
 Copyright (c) 1997-2018 The PHP Group
 Zend Engine v3.1.0, Copyright (c) 1998-2018 Zend Technologies with Zend OPcache v7.1.6, Copyright (c) 1999-2018, by Zend Technologies
 ```
@@ -53,10 +49,23 @@ php -m
 ```
 
 to see the list of installed modules. Verify that the listed extensions are installed.
-If any modules are missing, they are added using the same workflow used for installing PHP. For example, if you use `yum` to install PHP, the PHP 7.2 modules can be added with:
+If any modules are missing, they are added using the same workflow used for installing PHP. For example, if you use `yum` to install PHP, the PHP 7.3 modules can be added with:
 
 ```bash
- yum -y install php72u-pdo php72u-mysqlnd php72u-opcache php72u-xml php72u-gd php72u-devel php72u-mysql php72u-intl php72u-mbstring php72u-bcmath php72u-json php72u-iconv php72u-soap
+ yum -y install php73u
+ -pdo php73u
+ -mysqlnd php73u
+ -opcache php73u
+ -xml php73u
+ -gd php73u
+ -devel php73u
+ -mysql php73u
+ -intl php73u
+ -mbstring php73u
+ -bcmath php73u
+ -json php73u
+ -iconv php73u
+ -soap
 ```
 
 ## Check PHP settings

src/guides/v2.3/install-gde/trouble/tshoot_access-browser.md

@@ -14,7 +14,7 @@ redirect_to: https://support.magento.com/hc/en-us/articles/360033117152
 
 ### Symptom: The following message displays when you try to access the Magento storefront or Admin:
 
-Magento supports PHP 7.1.3 or later. Please read [Magento System Requirements]({{ page.baseurl }}/install-gde/system-requirements-tech.html).
+Magento supports PHP 7.3 or later. Please read [Magento System Requirements]({{ page.baseurl }}/install-gde/system-requirements-tech.html).
 
 #### Solution
 

src/guides/v2.4/config-guide/secy/hashing.md

@@ -0,0 +1,55 @@
+---
+group: configuration-guide
+title: Password hashing
+---
+
+Currently Magento uses its own strategy for password hashing, based on different native PHP hashing algorithms. Magento supports multiple algorithms like `MD5`, `SHA256`, or `Argon 2ID13`. If the Sodium extension is installed (installed by default in PHP 7.3), then `Argon 2ID13` will be chosen as the default hashing algorithm. Otherwise, `SHA256` will be as default. Magento can use the native PHP `password_hash` function with Argon 2i algorithm support.
+
+To avoid compromising older passwords that have been hashed with outdated algorithms like `MD5`, the current implementation provides a method to upgrade the hash without changing the original password. In general, the password hash has the following format:
+
+```text
+password_hash:salt:version<n>:version<n>
+```
+
+where `version<n>`...`version<n>` represents all the hash algorithms versions used on the password. Also, the salt is always stored together with the password hash, so we can restore the entire chain of algorithms. An example looks like:
+
+```text
+a853b06f077b686f8a3af80c98acfca763cf10c0e03597c67e756f1c782d1ab0:8qnyO4H1OYIfGCUb:1:2
+```
+
+The first part represents the password hash. The second, `8qnyO4H1OYIfGCUb` is the salt. The last two are the different hash algorithms: 1 is `SHA256` and  2 is `Argon 2ID13`. This means that the customer's password was originally hashed with `SHA256` and after that, the algorithm was updated with `Argon 2ID13` and the hash was re-hashed with Argon.
+
+## Upgrade hash strategy
+
+Consider what the hash upgrade mechanism looks like. Assume that originally, a password was hashed with `MD5` and then the algorithm was updated multiple times with Argon 2ID13. The following diagram shows the hash upgrade flow.
+
+![Hash upgrade workflow]({{ site.baseurl }}/common/images/archi_hash_upgrade_algorithm.png)
+
+Each hash algorithm uses the previous password hash to generate a new hash. Magento does not store the original, raw password.
+
+![Hash upgrade strategy]({{ site.baseurl }}/common/images/archi_hash_upgrade_strategy.png)
+
+As discussed above, the password hash might have multiple hash versions applied to the original password.
+Here is how the password verification mechanism works during a customer authentication.
+
+```php
+def verify(password, hash):
+    restored = password
+
+    hash_map = extract(hash)
+    # iterate through all versions specified in the received hash [md5, sha256, argon2id13]
+    for version in hash_map.get_versions():
+        # generate new hash based on password/previous hash, salt and version
+        restored = hash_func(salt . restored, version)
+
+    # extract only password hash from the hash:salt:version chain
+    hash = hash_map.get_hash()
+
+    return compare(restored, hash)
+```
+
+Since Magento stores all used password hashes versions together with the password hash, we can restore the whole hash chain during the password verification. The hash verification mechanism is similar to the hash upgrade strategy: based on versions stored together with the password hash, the algorithm generates hashes from the provided password and returns the comparison result between hashed password and the database stored hash.
+
+## Implementation
+
+The `\Magento\Framework\Encryption\Encryptor` class is responsible for password hash generation and verification. The [`bin/magento customer:hash:upgrade`](https://devdocs.magento.com/guides/v2.4/reference/cli/magento.html#customerhashupgrade) command upgrades a customer password hash to the latest hash algorithm.