remicollet
Member

SSLv2 is deprecated and insecure

Recent OpenSSL versions have dropped it
Linux distributions have already disabled it (with older OpenSSL versions)

So this is mostly a cleanup, which ensures SSLv2 is never available even when built with an old and insecure OpenSSL version.

@remicollet
Member Author

Open to discussion ;)

I think 7.0.6 is a good candidate for this
I also plan to open the cleanup of SSLv3, later, against master

@bukka
Member

bukka commented Mar 17, 2016

I'm not really sure what the issue is here that it has to target a bug-fixing release. SSLv2 and SSLv3 have not been negotiated for SSLv23 (ssl and https streams, for example) for some time:

/* v23 no longer negotiates SSL2 or SSL3 */

The only thing that this does is remove streams that explicitly ask for SSLv2 and SSLv3. Such users already know what they want if they use these streams. It's as if you wanted to remove all weak ciphers from openssl_encrypt because they are weak. I don't think that we should do that, especially not in a bug-fixing release, because it is not a bug. It's of course important to have sensible defaults and not negotiate SSLv2 and SSLv3 by default, but that's already done.

That being said, I wouldn't be against removing the sslv2 stream in 7.1. However, sslv3 should be kept as it's still supported by OpenSSL 1.1 and might be useful for some interoperability cases.

@bukka
Member

bukka commented Mar 18, 2016

Just to correct my previous comment. This of course doesn't remove sslv3 but just sslv2. In any case this is not negotiated by default, as I said. So I don't see any reason why this should be removed in a bug-fixing release.

@php-pulls

Comment on behalf of bukka at php.net:

Merged in 839dc42

@php-pulls php-pulls closed this Jul 17, 2016