Add TLSv1.1 and TLSv1.2 support #483


Merged
merged 1 commit into from
Oct 17, 2013

Conversation

rdlowrey
Contributor

@rdlowrey rdlowrey commented Oct 8, 2013

This patch adds TLSv1.1 and TLSv1.2 functionality for encrypted clients and servers. Note that the first OpenSSL version with support for these newer protocols is v1.0.1 and PHP must be built against this version or the new functionality is unavailable.

New Global Constants:

  • STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT
  • STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT
  • STREAM_CRYPTO_METHOD_TLSv1_1_SERVER
  • STREAM_CRYPTO_METHOD_TLSv1_2_SERVER

New Stream Wrappers:

  • tlsv1.1://
  • tlsv1.2://

Modified Stream Wrappers:

The existing tls:// stream wrapper is now capable of negotiating TLSv1.0, TLSv1.1 or TLSv1.2 connections when built against OpenSSL >= 1.0.1.

Quick Reference on SSL/TLS:

  • SSL v2 is insecure and must not be used.
  • SSL v3 is very old and obsolete. Because it lacks some key features and because virtually all clients
    support TLS 1.0 and better, you should not support SSL v3 unless you have a very good reason.
  • TLS v1.0 is largely still secure; we do not know of major security flaws when they are used for
    protocols other than HTTP. When used with HTTP, it can almost be made secure with careful
    configuration.
  • TLS v1.1 and v1.2 are without known security issues.

-- SSL/TLS Deployment Best Practices

Note that this patch has no BC implications and should be safe to merge with 5.4 and 5.5 branches.
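How user code would pick up the constants and transport this patch introduces, as an added example (not code from the PR or from the PHP project). It assumes PHP 5.5-era context options (verify_peer, cafile, CN_match) and uses /path/to/ca-bundle.pem and /path/to/server.pem as placeholder file names.

```php
<?php
// Added example, not code from the PR: prefer the newest TLS version this PHP
// build exposes. /path/to/ca-bundle.pem and /path/to/server.pem are placeholders.

function newest_tls_client_method()
{
    // The TLSv1_1/TLSv1_2 constants exist only when PHP is built against OpenSSL >= 1.0.1.
    foreach (array('STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT',
                   'STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT') as $name) {
        if (defined($name)) {
            return constant($name);
        }
    }
    return STREAM_CRYPTO_METHOD_TLS_CLIENT; // TLSv1.0 on older OpenSSL builds
}

function tls_client($host, $port, $timeout = 5)
{
    $ctx = stream_context_create(array('ssl' => array(
        'verify_peer' => true,                  // off by default on PHP 5.5; turn it on
        'cafile'      => '/path/to/ca-bundle.pem',
        'CN_match'    => $host,                 // hostname check, pre-5.6 option name
    )));
    $sock = stream_socket_client("tcp://$host:$port", $errno, $errstr, $timeout,
                                 STREAM_CLIENT_CONNECT, $ctx);
    if ($sock === false) {
        throw new RuntimeException("connect failed: $errstr ($errno)");
    }
    stream_set_blocking($sock, 1); // let the handshake complete inside enable_crypto()
    if (stream_socket_enable_crypto($sock, true, newest_tls_client_method()) !== true) {
        fclose($sock);
        throw new RuntimeException('TLS handshake failed');
    }
    return $sock;
}

function tls_server($bind_addr)
{
    // tlsv1.2:// exists only on OpenSSL >= 1.0.1 builds; tls:// then negotiates TLSv1.0
    $scheme = defined('STREAM_CRYPTO_METHOD_TLSv1_2_SERVER') ? 'tlsv1.2' : 'tls';
    $ctx = stream_context_create(array('ssl' => array(
        'local_cert' => '/path/to/server.pem', // certificate and key, PEM encoded
    )));
    $server = stream_socket_server("$scheme://$bind_addr", $errno, $errstr,
                                   STREAM_SERVER_BIND | STREAM_SERVER_LISTEN, $ctx);
    if ($server === false) {
        throw new RuntimeException("listen failed: $errstr ($errno)");
    }
    return $server; // stream_socket_accept() yields already-encrypted client streams
}
```

Because the pre-5.6 method constants are plain enumerations rather than a bitmask, the client selects a single method instead of OR-ing several together.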

<?php
$flags = STREAM_SERVER_BIND|STREAM_SERVER_LISTEN;
$ctx = stream_context_create(array('ssl' => array(
    'local_cert' => __DIR__ . '/streams_crypto_method.pem', // server certificate used by the test
)));
Contributor

I guess the tests fail because of this missing cert?

@m6w6
Contributor

m6w6 commented Oct 17, 2013

Hah, I merged and ran the tests on PHP-5.5 while this PEM is only in master.
Never mind.

@m6w6
Contributor

m6w6 commented Oct 17, 2013

Merged into PHP-5.5 as 2aaa3d5

@php-pulls php-pulls merged commit 2ddefbd into php:master Oct 17, 2013
@m6w6
Contributor

m6w6 commented Oct 17, 2013

Reverted & remerged to master.
