@rdlowrey
Created February 16, 2014 17:07
SSL/TLS improvements in PHP 5.6

[RFC] TLS Peer Verification

  • Verify peer certificates in client streams by default
  • Use operating system managed default cert stores if not otherwise specified
  • Windows is still an issue as it uses a different cert format (I'm working on it)

[RFC] Improved TLS Defaults

  • Makes everything SSL/TLS more secure without any user knowledge required
  • Vastly improved support for encrypted stream servers (à la node.js)
  • Improved server support for perfect forward secrecy (PFS)
  • New SSL context options/functions to expose configuration to userland

Improved CA support

Fine-Grained Peer/Host Verification Control

SAN x509 Extension Support

  • Client-side peer verification is now robust for high-security applications. Without SAN matching, peer verification was extremely limited in terms of usefulness.

Trivial Peer Fingerprint Verification

  • Added by Tjerk
  • The CA system is difficult to trust in the face of sophisticated attackers (and governments)
  • Streams can now pass a "peer_fingerprint" context option to bypass CA verification and check against a known certificate fingerprint hash for maximum security
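As an added example (not code from the gist), the client-side pieces above tied together in PHP 5.6: the stream relies on the new defaults (peer verification on, the OS trust store used when no cafile/capath is given), matches the SAN list against peer_name, and optionally pins the leaf certificate through the "peer_fingerprint" option. The host name, port and the fingerprint value are assumed placeholders; openssl_x509_fingerprint() and openssl_get_cert_locations() are the 5.6 functions used to read the digest and the default store.

```php
<?php
// Added example, not code from the gist. Host name and fingerprint are
// assumed placeholders; everything else uses PHP 5.6 stream context options.

// Build an SSL stream context. $pinnedSha256 is the hex SHA-256 digest of the
// expected leaf certificate, obtained out of band; null means "CA chain only".
function makeClientContext($host, $pinnedSha256 = null)
{
    $ssl = array(
        'verify_peer'         => true,   // the 5.6 default, stated explicitly
        'verify_peer_name'    => true,   // match CN/SAN against 'peer_name'
        'allow_self_signed'   => false,
        'peer_name'           => $host,  // the name checked against the SAN list
        'disable_compression' => true,   // TLS compression off
        'capture_peer_cert'   => true,   // expose the cert after the handshake
    );
    // No 'cafile'/'capath' here: PHP 5.6 falls back to the OpenSSL default
    // store, whose location openssl_get_cert_locations() reports.
    if ($pinnedSha256 !== null) {
        // Abort the handshake unless the peer's SHA-256 digest matches.
        $ssl['peer_fingerprint'] = array('sha256' => $pinnedSha256);
    }
    return stream_context_create(array('ssl' => $ssl));
}

// Connect, then return the peer certificate's SHA-256 fingerprint, or false
// when the handshake (and therefore verification) failed.
function connectAndFingerprint($host, $port = 443, $pinnedSha256 = null)
{
    $ctx  = makeClientContext($host, $pinnedSha256);
    $sock = @stream_socket_client("tls://$host:$port", $errno, $errstr, 10,
                                  STREAM_CLIENT_CONNECT, $ctx);
    if ($sock === false) {
        // Bad chain, name mismatch and fingerprint mismatch all surface here
        // as a failed connect, so nothing is ever sent over an unverified link.
        fwrite(STDERR, "TLS connect to $host failed: [$errno] $errstr\n");
        return false;
    }
    $opts = stream_context_get_options($sock);
    $cert = $opts['ssl']['peer_certificate'];   // set via capture_peer_cert
    fclose($sock);
    return openssl_x509_fingerprint($cert, 'sha256');   // new in PHP 5.6
}

$host = 'www.example.com';   // assumed placeholder

// First run: record the fingerprint the CA-verified connection saw.
$seen = connectAndFingerprint($host);
echo "Peer SHA-256: ", var_export($seen, true), "\n";

// Later runs: pin to that value, so a different certificate is rejected
// even if it carries a valid CA signature.
if ($seen !== false) {
    $pinned = connectAndFingerprint($host, 443, $seen);
    echo $pinned === false ? "Pin mismatch\n" : "Pin OK\n";
}
```

The first call records the digest, the second enforces it; in a real deployment the pinned value should come from configuration populated out of band rather than from the first connection, otherwise the pin only protects against a certificate change after the initial contact.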

Client Renegotiation DoS Mitigation

  • TLS allows clients to renegotiate certain aspects of a session. Unfortunately, renegotiation disproportionately taxes servers relative to clients and leads to a potential vector for denial-of-service attacks against encrypted servers.
  • I've got a patch in the works now and should be able to merge it this week
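As an added example (not code from the gist), a PHP 5.6 encrypted stream server that spells out the hardened settings the "Improved TLS Defaults" work exposes (server-chosen cipher order, ECDHE/DHE suites with fresh ephemeral keys for forward secrecy, compression off) together with the client-renegotiation limit from the section above. The certificate, key and DH parameter paths and the listen address are assumed placeholders; the option names are the ones released with PHP 5.6.

```php
<?php
// Added example, not code from the gist. All paths and the listen address are
// assumed placeholders.

function makeServerContext($certPath, $keyPath, $dhParamPath)
{
    return stream_context_create(array('ssl' => array(
        'local_cert'          => $certPath,    // PEM certificate (+ chain)
        'local_pk'            => $keyPath,     // PEM private key
        // Forward secrecy: only ECDHE/DHE suites, and new ephemeral keys per
        // handshake rather than reusing one server-side DH/ECDH key.
        'ciphers'             => 'ECDHE+AESGCM:DHE+AESGCM:ECDHE+AES:DHE+AES:!aNULL:!MD5:!RC4',
        'honor_cipher_order'  => true,         // the server, not the client, picks
        'ecdh_curve'          => 'prime256v1',
        'dh_param'            => $dhParamPath, // e.g. generated with openssl dhparam
        'single_dh_use'       => true,
        'single_ecdh_use'     => true,
        'disable_compression' => true,
        // Client renegotiation rate limit: more than 2 renegotiations within a
        // 300 second window trips the limit and invokes the callback.
        'reneg_limit'         => 2,
        'reneg_window'        => 300,
        'reneg_limit_callback' => function ($stream) {
            // Used here only to log the event for detection purposes.
            fwrite(STDERR, "Client exceeded the TLS renegotiation limit\n");
        },
    )));
}

function serve($listen, $ctx)
{
    $server = stream_socket_server($listen, $errno, $errstr,
        STREAM_SERVER_BIND | STREAM_SERVER_LISTEN, $ctx);
    if ($server === false) {
        fwrite(STDERR, "Listen on $listen failed: [$errno] $errstr\n");
        return;
    }
    // For tls:// sockets the handshake runs inside accept(), so a client that
    // cannot negotiate one of the suites above never reaches the loop body.
    while ($client = @stream_socket_accept($server, -1)) {
        fwrite($client, "Hello over TLS\r\n");
        fclose($client);
    }
}

serve('tls://127.0.0.1:8443', makeServerContext(
    '/path/to/server.pem',    // assumed placeholder
    '/path/to/server.key',    // assumed placeholder
    '/path/to/dhparam.pem'    // assumed placeholder
));
```

With 'honor_cipher_order' set, a client offering a weaker suite first still ends up on the server's preferred ECDHE suite, which is what makes the forward-secrecy settings effective in practice rather than only when the client happens to prefer them.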