From: Daniel Lowrey Date: Fri, 21 Feb 2014 16:38:15 +0000 (-0700) Subject: Update NEWS/UPGRADING with openssl additions X-Git-Tag: php-5.6.0alpha3~1^2~37 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=58e3fcf54f155869ccd28a8b887b157b26422cb6;p=php Update NEWS/UPGRADING with openssl additions --- diff --git a/NEWS b/NEWS index d27c70288a..f680b345de 100644 --- a/NEWS +++ b/NEWS @@ -18,6 +18,45 @@ PHP NEWS (Daniel Lowrey) . Fixed bug #66501 (Add EC key support to php_openssl_is_private_key). (Mark Zedwood) + . Fixed Bug #47030 (add new boolean "verify_host" SSL context option + allowing clients to verify names separately from peer certs). + (Daniel Lowrey) + . Fixed Bug #65538 ("cafile" SSL context option now supports stream + wrappers). (Daniel Lowrey) + . New openssl_get_cert_locations() function to aid CA file and peer + verification debugging. (Daniel Lowrey) + . Encrypted stream wrappers now disable TLS compression by default. + (Daniel Lowrey) + . New "capture_session_meta" SSL context option allows encrypted client and + server streams access to negotiated protocol/cipher information. + (Daniel Lowrey) + . New "honor_cipher_order" SSL context option allows servers to prioritize + cipher suites of their choosing when negotiating SSL/TLS handshakes. + (Daniel Lowrey) + . New "single_ecdh_use" and "single_dh_use" SSL context options allow for + improved forward secrecy in encrypted stream servers. (Daniel Lowrey) + . New "dh_param" SSL context option allows stream servers control over + the parameters when negotiating DHE cipher suites. (Daniel Lowrey) + . New "ecdh_curve" SSL context option allowing stream servers to specify + the curve to use when negotiating ephemeral ECDHE ciphers (defaults to + NIST P-256). (Daniel Lowrey) + . New "rsa_key_size" SSL context option gives stream servers control + over the key size (in bits) used for RSA key agreements. (Daniel Lowrey) + . Crypto methods for encrypted client and server streams now use + bitwise flags for fine-grained protocol support. (Daniel Lowrey) + . Added new tlsv1.0 stream wrapper to specify TLSv1 client/server method. + tls wrapper now negotiates TLSv1, TLSv1.1 or TLSv1.2. (Daniel Lowrey) + . Encrypted client streams now enable SNI by default. (Daniel Lowrey) + . Encrypted streams now prioritize ephemeral key agreement and high strength + ciphers by default. (Daniel Lowrey) + . New OPENSSL_DEFAULT_STREAM_CIPHERS constant exposes default cipher + list. (Daniel Lowrey) + . New STREAM_CRYPTO_METHOD_* constants for enhanced control over the crypto + methods negotiated encrypted server/client sessions. (Daniel Lowrey) + . Encrypted stream servers now automatically mitigate potential DoS vector + arising from client-initiated TLS renegotiation. New "reneg_limit", + "reneg_window" and "reneg_limit_callback" SSL context options for custom + renegotiation limiting control. (Daniel Lowrey) - Pgsql: . pg_insert()/pg_select()/pg_update()/pg_delete() are no longer EXPERIMENTAL. @@ -52,6 +91,7 @@ PHP NEWS - Openssl . Peer certificates now verified by default in client socket operations (RFC: https://wiki.php.net/rfc/tls-peer-verification). (Daniel Lowrey) + . New openssl.cafile and openssl.capath ini directives. (Daniel Lowrey) 23 Jan 2014, PHP 5.6.0 Alpha 1 - CLI server: diff --git a/UPGRADING b/UPGRADING index f90be01ca1..db97cd2bf1 100755 --- a/UPGRADING +++ b/UPGRADING @@ -38,6 +38,7 @@ PHP X.Y UPGRADE NOTES stream context's "verify_peer" setting. Encrypted transfers delegate to operating system certificate stores by default, so many/most users *should* be unaffected by this transparent security enhancement. + (https://wiki.php.net/rfc/tls-peer-verification) ======================================== 2. New Features @@ -69,7 +70,22 @@ PHP X.Y UPGRADE NOTES - Added openssl crypto method stream context option. -- Added openssl peer verification support for SAN x509 extension +- Added support for SAN x509 extension matching in encrypted streams. + +- Added a range of new SSL context options for improved encrypted stream + security. (https://wiki.php.net/rfc/improved-tls-defaults) + +- Added stream wrapper support for cafile paths when verifying SSL/TLS peers. + +- Added support for independent peer cert and host name verification when + validating encrypted TLS stream peers. + +- Added protection against client-initiated renegotiation DoS in encrypted + stream servers. + +- Added protocol-specific tlsv1.0://, tlsv1.1:// and tlsv1.2:// encryption + stream wrappers. tls:// wrapper now supports TLSv1.1 and TLSv1.2 (previously + only supported TLSv1 method). - Added use function and use const. (https://wiki.php.net/rfc/use_function) @@ -121,6 +137,7 @@ PHP X.Y UPGRADE NOTES Added bool openssl_spki_verify($spkac) Added string openssl_spki_export($spkac) Added string openssl_spki_export_challenge($spkac) + Added array openssl_get_cert_locations() - LDAP: Added ldap_escape($value, $ignore = "", $flags = 0). @@ -181,6 +198,17 @@ PHP X.Y UPGRADE NOTES - Pgsql: PGSQL_DML_ESCAPE int(4096) +- Openssl: + STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT int(9) + STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT int(17) + STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT int(33) + STREAM_CRYPTO_METHOD_ANY_CLIENT int(63) + STREAM_CRYPTO_METHOD_TLSv1_0_SERVER int(8) + STREAM_CRYPTO_METHOD_TLSv1_1_SERVER int(16) + STREAM_CRYPTO_METHOD_TLSv1_2_SERVER int(32) + STREAM_CRYPTO_METHOD_ANY_SERVER int(62) + OPENSSL_DEFAULT_STREAM_CIPHERS string + ======================================== 10. Changes to INI File Handling ======================================== @@ -190,6 +218,10 @@ PHP X.Y UPGRADE NOTES enabled and to recognize ohe value -1 for never populating the global $HTTP_RAW_POST_DATA variable, which will be default in future PHP versions. +- Openssl: + openssl.cafile and openssl.capath ini directives have been added to allow + global CA default specification as necessary. + ======================================== 11. Other Changes ========================================