From: Daniel Lowrey Date: Fri, 21 Feb 2014 19:54:37 +0000 (-0700) Subject: More openssl UPGRADING updates X-Git-Tag: php-5.6.0alpha3~1^2~35 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=865a41a6a3f6b4cfc9d3e253d62bc5a3617cd6dd;p=php More openssl UPGRADING updates --- diff --git a/UPGRADING b/UPGRADING index db97cd2bf1..c45b329c01 100755 --- a/UPGRADING +++ b/UPGRADING 
@@ -60,35 +60,57 @@ PHP X.Y UPGRADE NOTES use encoding settings honor default_charset. (https://wiki.php.net/rfc/default_encoding) -- The php://input stream is now re-usable and can be used concurrently with +- The php://input stream is now re-usable and can be used concurrently with enable_post_data_reading=0. +- Added use function and use const. + (https://wiki.php.net/rfc/use_function) + - Added gost-crypto (CryptoPro S-box) hash algo. -- Added openssl certificate fingerprint support (inclusive stream context +- Added openssl certificate fingerprint support (inclusive stream context option). -- Added openssl crypto method stream context option. - -- Added support for SAN x509 extension matching in encrypted streams. +- Added support for SAN x509 extension matching when verifing host names in + encrypted streams. - Added a range of new SSL context options for improved encrypted stream - security. (https://wiki.php.net/rfc/improved-tls-defaults) + server security (https://wiki.php.net/rfc/improved-tls-defaults): + + + "honor_cipher_order" allows servers to prioritize cipher suites of their + choosing when negotiating SSL/TLS handshakes. + + "single_ecdh_use" and "single_dh_use" allow for improved forward + secrecy in encrypted stream servers. + + "dh_param" allows specification of pre-generated key generation + parameters when negotiating ephemeral DHE ciphers in stream servers. + + "ecdh_curve" allows stream servers to specify which curve to use when + negotiating ephemeral ECDHE ciphers (defaults to NIST P-256). + + "rsa_key_size" SSL context option gives stream servers control + over the key size (in bits) used when negotiating RSA ciphers. + + "capture_session_meta" if specified stores an array of data describing + the TLS session's protocol/cipher in the "session_meta" SSL context key. -- Added stream wrapper support for cafile paths when verifying SSL/TLS peers. 
+- Added automatic mitigation against client-initated TLS renegotiation DoS + attacks in encrypted server streams. Renegotiation limiting may be + customized via three new SSL context options: -- Added support for independent peer cert and host name verification when - validating encrypted TLS stream peers. + + "reneg_limit" (number of allowed renegotiations per time window) + + "reneg_window" (renegotiation time window in seconds) + + "reneg_limit_callback" (optional notification callback on limiting) -- Added protection against client-initiated renegotiation DoS in encrypted - stream servers. +- Added "crypto_method" SSL context option for use in encrypted streams. + +- Added stream wrapper support when specifying "cafile" SSL context paths. + +- Independent peer cert and host names validation is now available via a new + "verify_host" SSL context option. - Added protocol-specific tlsv1.0://, tlsv1.1:// and tlsv1.2:// encryption stream wrappers. tls:// wrapper now supports TLSv1.1 and TLSv1.2 (previously - only supported TLSv1 method). + only supported TLSv1). -- Added use function and use const. - (https://wiki.php.net/rfc/use_function) +- Stream crypto method specification now accepts flags instead of values + allowing support for multiple discrete protocols in a given stream. ======================================== 2. Changes in SAPI modules
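Review bot: Two typos in the added lines need fixing before this lands: "verifing" in the SAN x509 entry should be "verifying", and "client-initated" in the renegotiation entry should be "client-initiated". The renegotiation entry also calls the mitigation automatic but gives no default values for "reneg_limit" and "reneg_window", so a reader cannot tell what limit applies to a server that sets neither option. Please state the defaults, as the "ecdh_curve" line does with "defaults to NIST P-256". The same applies to "verify_host": the entry should say whether host name validation is on or off when the option is omitted. Smaller points: "Independent peer cert and host names validation" reads better as "host name validation", and the final entry on crypto method flags would be easier to act on if it named the context option ("crypto_method") it refers to.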