This repository was archived by the owner on Jan 30, 2020. It is now read-only.

About the ssltransport option for the Socket client #105

Open
mlocati opened this issue Jan 18, 2017 · 5 comments

Comments

@mlocati
Contributor

mlocati commented Jan 18, 2017

We currently accept these values for the ssltransport option of the Socket client:

  • ssl → STREAM_CRYPTO_METHOD_SSLv23_CLIENT
  • sslv2 → STREAM_CRYPTO_METHOD_SSLv2_CLIENT
  • sslv3 → STREAM_CRYPTO_METHOD_SSLv3_CLIENT
  • tls → STREAM_CRYPTO_METHOD_TLS_CLIENT

In particular:

  • STREAM_CRYPTO_METHOD_SSLv23_CLIENT
    • evaluates to SSLv2 / SSLv3 for 5.5.0 ≤ PHP ≤ 5.6.6 (reference)
    • evaluates to TLSv1.0 / TLSv1.1 / TLSv1.2 for 5.6.7 ≤ PHP ≤ 7.1.0 (reference)
  • STREAM_CRYPTO_METHOD_TLS_CLIENT
    • evaluates to TLSv1.0 / TLSv1.1 / TLSv1.2 for 5.6.0 ≤ PHP ≤ 5.6.6
    • evaluates to TLSv1.0 for 5.6.7 ≤ PHP ≤ 7.1.0

There are some problems with the current implementation:

  • the constant values change between different PHP versions, and that leads to portability problems
  • we allow specifying the version of SSL, but not the version of TLS
  • we don't have a way to allow any protocol (aka the STREAM_CRYPTO_METHOD_ANY_CLIENT option introduced in PHP 5.6.0, which evaluates to SSLv2 / SSLv3 / TLSv1.0 / TLSv1.1 / TLSv1.2)

So, what about defining the following transports?

  • ssl to enable sslv2 and sslv3
  • sslv2 to enable only sslv2
  • sslv3 to enable only sslv3
  • tls to enable tlsv1.0 and tlsv1.1 and tlsv1.2
  • tlsv1.0 to enable only tlsv1.0
  • tlsv1.1 to enable only tlsv1.1
  • tlsv1.2 to enable only tlsv1.2
  • * to enable any kind of connections

Furthermore, because of security issues, more and more websites disable SSL (both SSLv2 and SSLv3), keeping only TLS connections (see for instance what Google is doing).

So, what about switching from ssl to tls as the default transport?

@ezimuel
Contributor

ezimuel commented Jan 25, 2017

@mlocati this proposal can represent an improvement, but it's a big BC break, especially if we set TLS as default. We should find a different proposal without a BC break, to support the new protocols including the options included in PHP 5.6.
Let me know if you have any idea on that, thanks!

@mlocati
Contributor Author

mlocati commented Jan 25, 2017

We could add new values to $sslCryptoTypes:

protected static $sslCryptoTypes = [
    // Current values (deprecated)
    'ssl'   => STREAM_CRYPTO_METHOD_SSLv23_CLIENT,
    'sslv2' => STREAM_CRYPTO_METHOD_SSLv2_CLIENT,
    'sslv3' => STREAM_CRYPTO_METHOD_SSLv3_CLIENT,
    'tls'   => STREAM_CRYPTO_METHOD_TLS_CLIENT,
    // New values
    'SSL'     => 'SSL',     // Enable SSL v2 and v3
    'SSLv2'   => 'SSLv2',   // Enable SSL v2 only
    'SSLv3'   => 'SSLv3',   // Enable SSL v3 only
    'TLS'     => 'TLS',     // Enable TLS v1.0 and v1.1 and v1.2
    'TLSv1.0' => 'TLSv1.0', // Enable TLS v1.0 only
    'TLSv1.1' => 'TLSv1.1', // Enable TLS v1.1 only
    'TLSv1.2' => 'TLSv1.2', // Enable TLS v1.2 only
    '*'       => '*',       // Enable any kind of connection
];
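The version-independent resolution those new string values would need, as an added example that is neither zend-http's code nor part of mlocati's proposal: it builds the crypto method bitmask from the per-version STREAM_CRYPTO_METHOD_TLSv1_x_CLIENT constants (available since PHP 5.6.0) rather than from STREAM_CRYPTO_METHOD_SSLv23_CLIENT / STREAM_CRYPTO_METHOD_TLS_CLIENT, whose meaning changed between releases. The function name is an assumption for illustration.

```php
<?php
// Added example (not the project's code): map a transport name from the
// proposal above to a STREAM_CRYPTO_METHOD_* bitmask whose meaning does not
// depend on the PHP release. Requires PHP >= 5.6.0 for the TLSv1_x and _ANY
// constants. The SSLv2/SSLv3 constants can be missing when the linked
// OpenSSL was built without those protocols, hence the defined() checks.
function resolveCryptoMethod($transport)
{
    // Spell the TLS mask out explicitly so 'tls' never silently narrows to
    // TLSv1.0 only (as STREAM_CRYPTO_METHOD_TLS_CLIENT does on PHP >= 5.6.7).
    $tls10  = STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT;
    $tls11  = STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT;
    $tls12  = STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT;
    $tlsAll = $tls10 | $tls11 | $tls12;

    $map = array(
        'tls'     => $tlsAll,
        'tlsv1.0' => $tls10,
        'tlsv1.1' => $tls11,
        'tlsv1.2' => $tls12,
        '*'       => STREAM_CRYPTO_METHOD_ANY_CLIENT,
    );

    // SSL entries exist only when this OpenSSL build still exposes them;
    // asking for an unavailable protocol fails loudly instead of falling
    // back to something else.
    $ssl = 0;
    if (defined('STREAM_CRYPTO_METHOD_SSLv2_CLIENT')) {
        $map['sslv2'] = STREAM_CRYPTO_METHOD_SSLv2_CLIENT;
        $ssl |= STREAM_CRYPTO_METHOD_SSLv2_CLIENT;
    }
    if (defined('STREAM_CRYPTO_METHOD_SSLv3_CLIENT')) {
        $map['sslv3'] = STREAM_CRYPTO_METHOD_SSLv3_CLIENT;
        $ssl |= STREAM_CRYPTO_METHOD_SSLv3_CLIENT;
    }
    if ($ssl !== 0) {
        $map['ssl'] = $ssl;
    }

    $key = strtolower($transport);
    if (!isset($map[$key])) {
        throw new InvalidArgumentException(
            'Unsupported or unavailable ssltransport value: ' . $transport
        );
    }
    return $map[$key];
}

// Usage: the returned mask is what stream_socket_enable_crypto() expects,
// e.g. stream_socket_enable_crypto($socket, true, resolveCryptoMethod('tls'));
```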

@carnage
Contributor

carnage commented Feb 7, 2017

I'd suggest NOT including any ssl versions in the new values.

@mlocati
Contributor Author

mlocati commented Feb 7, 2017

I'd suggest NOT including any ssl versions in the new values.

I'd disagree: we all know that SSL should be avoided, but we can't assume that nobody uses/needs it...

@weierophinney
Member

This repository has been closed and moved to laminas/laminas-http; a new issue has been opened at laminas/laminas-http#7.
