Tags: far-blue/socket
Tags
- Fix crypto stream method for PHP 5.6.6 - Fix issues with general cafile paths inside PHARs - Update certificate bundle for PHP 5.5 legacy crypto support - Update default TLS cipher suites **Important Note** We updated the certificate authority bundle in this release, which is used for users of PHP 5.5, because PHP 5.5 doesn't use the system's trust store yet. With that update, all 1024-bit root certificates have been removed, as they're not secure enough anymore. Issuance from 1024-bit root certificates has been stopped several years ago. Due to a bug in OpenSSL 1.0.1, certificates with a root, which is cross-signed by another 1024-bit root, will fail to validate if the cross-signing 1024-bit root is not in the trust store. This affects for example `google.com` and `yahoo.com`, which both use cross-signed roots, in case of Google _"GeoTrust Global CA"_, which is cross-signed by _"Equifax Secure Certificate Authority"_, which has been removed. If you're using PHP 5.6 or higher, PHP is automatically using the system's trust store to validate certificates. Due to root certificate programs like the one from Ubuntu, Ubuntu 12.04 and 14.04 both still trust _"Equifax Secure Certificate Authority"_, so access to `google.com` and `yahoo.com` will work there. Your distribution is using insecure root certificates then, putting you at risk. It's something the distributions have to fix.
PreviousNext