On the Docnet.nu blog today they've kicked off a series looking at the use of streams and SSL in PHP and asking if you're doing it wrong in your current applications. The focus is more on the security aspect, breaking it down into a set of common problems (and how to work around them).
The upcoming PHP 5.6 release brings with it a number of improvements to encrypted PHP streams, both internally and externally. In these articles I will try to cover the most important changes, and how they affect your code. This article will focus on how to get the best security level in code that needs to be run on PHP versions below 5.6, and highlighting some of the gaps in the currently available functionality. Version 5.4.13 is the earliest version that supports all the options described below - and if you are running something earlier than this, then you really should consider upgrading to at least the latest version of the 5.4 series 1.
Their list is made up of six different problems:
- Problem 1: Peer Verification
- Problem 2: Cipher Lists
- Problem 3: Protocol Support
- Problem 4: TLS Compression Attack Vulnerability
- Problem 5: Cipher Order
- Problem 6: TLS Renegotiation Attacks
Each problem comes with a brief description of what it is and why it's an issues. Some also include code snippets showing how to correct the issue, usually relatively simply.