Will TLS 1.0 and TLS 1.1 be permanently disabled in a future release?

Yes, and there will be a way to disable them via an environment variable or in the .

Ini file (see below).

Why? We have decided to remove TLS 1.0 and TLS 1.1 as they are vulnerable to POODLE attacks and can also make websites and network connections vulnerable to downgrade attacks if those protocols are used.

However, there are many sites and applications still using these protocols for which security is not a priority. For example, many WordPress installations (the world's most popular CMS platform) still use these protocols because of their compatibility with older browsers. In the past it was possible to use a browser extension to block TLS 1. But these browser extensions may have been removed in future releases.

For those who want to disable TLS 1.1, the following environment variable can be used: http.socket.tlsdisabletls11=1

There will be a way to configure this value at installation time, and this value will persist until the next upgrade (which will be approximately 6 months). You can also modify this setting in the .ini file if you have SSH access. If you use the .ini file you will need to specify the location of the .ini file using the following configuration directive:

Http.tlsini=/etc/php5/apache2/php.ini

Can I keep using older versions of SSL or TLS? Yes, but we recommend upgrading. The old protocol versions will become obsolete soon.

If you are still using a custom build of OpenSSL you can upgrade to 1.2r (or newer), or use an updated PHP build (the first version of PHP with TLS 1.2 support was PHP 5.3).

How will TLS 1.1 be removed? We are developing a new feature that enables you to disable the use of TLS 1.1 for specific requests. When this new feature is available it will provide a configurable method to exclude specific protocols and/or protocols from the server certificate (ie we would disable the use of TLS 1.1 for all client certificates but enable the use of TLS 1.2 for client certificates).

Is TLS 1.1 vulnerable?

The recent discussion about TLS 1.

1 on Hacker News (and elsewhere) has been a bit confusing. A lot of the criticism seems to be directed at the protocol and the standards documents, and a lot of it looks like FUD (Fear, Uncertainty and Doubt).

I'm going to address these issues in this blog post. If you disagree with any of what I say here, I'd appreciate it if you let me know in the comments. I'm more than happy to respond.

TL;DR. There is no need to disable TLS 1. If an application wants to use TLS 1.1 then it can do so.

TLS 1.1 is vulnerable to a padding oracle attack, and other attacks. To exploit this vulnerability you would have to have control of the client in a way that you couldn't obtain from a network intercept. This attack cannot be used to downgrade the protocol.1 is vulnerable to a BEAST attack. However, modern web browsers already mitigate this attack for websites. It is unclear whether a website that supports only TLS 1.0 is vulnerable to this attack.

In TLS 1.1 we have included some mechanisms to mitigate the BEAST attack (eg changecipherspec) so we're not seeing a lot of sites using this attack. If you want to ensure that your site isn't vulnerable to this attack then you should use TLS 1.2.

We have added some new resumption mechanisms to TLS 1.1 so we have a strong reason to believe that this won't be a problem. For example:

It's possible to use the same keys and certificates for a client and server, which means that any client that connects to a server can be attacked at any time. However, a compromise of a client should not allow a malicious server to impersonate a client.

A client doesn't need to use a certificate chain that starts with a trusted root certificate. This means that a malicious root certificate authority can't compromise all clients.1 only allows a maximum of three messages in a session, whereas TLS 1.2 allows a maximum of eight messages.

How long is TLS 1.2 supported?

Answer.

TLS 1.2 has a planned lifetime of 3 years, according to the PKIX Web Site. It's unclear if TLS 1.2 will be supported past 3 years.

You are right. This information is in PKIX (RFC 5246).

How secure is AES? AES can be used in both client and server implementations, and has been proven to provide security equivalent to 256-bit ciphers used in TLS 1.0 and above. AES is considered as the standard ciphers for TLS 1.

Why was TLS 1.1 and TLS 1.2 deprecated?
Because the IETF wanted to see how TLS 1.2 would work under realistic conditions (eg, clients and servers using various non-TLS protocols for their own purposes).2 was originally specified for compatibility with TLS 1.