On Wed, Jan 29, 2014 at 7:16 PM, Pádraic Brady wrote:
> I think we should hold off on throwing errors until v3 drops to a
> more negligible level. The current supported range on Firefox,
> for example, has a minimum of SSLv3. Yes, this is hardly
> paradise, but so long as we're negotiated from TLS 1.2 down
> (presumably the case at present!) then we should let users
> accept the risk for SSLv3 only sites without kicking up too much
> of a fuss for now.
After thinking about it a bit I think I agree on this front and will strike
the recommendations for E_WARNING from the RFC. However, I so still think
it makes sense to issue an E_DEPRECATED on the use of the sslv2:// and
sslv3:// stream wrappers in an effort to funnel users into the more
generalized ssl:// and tls:// wrappers. As I mentioned in the updated RFC
text I think it makes sense to deprecate the specific wrappers in 5.6 and
look to remove them in 5.7 as they're really unnecessary in light of the
ability to specify flags for the specific individual protocols you wish to
use on a given stream.