The extension version check uses the file_downloader class where fsockopen() is used with a tls:// transport: https://github.com/phpbb/phpbb/blob/release-3.2.2/phpBB/phpbb/file_downloader.php#L45

It was introduced in this PR: https://github.com/phpbb/phpbb/pull/3929

Historically, the behavior of tls:// was to only allow TLS 1.0 connections. This was changed in PHP 5.6.0 to allow TLS 1.0, 1.1 or 1.2: https://github.com/php/php-src/commit/3a9829af2062527fb4e5cb11eb4ac3e045d0b370#diff-714485dc5d2ba8617ba0cb2dbfb7cd36R176

In PHP 5.6.7, this change was reverted for backward compatibility reasons: https://github.com/php/php-src/commit/10bc5fd4c4c8e1dd57bd911b086e9872a56300a0#diff-714485dc5d2ba8617ba0cb2dbfb7cd36R178

In above revert commit, you can also see that the ssl:// transport allows establishing TLS 1.0, 1.1 and 1.2 connection (and no SSLvX connections).

In PHP 7.2, the behavior was changed again. tls:// and ssl:// now do the same and allow TLS 1.0, 1.1 and 1.{{2 }}connections: https://github.com/php/php-src/commit/bec91e1117fd3527897cde2f8a26eab9a20fa3dc#diff-714485dc5d2ba8617ba0cb2dbfb7cd36R176

For this reason I think the file_downloader should be using ssl://. However, a side effect of that change would be that users with PHP version ∈ [5.6.0, 5.6.6] can only establish SSLv2 and SSLSv3 connections, and no TLS at all.

Pertinent PHP bug reports:
https://bugs.php.net/bug.php?id=69195
https://bugs.php.net/bug.php?id=69345