Newsgroups: php.internals
From: lists@rhsoft.net
To: PHP Internals
Date: Fri, 1 Dec 2017 17:52:15 +0100
Subject: Re: [PHP-DEV] PHP 7.2.0 Released

On 01.12.2017 at 17:44, Niklas Keller wrote:
> lists@rhsoft.net wrote on Fri, 1 Dec 2017, 17:13:
>
> > On 30.11.2017 at 17:41, Hannes Magnusson wrote:
> > >> - Improve TLS constants to sane values
> > >
> > > This worries me a lot. Last time someone thought it was a good idea they
> > > introduced a security vulnerability for all apps that used them.
> >
> > that PHP now instead of ECDHE-RSA-AES128-SHA uses
> > ECDHE-RSA-AES128-GCM-SHA256 for TLS connections (and before 7.1 with
> > openssl 1.1 it was not able to use ECDHE at all) or that PHP doesn't let
> > the crypto library alone at all?
> >
> > at least it got better with 7.2
>
> We only changed the defaults in 7.2, it was possible to use the same
> features before, except for the security level

yes and since nobody ever should override the defaults in application code for obvious reasons that's the problem, you shouldn't mangle with openssl defaults in general and let openssl do the handshake which will end in the server side preferred cipher and so in the most secure

what PHP does is making encryption weaker than it should be

above i talk about encrypted connection to mysqld and *no* if our only cipher on the server is ECDHE-RSA-AES128-GCM-SHA256 anything before PHP 7.2 won't connect at all