Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:101215
Return-Path: <lists@rhsoft.net>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 20106 invoked from network); 1 Dec 2017 23:35:25 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 1 Dec 2017 23:35:25 -0000
Authentication-Results: pb1.pair.com header.from=lists@rhsoft.net; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=lists@rhsoft.net; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain rhsoft.net designates 91.118.73.15 as permitted sender)
X-PHP-List-Original-Sender: lists@rhsoft.net
X-Host-Fingerprint: 91.118.73.15 mail.thelounge.net  
Received: from [91.118.73.15] ([91.118.73.15:29031] helo=mail.thelounge.net)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id E8/B0-09988-A37E12A5 for <internals@lists.php.net>; Fri, 01 Dec 2017 18:35:25 -0500
Received: from srv-rhsoft.rhsoft.net  (Authenticated sender: h.reindl@thelounge.net) by mail.thelounge.net (THELOUNGE MTA) with ESMTPSA id 3ypVxg267LzXMd
	for <internals@lists.php.net>; Sat,  2 Dec 2017 00:35:19 +0100 (CET)
To: PHP Internals <internals@lists.php.net>
References: <a64088a5-e93b-3450-fe8c-8ba6ac9d851a@php.net>
 <CADNQb0VA+-E2B21EZCfzau7v0_0=SeheHB+cxZCsx7RoVNn8jA@mail.gmail.com>
 <41630a4e-8772-bdfb-e859-831a36dc67ea@rhsoft.net>
 <CANUQDCjsz31t-VqbLeUOc-qJd=wzQ8Tbk2UGhY-74xw+JaGHUA@mail.gmail.com>
 <e8b900c3-3d76-9fe0-7b96-3c1f468d160e@rhsoft.net>
 <CAESVnVqhNgge2dzHTbf1bCR0unGCYwEeDqS2ErWdyK34M26k6g@mail.gmail.com>
Message-ID: <9f3d28e1-cc6d-d5dc-da04-7e3791070be8@rhsoft.net>
Date: Sat, 2 Dec 2017 00:35:19 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.5.0
MIME-Version: 1.0
In-Reply-To: <CAESVnVqhNgge2dzHTbf1bCR0unGCYwEeDqS2ErWdyK34M26k6g@mail.gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: de-CH
Content-Transfer-Encoding: 7bit
Subject: Re: [PHP-DEV] PHP 7.2.0 Released
From: lists@rhsoft.net ("lists@rhsoft.net")



Am 01.12.2017 um 22:49 schrieb Sara Golemon:
> On Fri, Dec 1, 2017 at 11:52 AM, lists@rhsoft.net <lists@rhsoft.net> wrote:
>> yes and since nobody ever sould override the defaults in application code
>> for obvious reasons that's the problem, you shouldn't mangle with openssl
>> defaults in general and let openssl do the handshake which will end in the
>> server side perferred cipher and so in the most secure
>>
>> what PHP does is making encryption weaker as it should be
>>
> Um.  Did you look at the diff in question?
> 
> The old default was tls 1.0 only, the new default is tls 1.0, 1.1, or 1.2.
> The new default allows OpenSSL to negotiate for a preferred method
> where it couldn't before.
> The change literally does the opposite of what you're talking about

for *now* and then when TLS 1.3 is out, the openssl on the system 
supports TLS 1.3 PHP will hang on TLS1.2 as it did with TLS1.0?

the main question is why does PHP need to to *anything* here instead 
hand the TLS handshake completly over to openssl? in that case even PHP5 
could perfer TLS1.2 ciphers against a sevrer that orders them on top 
without touch any line of PHP's code

"the opposite of what you're talking about" is plain wrong when you look 
at my first response
_________________________

     Am 30.11.2017 um 17:41 schrieb Hannes Magnusson:
      >> - Improve TLS constants to sane values
      >
      > This worries me a lot. Last time someone thought it was a good
     idea they
      > introduced security vulnerability for all apps that used them.

     that PHP now instead of ECDHE-RSA-AES128-SHA uses
     ECDHE-RSA-AES128-GCM-SHA256 for TLS connections (and before 7.1 with
     openssl 1.1 it was not able to use ECHDE at all) or that PHP don't let
     the crypto library alone at all?

     at least it got better with 7.2