Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:101216 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 24185 invoked from network); 2 Dec 2017 01:08:52 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 2 Dec 2017 01:08:52 -0000 Authentication-Results: pb1.pair.com header.from=walterp@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=walterp@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.220.176 as permitted sender) X-PHP-List-Original-Sender: walterp@gmail.com X-Host-Fingerprint: 209.85.220.176 mail-qk0-f176.google.com Received: from [209.85.220.176] ([209.85.220.176:41714] helo=mail-qk0-f176.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 28/11-09988-22DF12A5 for ; Fri, 01 Dec 2017 20:08:50 -0500 Received: by mail-qk0-f176.google.com with SMTP id r184so15415316qke.8 for ; Fri, 01 Dec 2017 17:08:50 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=gPRQ5N3dt8OCJnwRC+LHa29MLhZHmUbodbScXwZEDnw=; b=UIqJkSgNszJJay/J0Bkzu6r+XD+vZd5aSh02C06GmgAS448XXZF8f+t0VUwrJ+VBUJ VT2KZ+AJkcA+50EcwGCgpw2slXh6ut3DmaNOhxI8rQIk5cmQDpNLGwJoD5Xda+Zn1LXV vMkYTXRK9CZOKe2kKeue02EJG3+0Abj1/QrLLuLuTrJGQjpKWKq7aGg3fzrBT2iDf4IY i5DIDFmyVuB+8p630bCRicC0lNOMU/w4Bi3RszZGWK/HV5WZ7tJTnDegU2OIWemwlR6x ksAE1xfknrnio8mVBt+o8FYC4oYut4oihFMlHC3Cktar3n/MTSH3RS+S7Lx+dZTD+tJi jr4w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=gPRQ5N3dt8OCJnwRC+LHa29MLhZHmUbodbScXwZEDnw=; b=l3h0FL3t9JyKbIGujpj+5tCmu0bwCb1ZGNjInY26qHOymIWJ+B/kroACxLmK/1qmmK hrSLWotliDtRYw9uyp8+ZfZ+t9NbWa3xZbmwIeYNUm3gEyijTgK6hRRKpMFmahuQdl8y 7pWZtfaa3BceOWPjSdXgWr98Y1Rcg7QBdC45juQYmiotZ+fNskxgFAw/I7T4mfYHp1kp Tk7/Z6s46/Y4O3vZ/b9PSCEVFC9aOKJJA9N3SthxiqPDlOuxyzVzaGYoYvliVTUIlmoS N+aIcoNDyMlQu0z6uMFlC2oFAygznf+DglK58w1AOjPA3Y/0DLJ+0d/BHuXR/wWdxB7Z Yu3w== X-Gm-Message-State: AKGB3mLuj9N/u1nWu0VmMC1lHi+SWjI2HbSpyUTLoPm8Y+ZAQRWp3hmR 0kFo6vqb1t2bwSQ/rkDAM3e8xpR6p5iVGi0kg3o= X-Google-Smtp-Source: AGs4zMat3JCwWkJF1PYmJ3p1+N1EPXdOva6HgI6UTfNEAwmPXcwDu2T/0n8itv6YaLZYyHeM+SfhPYJSUzoxVtCQJcc= X-Received: by 10.55.222.12 with SMTP id h12mr7957808qkj.14.1512176927566; Fri, 01 Dec 2017 17:08:47 -0800 (PST) MIME-Version: 1.0 Received: by 10.12.154.68 with HTTP; Fri, 1 Dec 2017 17:08:47 -0800 (PST) In-Reply-To: <9f3d28e1-cc6d-d5dc-da04-7e3791070be8@rhsoft.net> References: <41630a4e-8772-bdfb-e859-831a36dc67ea@rhsoft.net> <9f3d28e1-cc6d-d5dc-da04-7e3791070be8@rhsoft.net> Date: Fri, 1 Dec 2017 17:08:47 -0800 Message-ID: To: PHP Internals Content-Type: multipart/alternative; boundary="089e082dc1d09af0df055f5120d1" Subject: Re: [PHP-DEV] PHP 7.2.0 Released From: walterp@gmail.com (Walter Parker) --089e082dc1d09af0df055f5120d1 Content-Type: text/plain; charset="UTF-8" On Fri, Dec 1, 2017 at 3:35 PM, lists@rhsoft.net wrote: > > > Am 01.12.2017 um 22:49 schrieb Sara Golemon: > >> On Fri, Dec 1, 2017 at 11:52 AM, lists@rhsoft.net >> wrote: >> >>> yes and since nobody ever sould override the defaults in application code >>> for obvious reasons that's the problem, you shouldn't mangle with openssl >>> defaults in general and let openssl do the handshake which will end in >>> the >>> server side perferred cipher and so in the most secure >>> >>> what PHP does is making encryption weaker as it should be >>> >>> Um. Did you look at the diff in question? >> >> The old default was tls 1.0 only, the new default is tls 1.0, 1.1, or 1.2. >> The new default allows OpenSSL to negotiate for a preferred method >> where it couldn't before. >> The change literally does the opposite of what you're talking about >> > > for *now* and then when TLS 1.3 is out, the openssl on the system supports > TLS 1.3 PHP will hang on TLS1.2 as it did with TLS1.0? > > the main question is why does PHP need to to *anything* here instead hand > the TLS handshake completly over to openssl? in that case even PHP5 could > perfer TLS1.2 ciphers against a sevrer that orders them on top without > touch any line of PHP's code > > "the opposite of what you're talking about" is plain wrong when you look > at my first response > _________________________ > > Am 30.11.2017 um 17:41 schrieb Hannes Magnusson: > >> - Improve TLS constants to sane values > > > > This worries me a lot. Last time someone thought it was a good > idea they > > introduced security vulnerability for all apps that used them. > > that PHP now instead of ECDHE-RSA-AES128-SHA uses > ECDHE-RSA-AES128-GCM-SHA256 for TLS connections (and before 7.1 with > openssl 1.1 it was not able to use ECHDE at all) or that PHP don't let > the crypto library alone at all? > > at least it got better with 7.2 > > -- > PHP Internals - PHP Runtime Development Mailing List > To unsubscribe, visit: http://www.php.net/unsub.php > > Lists, I fail to see how Sara was wrong and you are right. In the old PHP, it was TLS 1.0 In the new PHP. it is TLS 1.2, TLS1.1, TLS1.3 When TLS1.3 comes out, old PHP will use only TLS1.0. <- This doesn't work today for many sites The new PHP will support TLS1.2, TLS 1.1, TLS 1.0 <- Still stronger that the older version (required for many sites today) When the openssl version that comes out to support the IETF final release of TLS1.3 comes out in a few years, the openssl updates will be easier to apply to the newest code base. How many older PHP (5.X) systems will upgrade to (or even be able to upgrade) to the newest openssl library? As built right now, none of those would get TLS1.3 out of the box. If you want the version selection moved completely to openssl, you should write an RFC for that. The current idea (where TLS1.3 is added to the list of defaults once the software is release) vs an undefined system where it is handled magically at a lower level doesn't appear to be more secure. Walter -- The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well-meaning but without understanding. -- Justice Louis D. Brandeis --089e082dc1d09af0df055f5120d1--