Newsgroups: php.internals
From: lists@rhsoft.net ("lists@rhsoft.net")
To: internals@lists.php.net
Subject: Re: [PHP-DEV] PHP 7.2.0 Released
Date: Sat, 2 Dec 2017 06:08:59 +0100
Message-ID: <478772c2-939b-d4c1-8496-1151cd99c149@rhsoft.net>
References: <41630a4e-8772-bdfb-e859-831a36dc67ea@rhsoft.net> <9f3d28e1-cc6d-d5dc-da04-7e3791070be8@rhsoft.net>

On 02.12.2017 at 02:08, Walter Parker wrote:
> Lists, I fail to see how Sara was wrong and you are right.
> In the old PHP, it was TLS 1.0

bad enough

> In the new PHP, it is TLS 1.2, TLS1.1, TLS1.3

you surely meant 1.0 instead of 1.3 here

> When TLS1.3 comes out, old PHP will use only TLS1.0. <- This doesn't work
> today for many sites

it shouldn't have been used for *many* years

> The new PHP will support TLS1.2, TLS 1.1, TLS 1.0 <- Still stronger than
> the older version (required for many sites today)

yeah, but why do i need PHP 7.2 to get such basics right which openssl and every other software on the system supports out-of-the-box for many years?

> When the openssl version that comes out to support the IETF final release
> of TLS1.3 comes out in a few years, the openssl updates will be easier to
> apply to the newest code base.

and that's plain wrong - period

> How many older PHP (5.X) systems will upgrade to (or even be able to
> upgrade) to the newest openssl library?

they could have used TLS1.2 years before PHP 7.2 was even considered without that wrong design of how to handle TLS handshakes

> As built right now, none of those would get TLS1.3 out of the box.

because nobody learnt from the past mistakes

> If you want the version selection moved completely to openssl, you should
> write an RFC for that.

that should have been common sense by doing the changes we are talking about

> The current idea (where TLS1.3 is added to the list of defaults once the
> software is released) vs an undefined system where it is handled magically
> at a lower level doesn't appear to be more secure

surely, openssl's job is to handle encryption and handshakes, PHP provably failed in this area and has no business at all in that context