Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:101230 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 58960 invoked from network); 4 Dec 2017 18:36:08 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 4 Dec 2017 18:36:08 -0000 Authentication-Results: pb1.pair.com smtp.mail=lists@rhsoft.net; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=lists@rhsoft.net; sender-id=pass Received-SPF: pass (pb1.pair.com: domain rhsoft.net designates 91.118.73.15 as permitted sender) X-PHP-List-Original-Sender: lists@rhsoft.net X-Host-Fingerprint: 91.118.73.15 mail.thelounge.net Received: from [91.118.73.15] ([91.118.73.15:30091] helo=mail.thelounge.net) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 88/33-28358-795952A5 for ; Mon, 04 Dec 2017 13:36:08 -0500 Received: from srv-rhsoft.rhsoft.net (Authenticated sender: h.reindl@thelounge.net) by mail.thelounge.net (THELOUNGE MTA) with ESMTPSA id 3yrD8z4KRFzXMR for ; Mon, 4 Dec 2017 19:36:03 +0100 (CET) To: internals@lists.php.net References: <41630a4e-8772-bdfb-e859-831a36dc67ea@rhsoft.net> <9f3d28e1-cc6d-d5dc-da04-7e3791070be8@rhsoft.net> <35e8f8c5-8fe0-702b-f304-890cf902b390@rhsoft.net> Message-ID: Date: Mon, 4 Dec 2017 19:36:03 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.5.0 MIME-Version: 1.0 In-Reply-To: <35e8f8c5-8fe0-702b-f304-890cf902b390@rhsoft.net> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: de-CH Content-Transfer-Encoding: 8bit Subject: Re: [PHP-DEV] PHP 7.2.0 Released From: lists@rhsoft.net ("lists@rhsoft.net") and to be clear here: a client when connecting to a server configured like below has to respect the cipher order of the server while https://www.ssllabs.com/ssltest/ exists for years to give dministrators of the server some help and which clients are using which cipher [harry@srv-rhsoft:~]$ openssl s_client -connect localhost:443 -servername localhost ............. New, TLSv1.2, Cipher is ECDHE-ECDSA-AES128-GCM-SHA256 Server public key is 256 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-ECDSA-AES128-GCM-SHA256 ________________________________________ Handshake Simulation for servers with ECDSA/RSA dual stack: OpenSSL 1.0.1l R EC 256 (SHA256) TLS 1.2 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ECDH secp256r1 FS OpenSSL 1.0.2e R EC 256 (SHA256) TLS 1.2 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ECDH secp256r1 FS ________________________________________ in case the server has only a RSA certificate: OpenSSL 1.0.1l R RSA 2048 (SHA256) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH secp256r1 FS OpenSSL 1.0.2e R RSA 2048 (SHA256) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH secp256r1 FS ________________________________________ SSLHonorCipherOrder On SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA Am 04.12.2017 um 19:18 schrieb lists@rhsoft.net: > Am 04.12.2017 um 18:36 schrieb Sara Golemon: >> On Fri, Dec 1, 2017 at 6:35 PM, lists@rhsoft.net >> wrote: >>> the main question is why does PHP need to to *anything* here instead >>> hand >>> the TLS handshake completly over to openssl? in that case even PHP5 >>> could >>> perfer TLS1.2 ciphers against a sevrer that orders them on top >>> without touch >>> any line of PHP's code >>> >> Because the SSL API in OpenSSL that PHP uses doesn't let you say: >> "Just give me the best method you can" >> >> There may be another SSL API that does, but that's more than just "set >> the value to any and be done with it" > > and how does other software like the apache benchmark tool "ab" this for > as long as i can think which is also linked against openssl? > > [harry@srv-rhsoft:~]$ ab -c 1 -n 1 https://localhost/ > This is ApacheBench, Version 2.3 <$Revision: 1807734 $> > Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/ > Licensed to The Apache Software Foundation, http://www.apache.org/ > > Benchmarking localhost (be patient).....done > > Server Software: > Server Hostname:        localhost > Server Port:            443 > SSL/TLS Protocol:       TLSv1.2,ECDHE-ECDSA-AES128-GCM-SHA256,256,128 > TLS Server Name:        localhost > ______________________ > > [harry@srv-rhsoft:~]$ ldd /usr/bin/ab >         linux-vdso.so.1 (0x00007ffd015cc000) >         libssl.so.1.1 => /lib64/libssl.so.1.1 (0x00007fb83e962000) >         libcrypto.so.1.1 => /lib64/libcrypto.so.1.1 (0x00007fb83e4d7000) >         libaprutil-1.so.0 => /lib64/libaprutil-1.so.0 (0x00007fb83ed96000) >         libapr-1.so.0 => /lib64/libapr-1.so.0 (0x00007fb83ed5a000) >         libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fb83e2b8000) >         libm.so.6 => /lib64/libm.so.6 (0x00007fb83dfa2000) >         libc.so.6 => /lib64/libc.so.6 (0x00007fb83dbcd000) >         libz.so.1 => /lib64/libz.so.1 (0x00007fb83d9b6000) >         libdl.so.2 => /lib64/libdl.so.2 (0x00007fb83d7b2000) >         libuuid.so.1 => /lib64/libuuid.so.1 (0x00007fb83d5ad000) >         libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007fb83d377000) >         libexpat.so.1 => /lib64/libexpat.so.1 (0x00007fb83d144000) >         /lib64/ld-linux-x86-64.so.2 (0x00007fb83ebce000) >         libgomp.so.1 => /lib64/libgomp.so.1 (0x00007fb83cf15000) >         libfreebl3.so => /lib64/libfreebl3.so (0x00007fb83cd12000) >