Newsgroups: php.internals
From: walterp@gmail.com (Walter Parker)
Date: Mon, 4 Dec 2017 21:52:23 -0800
To: "lists@rhsoft.net"
Cc: PHP Internals
Subject: Re: [PHP-DEV] PHP 7.2.0 Released

On Mon, Dec 4, 2017 at 6:27 PM, lists@rhsoft.net wrote:

> On 05.12.2017 at 01:19, Walter Parker wrote:
>
>> Oh, I see, this is not about the actual change (the protocol version). This
>> is about when using PHP on the client side, it does not support all/enough
>> of the modern cipher suite list.
>>
>> Now that we have identified the problem in question, this should help you
>> when you create your RFC to fix issues with the cipher suite list.
>>
>> FYI, the client and server send lists of ciphers that they support to
>> each other, the server does an AND and picks the highest cipher on the
>> list. If the client sends only NULL, then NULL is the only valid cipher.
>> OpenSSL has a default list which includes weak ciphers (such as DES), so
>> using the default list is a bad idea
>
> this is not true at all and that's why you use tools like
> https://www.ssllabs.com/ssltest/ and SSLHonorCipherOrder as serveradmin
> for many years if you care about TLS at all
>
> also the default openssl cipherlist is not just random
>
> as you can see it prefers the ECDSA AES-GCM followed by the RSA AES-GCM
> and after the ECDHE it continues with other GCM ciphers and the DES/CBC
> stuff is at a place in the list which never is selected these days
>
> [harry@srv-rhsoft:~]$ openssl ciphers -v
> ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
> ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
> ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
> ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
> ECDHE-ECDSA-AES256-CCM8 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM8(256) Mac=AEAD
> ECDHE-ECDSA-AES256-CCM TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM(256) Mac=AEAD
> ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
> ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
> ECDHE-ECDSA-AES128-CCM8 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM8(128) Mac=AEAD
> ECDHE-ECDSA-AES128-CCM TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM(128) Mac=AEAD
> ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
> ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
> ECDHE-ECDSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=Camellia(256) Mac=SHA384
> ECDHE-RSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=Camellia(256) Mac=SHA384
> ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
> ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
> ECDHE-ECDSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=Camellia(128) Mac=SHA256
> ECDHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=Camellia(128) Mac=SHA256
> ECDHE-ECDSA-AES256-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
> ECDHE-RSA-AES256-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
> ECDHE-ECDSA-AES128-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1
> ECDHE-RSA-AES128-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
> ECDHE-ECDSA-DES-CBC3-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=3DES(168) Mac=SHA1
> ECDHE-RSA-DES-CBC3-SHA TLSv1 Kx=ECDH Au=RSA Enc=3DES(168) Mac=SHA1
> AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
> AES256-CCM8 TLSv1.2 Kx=RSA Au=RSA Enc=AESCCM8(256) Mac=AEAD
> AES256-CCM TLSv1.2 Kx=RSA Au=RSA Enc=AESCCM(256) Mac=AEAD
> AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
> AES128-CCM8 TLSv1.2 Kx=RSA Au=RSA Enc=AESCCM8(128) Mac=AEAD
> AES128-CCM TLSv1.2 Kx=RSA Au=RSA Enc=AESCCM(128) Mac=AEAD
> AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
> CAMELLIA256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA256
> AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
> CAMELLIA128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA256
> AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
> CAMELLIA256-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA1
> AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
> CAMELLIA128-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA1
> DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
> DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(256) Mac=AEAD
> DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
> DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
> DHE-RSA-AES256-CCM8 TLSv1.2 Kx=DH Au=RSA Enc=AESCCM8(256) Mac=AEAD
> DHE-RSA-AES256-CCM TLSv1.2 Kx=DH Au=RSA Enc=AESCCM(256) Mac=AEAD
> DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(128) Mac=AEAD
> DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
> DHE-RSA-AES128-CCM8 TLSv1.2 Kx=DH Au=RSA Enc=AESCCM8(128) Mac=AEAD
> DHE-RSA-AES128-CCM TLSv1.2 Kx=DH Au=RSA Enc=AESCCM(128) Mac=AEAD
> DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
> DHE-DSS-AES256-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(256) Mac=SHA256
> DHE-RSA-CAMELLIA256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA256
> DHE-DSS-CAMELLIA256-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=Camellia(256) Mac=SHA256
> DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
> DHE-DSS-AES128-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(128) Mac=SHA256
> DHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA256
> DHE-DSS-CAMELLIA128-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=Camellia(128) Mac=SHA256
> DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
> DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
> DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1
> DHE-DSS-CAMELLIA256-SHA SSLv3 Kx=DH Au=DSS Enc=Camellia(256) Mac=SHA1
> DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
> DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
> DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1
> DHE-DSS-CAMELLIA128-SHA SSLv3 Kx=DH Au=DSS Enc=Camellia(128) Mac=SHA1
> DHE-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
> DHE-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
> PSK-AES256-GCM-SHA384 TLSv1.2 Kx=PSK Au=PSK Enc=AESGCM(256) Mac=AEAD
> PSK-CHACHA20-POLY1305 TLSv1.2 Kx=PSK Au=PSK Enc=CHACHA20/POLY1305(256) Mac=AEAD
> PSK-AES256-CCM8 TLSv1.2 Kx=PSK Au=PSK Enc=AESCCM8(256) Mac=AEAD
> PSK-AES256-CCM TLSv1.2 Kx=PSK Au=PSK Enc=AESCCM(256) Mac=AEAD
> PSK-AES128-GCM-SHA256 TLSv1.2 Kx=PSK Au=PSK Enc=AESGCM(128) Mac=AEAD
> PSK-AES128-CCM8 TLSv1.2 Kx=PSK Au=PSK Enc=AESCCM8(128) Mac=AEAD
> PSK-AES128-CCM TLSv1.2 Kx=PSK Au=PSK Enc=AESCCM(128) Mac=AEAD
> PSK-AES256-CBC-SHA384 TLSv1 Kx=PSK Au=PSK Enc=AES(256) Mac=SHA384
> PSK-AES256-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=AES(256) Mac=SHA1
> PSK-CAMELLIA256-SHA384 TLSv1 Kx=PSK Au=PSK Enc=Camellia(256) Mac=SHA384
> PSK-AES128-CBC-SHA256 TLSv1 Kx=PSK Au=PSK Enc=AES(128) Mac=SHA256
> PSK-AES128-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=AES(128) Mac=SHA1
> PSK-CAMELLIA128-SHA256 TLSv1 Kx=PSK Au=PSK Enc=Camellia(128) Mac=SHA256
> PSK-3DES-EDE-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=3DES(168) Mac=SHA1
> DHE-PSK-AES256-GCM-SHA384 TLSv1.2 Kx=DHEPSK Au=PSK Enc=AESGCM(256) Mac=AEAD
> DHE-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=DHEPSK Au=PSK Enc=CHACHA20/POLY1305(256) Mac=AEAD
> DHE-PSK-AES256-CCM8 TLSv1.2 Kx=DHEPSK Au=PSK Enc=AESCCM8(256) Mac=AEAD
> DHE-PSK-AES256-CCM TLSv1.2 Kx=DHEPSK Au=PSK Enc=AESCCM(256) Mac=AEAD
> DHE-PSK-AES128-GCM-SHA256 TLSv1.2 Kx=DHEPSK Au=PSK Enc=AESGCM(128) Mac=AEAD
> DHE-PSK-AES128-CCM8 TLSv1.2 Kx=DHEPSK Au=PSK Enc=AESCCM8(128) Mac=AEAD
> DHE-PSK-AES128-CCM TLSv1.2 Kx=DHEPSK Au=PSK Enc=AESCCM(128) Mac=AEAD
> DHE-PSK-AES256-CBC-SHA384 TLSv1 Kx=DHEPSK Au=PSK Enc=AES(256) Mac=SHA384
> DHE-PSK-AES256-CBC-SHA SSLv3 Kx=DHEPSK Au=PSK Enc=AES(256) Mac=SHA1
> DHE-PSK-CAMELLIA256-SHA384 TLSv1 Kx=DHEPSK Au=PSK Enc=Camellia(256) Mac=SHA384
> DHE-PSK-AES128-CBC-SHA256 TLSv1 Kx=DHEPSK Au=PSK Enc=AES(128) Mac=SHA256
> DHE-PSK-AES128-CBC-SHA SSLv3 Kx=DHEPSK Au=PSK Enc=AES(128) Mac=SHA1
> DHE-PSK-CAMELLIA128-SHA256 TLSv1 Kx=DHEPSK Au=PSK Enc=Camellia(128) Mac=SHA256
> DHE-PSK-3DES-EDE-CBC-SHA SSLv3 Kx=DHEPSK Au=PSK Enc=3DES(168) Mac=SHA1
> ECDHE-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=ECDHEPSK Au=PSK Enc=CHACHA20/POLY1305(256) Mac=AEAD
> ECDHE-PSK-AES256-CBC-SHA384 TLSv1 Kx=ECDHEPSK Au=PSK Enc=AES(256) Mac=SHA384
> ECDHE-PSK-AES256-CBC-SHA TLSv1 Kx=ECDHEPSK Au=PSK Enc=AES(256) Mac=SHA1
> ECDHE-PSK-CAMELLIA256-SHA384 TLSv1 Kx=ECDHEPSK Au=PSK Enc=Camellia(256) Mac=SHA384
> ECDHE-PSK-AES128-CBC-SHA256 TLSv1 Kx=ECDHEPSK Au=PSK Enc=AES(128) Mac=SHA256
> ECDHE-PSK-AES128-CBC-SHA TLSv1 Kx=ECDHEPSK Au=PSK Enc=AES(128) Mac=SHA1
> ECDHE-PSK-CAMELLIA128-SHA256 TLSv1 Kx=ECDHEPSK Au=PSK Enc=Camellia(128) Mac=SHA256
> ECDHE-PSK-3DES-EDE-CBC-SHA TLSv1 Kx=ECDHEPSK Au=PSK Enc=3DES(168) Mac=SHA1

Your link doesn't say what you think it does. Your follow-up comments also
appear to have little relevance to the topic at hand. Could someone please
let me know if Lists ever get back on topic with responses to the questions
and statements made, rather than charging sideways off the field?

Thanks!

-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding. -- Justice Louis D. Brandeis
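
Added example, not part of the thread or of PHP/OpenSSL: the thread turns on where weak suites sit in an `openssl ciphers -v` list and on which side's ordering decides the negotiated suite (the SSLHonorCipherOrder setting mentioned above). This Python sketch parses a few rows copied from the quoted output, flags suites under two simple rules, and models selection from the shared set under either ordering; the function names and the rules are assumptions of this example.

```python
# Added example. Rows are copied from the `openssl ciphers -v` output quoted above;
# the function names and the weakness rules are this example's own assumptions.
SAMPLE = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
ECDHE-RSA-DES-CBC3-SHA TLSv1 Kx=ECDH Au=RSA Enc=3DES(168) Mac=SHA1
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
"""


def parse_ciphers(text):
    """Parse `openssl ciphers -v` rows into dicts, preserving preference order."""
    suites = []
    rows = [line for line in text.splitlines() if line.strip()]
    for rank, line in enumerate(rows):
        name, proto, *attrs = line.split()
        fields = dict(attr.split("=", 1) for attr in attrs)
        suites.append({"rank": rank, "name": name, "proto": proto, **fields})
    return suites


def weak_reasons(suite):
    """Return why a suite is undesirable (empty list if none of the rules match)."""
    reasons = []
    if suite["Enc"].startswith(("3DES", "DES", "RC4", "None")):
        reasons.append("weak-cipher")
    if suite["Kx"] == "RSA":  # static RSA key exchange
        reasons.append("no-forward-secrecy")
    return reasons


def audit(text):
    """Map each flagged suite name to (rank in list, reasons)."""
    return {s["name"]: (s["rank"], weak_reasons(s))
            for s in parse_ciphers(text) if weak_reasons(s)}


def negotiate(client_offer, server_list, honor_server_order):
    """Pick the first suite of the honored side's list that the other side also has."""
    preferred, other = ((server_list, client_offer) if honor_server_order
                        else (client_offer, server_list))
    shared = set(other)
    return next((name for name in preferred if name in shared), None)


if __name__ == "__main__":
    server = [s["name"] for s in parse_ciphers(SAMPLE)]
    print(audit(SAMPLE))
    print(negotiate(["DES-CBC3-SHA", "ECDHE-RSA-AES256-GCM-SHA384"], server, False))
    print(negotiate(["DES-CBC3-SHA", "ECDHE-RSA-AES256-GCM-SHA384"], server, True))
```

A `None` result models a handshake failure because the two lists share no suite; removing flagged suites from the server list is what guarantees they cannot be chosen regardless of ordering.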