Newsgroups: php.internals
From: lists@rhsoft.net
To: PHP Internals
Date: Tue, 5 Dec 2017 09:54:17 +0100
Subject: Re: [PHP-DEV] PHP 7.2.0 Released

On 05.12.2017 at 06:52, Walter Parker wrote:
> On Mon, Dec 4, 2017 at 6:27 PM, lists@rhsoft.net wrote:
>
> > On 05.12.2017 at 01:19, Walter Parker wrote:
> >
> > > Oh, I see, this is not about the actual change (the protocol
> > > version). This is about when using PHP on the client side, it
> > > does not support all/enough of the modern cipher suite list.
> > >
> > > Now that we have identified the problem in question, this should
> > > help you when you create your RFC to fix issues with the cipher
> > > suite list.
> > >
> > > FYI, the client and server send lists of ciphers that they
> > > support to each other, the server does an AND and picks the
> > > highest cipher on the list. If the client sends only NULL,
> > > then NULL is the only valid cipher. OpenSSL has default list
> > > which includes weak ciphers (such as DES), so using the default
> > > list is bad idea
> >
> > this is not true at all and that's why you use tools like
> > https://www.ssllabs.com/ssltest/
> > and SSLHonorCipherOrder as serveradmin for many years if you care
> > about TLS at all
> >
> > also the default openssl cipherlist is not just random
> >
> > as you can see it prefers the ECDSA AES-GCM followed by the RSA
> > AES-GCM and after the ECDHE it continues with other GCM ciphers and
> > the DES/CBC stuff is at a place in the list which never is selected
> > these days
>
> Your link doesn't say what you think it does

which one? https://www.ssllabs.com/ssltest/

sorry, but if you don't know what ssllab does and how it is used by serveradmins to make sure clients are using best possible encryption you are hardly in the position making comments like "OpenSSL has default list which includes weak ciphers (such as DES), so using the default list is bad idea"

and instead of abusive responses you could have entered the url of a TLS webserver

> Your follow up comments
> also appear to have little relevance to the topic at hand.

correct and the reason is that i needed to give you some basic education how ciphers in the real world are negotiated

> Could someone please let me know if Lists ever get back on topic with
> responses to the questions and statements made, rather than charging
> sideways off the field?

go and provoke someone else when you make clueless statements like "OpenSSL has default list which includes weak ciphers (such as DES), so using the default list is bad idea"
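
The negotiation question argued in this thread, as an added example that is not part of the original message: a simplified Python model of TLS 1.2-style suite selection that reports which clients end up on a weak suite, with and without server preference order (what SSLHonorCipherOrder controls) and after removing weak suites from the server list. The suite lists and client names are constructed, `negotiate` and `weak_exposure` are hypothetical helpers, and real selection also depends on protocol version and certificate key type.

```python
# Added example: simplified model of TLS 1.2-style cipher suite selection.
# All suite lists and client names below are constructed sample data.
WEAK_TOKENS = {"NULL", "EXP", "RC4", "DES", "MD5"}

def is_weak(suite):
    """Flag a suite whose OpenSSL-style name contains a weak algorithm token."""
    return bool(WEAK_TOKENS & set(suite.split("-")))

def negotiate(client_prefs, server_prefs, honor_server_order=True):
    """Pick the first mutually supported suite, walking the list of whichever
    side's preference order wins. Returns None if nothing is shared."""
    if honor_server_order:
        ordered, offered = server_prefs, set(client_prefs)
    else:
        ordered, offered = client_prefs, set(server_prefs)
    return next((s for s in ordered if s in offered), None)

def weak_exposure(server_prefs, clients, honor_server_order=True):
    """Return {client: suite} for every client that lands on a weak suite."""
    result = {}
    for name, prefs in clients.items():
        chosen = negotiate(prefs, server_prefs, honor_server_order)
        if chosen is not None and is_weak(chosen):
            result[name] = chosen
    return result

# Constructed server list: strong suites first, 3DES kept at the end.
SERVER = [
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-AES256-GCM-SHA384",
    "AES128-SHA",
    "DES-CBC3-SHA",
]
HARDENED = [s for s in SERVER if not is_weak(s)]  # weak suites removed

CLIENTS = {  # constructed client offers, in client preference order
    "modern": ["ECDHE-RSA-AES256-GCM-SHA384", "AES128-SHA", "DES-CBC3-SHA"],
    "weak-first": ["DES-CBC3-SHA", "AES128-SHA", "ECDHE-RSA-AES256-GCM-SHA384"],
    "legacy-only": ["DES-CBC3-SHA"],
    "null-only": ["NULL-SHA"],
}

if __name__ == "__main__":
    print("server order honored:", weak_exposure(SERVER, CLIENTS, True))
    print("client order honored:", weak_exposure(SERVER, CLIENTS, False))
    print("weak suites removed: ", weak_exposure(HARDENED, CLIENTS, True))
```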