Newsgroups: php.internals
Date: Tue, 5 Dec 2017 08:45:00 -0800
From: walterp@gmail.com (Walter Parker)
To: "lists@rhsoft.net"
Cc: PHP Internals
Subject: Re: [PHP-DEV] PHP 7.2.0 Released

On Tue, Dec 5, 2017 at 12:54 AM, lists@rhsoft.net wrote:

> On 05.12.2017 at 06:52, Walter Parker wrote:
>
>> On Mon, Dec 4, 2017 at 6:27 PM, lists@rhsoft.net wrote:
>>
>>> On 05.12.2017 at 01:19, Walter Parker wrote:
>>>
>>>> Oh, I see, this is not about the actual change (the protocol
>>>> version). This is about when using PHP on the client side, it
>>>> does not support all/enough of the modern cipher suite list.
>>>>
>>>> Now that we have identified the problem in question, this should
>>>> help you when you create your RFC to fix issues with the cipher
>>>> suite list.
>>>>
>>>> FYI, the client and server send lists of ciphers that they
>>>> support to each other, the server does an AND and picks the
>>>> highest cipher on the list. If the client sends only NULL,
>>>> then NULL is the only valid cipher. OpenSSL has default list
>>>> which includes weak ciphers (such as DES), so using the default
>>>> list is bad idea
>>>
>>> this is not true at all and that's why you use tools like
>>> https://www.ssllabs.com/ssltest/ and SSLHonorCipherOrder as
>>> serveradmin for many years if you care about TLS at all
>>>
>>> also the default openssl cipherlist is not just random
>>>
>>> as you can see it prefers the ECDSA AES-GCM followed by the RSA
>>> AES-GCM and after the ECDHE it continues with other GCM ciphers and
>>> the DES/CBC stuff is at a place in the list which never is selected
>>> these days
>>
>> Your link doesn't say what you think it does
>
> which one?
> https://www.ssllabs.com/ssltest/
>
> sorry, but if you don't know what ssllab does and how it is used by
> serveradmins to make sure clients using best possible encryption you are
> hardly in the position making comments like "OpenSSL has default list which
> includes weak ciphers (such as DES), so using the default list is bad idea"
> and instead of abusive responses you could have entered the url of a TLS
> webserver
>
>> Your follow up comments also appear to have little relevance to the topic
>> at hand.
>
> correct and the reason is that i needed to give you some basic education
> how ciphers in the real world are negotiated
>
>> Could someone please let me know if Lists ever get back on topic with
>> responses to the questions and statements made, rather than charging
>> sideways off the field?
>
> go and provoke someone else when you make clueless statements like
> "OpenSSL has default list which includes weak ciphers (such as DES), so
> using the default list is bad idea"

Lists, I give you the same advice.

I know and use SSL Labs, I have been a subscriber to Ivan's mailing list for
years. Older versions of OpenSSL had a default list of +ALL, -aNULL, -eNULL
as the default list of ciphers. Before DES was removed in the new versions
of OpenSSL, that means the list included things like DES and RC4. That is
why server admins always spelled out long lists of ciphers, to guarantee
that weak ciphers would not appear on older installs.

I found this information by reading the code bases themselves. Where did
you find your information?

I'm done with you. You don't understand and, worse, you don't want to
understand but think you understand. You just admitted to that. Please stop
until you get proper training as someone else on this list might make the
same mistakes that you are.

-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding. -- Justice Louis D. Brandeis
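
Added example, not part of the thread or of either poster's message: a small Python model of the cipher-suite selection step (TLS 1.2 and earlier) that the messages above argue about, showing what a permissive list and an explicit list each allow when the peer is modern and when it offers only weak suites. The cipher lists, the `WEAK_TOKENS` classification and the function names are assumptions constructed for this illustration; they are not real OpenSSL defaults.

```python
# Added illustration: a model of TLS <= 1.2 cipher-suite selection.
# All cipher lists below are constructed samples, not real OpenSSL defaults.

WEAK_TOKENS = {"DES", "RC4", "NULL", "EXP", "MD5"}  # assumption: what counts as weak


def is_weak(suite):
    """Flag a suite whose OpenSSL-style name contains a weak primitive."""
    return any(tok in WEAK_TOKENS for tok in suite.split("-"))


def negotiate(client, server, honor_server_order=True):
    """Return the suite the server selects, or None for a handshake failure.

    The server may only choose from suites present in both lists. With
    honor_server_order (Apache's SSLHonorCipherOrder) it walks its own
    preference order; otherwise it walks the client's.
    """
    first, second = (server, client) if honor_server_order else (client, server)
    allowed = set(second)
    for suite in first:
        if suite in allowed:
            return suite
    return None


# Constructed lists: a permissive "everything except NULL" style list, and
# an explicit list of the kind admins spelled out by hand.
PERMISSIVE = ["ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
              "AES128-SHA", "RC4-SHA", "DES-CBC-SHA"]
EXPLICIT = [s for s in PERMISSIVE if not is_weak(s)]

MODERN_CLIENT = ["ECDHE-RSA-AES256-GCM-SHA384", "AES128-SHA", "RC4-SHA"]
LEGACY_CLIENT = ["RC4-SHA", "DES-CBC-SHA"]  # constructed peer offering only weak suites


def scenarios():
    """Run the four cases discussed in the lead-in and return the chosen suites."""
    return {
        "modern/permissive": negotiate(MODERN_CLIENT, PERMISSIVE),
        "legacy/permissive": negotiate(LEGACY_CLIENT, PERMISSIVE),
        "legacy/explicit": negotiate(LEGACY_CLIENT, EXPLICIT),
        "client-order": negotiate(["RC4-SHA", "AES128-SHA"], PERMISSIVE, False),
    }


if __name__ == "__main__":
    for name, chosen in scenarios().items():
        label = "FAIL (no shared suite)" if chosen is None else chosen
        print(f"{name:18} -> {label}{'  [weak]' if chosen and is_weak(chosen) else ''}")
```

With a modern peer the weak entries at the tail of the permissive list are never reached; they only matter when the peer offers nothing better or when the peer's order is followed, and in those cases the explicit list turns a weak session into a failed handshake.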