Newsgroups: php.internals
Xref: news.php.net php.internals:101250
Subject: Re: [PHP-DEV] PHP 7.2.0 Released
From: lists@rhsoft.net ("lists@rhsoft.net")
To: PHP Internals <internals@lists.php.net>
Date: Tue, 5 Dec 2017 18:09:42 +0100

On 05.12.2017 at 17:45, Walter Parker wrote:
> Lists, I give you the same advice. I know and use SSL Labs, I've been a
> subscriber to Ivan's mailing list for years. Older versions of Openssl
> had a default list of +ALL, -aNULL, -eNULL as the default list of
> ciphers

yes

> Before DES was removed in the new versions of openssl, that
> means the list included things like DES and RC4

doesn't matter, because no somewhat recent client would have negotiated
DES/RC4 with a config like the one below, even if the SSLCipherSuite
contained RC4/DES at the end of the list

SSLHonorCipherOrder On
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA

> That is why server
> admins always spelled out long lists of ciphers, to guarantee that weak
> ciphers would not appear on older installs. I found this information by
> reading the code bases themselves, where did you find your information?

frankly, you are saying exactly the same as I did

the point is that for nearly a decade servers have taken care of the
negotiated ciphers, and when tomorrow one of them, like AES-CBC with its
several vulnerabilities in the past years, becomes problematic (as when
you were even advised to prefer RC4 over block ciphers for the time
window of a large number of unfixed clients), you as server admin can
mitigate the problem, but only if the client is not PHP, which thinks it
can outsmart the client OpenSSL as well as the server's configuration

this also makes initiatives like
https://fedoraproject.org/wiki/Changes/CryptoPolicy useless, and
everything reacts faster than waiting for the next PHP point release!

> I'm done with you. You don't understand and worse you don't want to
> understand but think you understand. You just admitted to that. Please
> stop until you get proper training as someone else on this list might
> make the same mistakes that you are

yes, please stop responding to any of my mails, and especially stop the
off-list mails
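An added example (not part of this thread or of PHP's own code) showing how a PHP TLS client can pin its own cipher offer instead of relying on PHP's built-in default, and then audit which cipher and protocol were actually negotiated; `$host` and the cipher list are placeholders, and the `crypto` key in `stream_get_meta_data()` is assumed to be available as in PHP 7.2 and later.

```php
<?php
// Added example: pin the client-side cipher offer and audit the negotiated
// cipher. $host is a placeholder; replace it with a host you operate.
$host = 'example.com';

// Same OpenSSL cipher-list syntax as Apache's SSLCipherSuite; here a short
// AEAD-only subset is used as the client's offer (placeholder list).
$ciphers = 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:'
         . 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';

$ctx = stream_context_create(['ssl' => [
    'verify_peer'      => true,
    'verify_peer_name' => true,
    'peer_name'        => $host,
    'ciphers'          => $ciphers,  // overrides PHP's default cipher list
]]);

$fp = stream_socket_client("tls://$host:443", $errno, $errstr, 10,
                           STREAM_CLIENT_CONNECT, $ctx);
if ($fp === false) {
    fwrite(STDERR, "connect failed: [$errno] $errstr\n");
    exit(1);
}

// Negotiated session parameters, exposed by the TLS stream wrapper.
$meta = stream_get_meta_data($fp)['crypto'] ?? [];
fclose($fp);

printf("protocol=%s cipher=%s bits=%d\n",
       $meta['protocol'] ?? 'unknown',
       $meta['cipher_name'] ?? 'unknown',
       $meta['cipher_bits'] ?? 0);
```

The `ciphers` option controls the TLS 1.2 and earlier cipher list only; TLS 1.3 suites are configured separately by OpenSSL and are not affected by it.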