Newsgroups: php.internals
From: php@tutteli.ch ("Robert Stoll")
To: "'Daniel Lowrey'"
Date: Tue, 28 Jan 2014 23:00:52 +0100
Message-ID: <006c01cf1c74$69f12870$3dd37950$@tutteli.ch>
Subject: RE: [PHP-DEV] [RFC] Improved TLS Defaults

Hey Daniel

> -----Original Message-----
> From: Daniel Lowrey [mailto:rdlowrey@gmail.com]
> Sent: Tuesday, January 28, 2014 10:51 PM
> To: internals@lists.php.net
> Subject: [PHP-DEV] [RFC] Improved TLS Defaults
>
> Hello, internals!
>
> I've created a new RFC to discuss improving default TLS encryption settings:
>
> https://wiki.php.net/rfc/improved-tls-defaults
>
> This RFC complements the previously accepted TLS Peer Verification RFC.
>
> I've proposed these (relatively straight-forward) changes in RFC form
> because there does exist the potential for minimal BC breakage. I see this
> breakage as a good thing because it enhances security, however everyone may
> not share this view.
>
> Thanks in advance for your participation.

I am not a security expert but I read (somewhere, don't ask me where please) that further ciphers should be excluded. Maybe they are already covered in !LOW but just in case:

!DES:!3DES:!EXP:!SRP:!PSK

Cheers,
Robert