Newsgroups: php.internals
Date: Tue, 28 Jan 2014 17:05:23 -0500
From: rdlowrey@gmail.com (Daniel Lowrey)
To: Robert Stoll
Cc: "internals@lists.php.net"
Subject: Re: [PHP-DEV] [RFC] Improved TLS Defaults

Great! The default cipher list is really the main thing I want to flesh out
during the discussion process. You also won't hear me claim to be an
"expert" (whatever that entails). I think having the community as a whole
decide what's right for PHP is the best course of action here. Any feedback
on these points is appreciated (especially feedback that comes with
concrete references).

On Tue, Jan 28, 2014 at 5:00 PM, Robert Stoll wrote:

> Hey Daniel
>
> > -----Original Message-----
> > From: Daniel Lowrey [mailto:rdlowrey@gmail.com]
> > Sent: Tuesday, January 28, 2014 10:51 PM
> > To: internals@lists.php.net
> > Subject: [PHP-DEV] [RFC] Improved TLS Defaults
> >
> > Hello, internals!
> >
> > I've created a new RFC to discuss improving default TLS encryption
> > settings:
> >
> > https://wiki.php.net/rfc/improved-tls-defaults
> >
> > This RFC complements the previously accepted TLS Peer Verification RFC.
> >
> > I've proposed these (relatively straight-forward) changes in RFC form
> > because there does exist the potential for minimal BC breakage. I see
> > this breakage as a good thing because it enhances security, however
> > everyone may not share this view.
> >
> > Thanks in advance for your participation.
>
> I am not a security expert but I read (somewhere, don't ask me where
> please) that further ciphers should be excluded.
> Maybe they are already covered in !LOW but just in case:
>
> !DES:!3DES:!EXP:!SRP:!PSK
>
> Cheers,
> Robert