Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:71713 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 84594 invoked from network); 29 Jan 2014 04:20:52 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 29 Jan 2014 04:20:52 -0000 Authentication-Results: pb1.pair.com header.from=rdlowrey@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=rdlowrey@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.213.170 as permitted sender) X-PHP-List-Original-Sender: rdlowrey@gmail.com X-Host-Fingerprint: 209.85.213.170 mail-ig0-f170.google.com Received: from [209.85.213.170] ([209.85.213.170:61265] helo=mail-ig0-f170.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 61/80-14964-3A188E25 for ; Tue, 28 Jan 2014 23:20:52 -0500 Received: by mail-ig0-f170.google.com with SMTP id m12so16331141iga.1 for ; Tue, 28 Jan 2014 20:20:49 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=k41wmwXSZ1wzIndLYYTsYuQHuko0vRTxXaFqO/oJgF8=; b=QwO2reWynoAtnvgyIXqHMUYk+kSxYRm9GnLnpTJ7+g4NIL4qqVgMuBesfu+RY1ktKJ ZeJyRWD2MhltCx2vSNFL/IQ6XIGRbeYashOr5Yjokb8bwj/MMAq7oY9Ij1b5GklWcbxi 1fyDWEO79nWHPFjhnw/hxIVXegqGSIi6tjn95keB9VvTg42oZ2rdo4jvYLnUKwntbblM s89q3688jo7FtOcXmhZ/VmPGZ5sfPVB6IGSEgWLRa0ouPhGAc+V7BpjhQCGJ5Iou1fHT nrRhGxYJq62+h4LWlQ5dC+VRJFOBN82EoBt4KGaCJkz9EMJ2EzDw0ReunpGUIwT3WKyT 9PBw== MIME-Version: 1.0 X-Received: by 10.42.156.72 with SMTP id y8mr4210504icw.25.1390969249571; Tue, 28 Jan 2014 20:20:49 -0800 (PST) Received: by 10.50.29.140 with HTTP; Tue, 28 Jan 2014 20:20:49 -0800 (PST) In-Reply-To: References: Date: Tue, 28 Jan 2014 23:20:49 -0500 Message-ID: To: Yasuo Ohgaki Cc: "internals@lists.php.net" Content-Type: multipart/alternative; boundary=90e6ba2121f503a98c04f1144452 Subject: Re: [PHP-DEV] [RFC] Improved TLS Defaults From: rdlowrey@gmail.com (Daniel Lowrey) --90e6ba2121f503a98c04f1144452 Content-Type: text/plain; charset=ISO-8859-1 > I haven't read the RFC carefully yet, but it's great proposal! Thanks! > You probably reviewed this page already. > https://wiki.mozilla.org/Security/Server_Side_TLS > Yes I have! The cipher list proposed in the RFC was gathered from disparate research sources that did not include the Mozilla site. However you'll see that the excluded ciphers in the RFC actually match up directly with those in Mozilla's "Mandatory discards" section. Is your recommendation from OpenSSL project or else? > I couldn't find a page with quick search. > This is not surprising: the OpenSSL documentation is fairly outdated in most areas. However, I've made an effort to provide references for my reasoning with regard to the individual ciphers listed in the RFC. In response to your question, I've added more links (including references to the relevant Mozilla project page) and updated some of the relevant information in the RFC text. These changes are marked in the revision history at the top of the wiki page and I've incremented the RFC's version number from v0.1 to v0.2 to reflect the updates. @STRENGTH orders cipher as mozilla recommend? It seems this option is for > this and/or similar purpose. > The @STRENGTH element simply allows us to prefer algorithms with longer key lengths (e.g.256-bit ciphers preferred to 168-bit preferred to 128-bit). Because TLS clients will negotiate the cipher according to their preference order it's sensible to add this annotation. The exception to this rule is when a server specifies the "Honor Cipher Order" option (also proposed for addition as part of the RFC). For these cases the @STRENGTH specification still applies because as servers we still should prefer stronger ciphers by default. --90e6ba2121f503a98c04f1144452--