Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:72480 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 37251 invoked from network); 11 Feb 2014 21:53:07 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 11 Feb 2014 21:53:07 -0000 Authentication-Results: pb1.pair.com smtp.mail=rdlowrey@gmail.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=rdlowrey@gmail.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.223.181 as permitted sender) X-PHP-List-Original-Sender: rdlowrey@gmail.com X-Host-Fingerprint: 209.85.223.181 mail-ie0-f181.google.com Received: from [209.85.223.181] ([209.85.223.181:59456] helo=mail-ie0-f181.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 90/CF-62230-2CB9AF25 for ; Tue, 11 Feb 2014 16:53:07 -0500 Received: by mail-ie0-f181.google.com with SMTP id to1so4669863ieb.26 for ; Tue, 11 Feb 2014 13:53:03 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=M6U8X7RnvmY2be9WalodDui7Cq/deZWx45JbQRI0oPs=; b=ThxjG4XgOTGdrkIFrBquKSlj5V6U1pubUtZcVbnTBLKVF0BjBpRGTybAS9ZCvJycBI ip3WgJRHvW2trYA20cVUcfhtlrXZUBajx7oSJ+uJkJZ7aVJ1WrVrFGlxIvE3U/3TuUM3 nDYuaKAq61wSnVOadnT2IlMtIlpKFcSdndqvAmOqnLQJ7KbCCCj7Ou1soDM+6qkpKvlo FSqL5vq11X58kBS2fju6V/tOVMPwKucp5O0aH4E2xoWP2fTIXIWhFD7GrrSW9HKNUYfK l/V50+n014ELPCsuarWTU1WTQYsvTWj0/8I5cK3ryw4G5GgiL//q2Y1d4xMWvPSqPGeH yKTQ== MIME-Version: 1.0 X-Received: by 10.50.239.131 with SMTP id vs3mr640820igc.34.1392155583337; Tue, 11 Feb 2014 13:53:03 -0800 (PST) Received: by 10.50.34.131 with HTTP; Tue, 11 Feb 2014 13:53:03 -0800 (PST) In-Reply-To: <52FA932D.5050504@sugarcrm.com> References: <52FA932D.5050504@sugarcrm.com> Date: Tue, 11 Feb 2014 16:53:03 -0500 Message-ID: To: Stas Malyshev Cc: "internals@lists.php.net" Content-Type: multipart/alternative; boundary=001a1134db8604818304f2287bdf Subject: Re: [PHP-DEV] [VOTE] Improved TLS Defaults RFC From: rdlowrey@gmail.com (Daniel Lowrey) --001a1134db8604818304f2287bdf Content-Type: text/plain; charset=ISO-8859-1 On Tue, Feb 11, 2014 at 4:16 PM, Stas Malyshev wrote: > > Wouldn't it also be good to have a constant that has the > meaning of "every protocol you can possibly support (including TLS > protocols)"? > > This is a good point. For this reason it probably makes to either: 1. NOT re-purpose the two STREAM_CRYPTO_METHOD_SSLv23_* constants to mean SSLv2 or SSLv3 (retain the OpenSSL semantics of SSLv23) 2. Introduce two new constants, STREAM_CRYPTO_CLIENT and STREAM_CRYPTO_SERVER to mean "anything we can possibly support" I have a mild preference for #2 as it eliminates confusion that can arise if you don't have a firm grasp of what OpenSSL means by SSLv23 but am certainly willing to listen to the preponderance of opinion from others here. > - What is the motivation for verify_depth default of 3? RFC does not say > anything on it. > > I admit this one is a somewhat arbitrary limit (which explains the lack of explanation in the wiki text). OpenSSL will default to a limit of 9 if we don't specify one ourselves, so there's not really that much to be gained by using a default of 3. After considering this a bit more I think it best to eliminate the addition of a default value in this area altogether. I will update the RFC and patch accordingly. > - What is the use case for honor_cipher_order? If the client is "bad", > they won't use honor_cipher_order and thus this option doesn't add to > security. If the client is "well-behaved", they would use the correct > set of cyphers. Is this setting meant for PHP servers? Because the > example clearly uses client side. > Woops! This is a copy/paste error in my example. The honor_cipher_order only ever has meaning for servers. I will update the example on the wiki to reflect to correct (server) usage shortly. --001a1134db8604818304f2287bdf--