Newsgroups: php.internals
Xref: news.php.net php.internals:77473
Date: Mon, 22 Sep 2014 12:07:11 -0400
From: rdlowrey@php.net (Daniel Lowrey)
To: "internals@lists.php.net"
Subject: Re: PHP 5.6 and default cipher list in OpenSSL

> Hi,
>
> Sorry to have not detected this problem at RFC time, but the new hardcoded
> cipher list causes some trouble in Fedora.
>
> See: https://bugs.php.net/68074
> http://fedoraproject.org/wiki/Changes/CryptoPolicy
> https://fedoraproject.org/wiki/User:Nmav/CryptoPolicies
> https://wiki.php.net/rfc/improved-tls-defaults#default_ciphers
>
> And the simple patch
> https://bugs.php.net/patch-display.php?bug_id=68074&patch=system-ciphers.patch&revision=latest
>
> If no objection, I plan to apply this quite soon in 5.6+

This is sensible to me. It gives distros the ability to fine-tune crypto ciphers in accordance with their own policies and legal requirements. This has been an issue for RHEL at least in the past with regard to elliptic curve ciphers. Adding the compile directive would protect users by default with the new ciphers without causing problems for those adhering to specific organizational/institutional requirements.