Newsgroups: php.internals
In-Reply-To: <66f219dc-abc3-b14c-71f8-570a4fc33c3f@rhsoft.net>
Date: Mon, 29 May 2017 13:02:51 +0200
To: "lists@rhsoft.net"
Cc: PHP Internals
Subject: Re: [PHP-DEV] [RFC][VOTE] Improved SSL / TLS constants
From: me@kelunik.com (Niklas Keller)

2017-05-29 10:18 GMT+02:00 lists@rhsoft.net:

> On 29.05.2017 at 09:48 Niklas Keller wrote:
>
>> Morning,
>>
>> I hereby open the vote on the "Improved SSL / TLS constants" RFC.
>>
>> This RFC proposes to change PHP's TLS constants to sane values. This change
>> has been avoided by the previous RFC for PHP 5.6 due to BC reasons. This
>> RFC favors better security instead of backwards compatibility with version
>> intolerant and out of date servers.
>>
>> You can find the full RFC here:
>> https://wiki.php.net/rfc/improved-tls-constants
>
> Make tls:// default to TLSv1.0 + TLSv1.1 + TLSv1.2
>
> this is nice for a limited timeframe but the wrong approach to begin with
> - it is *not* the business of PHP at all until *explicitly* requested from
> the userland code to interfere with *anything* in context of the TLS
> handshake
>
> it's the job of the underlying openssl library, how it is built and
> shipped by the distribution because then you support implicit TLS1.3 and a
> future TLS1.4, don't weaken things like
> https://fedoraproject.org/wiki/Changes/CryptoPolicy and respect sanely
> configured servers which are regularly checked with
> https://www.ssllabs.com/ssltest/

Unfortunately, the underlying OpenSSL library fails to provide sane defaults.
There are plans to switch to another mechanism supporting a `min_version` and
`max_version` instead, but this is not a thing yet.

Regards, Niklas
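As an added example (not code from the RFC or from anyone in this thread), this shows how userland PHP can pin the TLS protocol versions of a tls:// client connection explicitly through the stream context, so an application does not depend on whichever default the wrapper ships with; the host name is a placeholder and the function name is mine.

```php
<?php
// Added example: select the allowed TLS versions for a tls:// client explicitly
// through the 'crypto_method' SSL context option instead of relying on the
// default behind STREAM_CRYPTO_METHOD_TLS_CLIENT. The per-version constants
// exist since PHP 5.6. The host used below is a placeholder.

// The RFC's proposed default, spelled out as a bitmask: TLSv1.0 | TLSv1.1 | TLSv1.2.
$rfcDefault = STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT
    | STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT
    | STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT;

// A stricter policy for a client that only needs to talk to current servers.
$tls12Only = STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT;

function tlsConnect(string $host, int $port, int $cryptoMethod)
{
    $context = stream_context_create([
        'ssl' => [
            'crypto_method'    => $cryptoMethod, // bitmask of protocol versions the client may negotiate
            'verify_peer'      => true,          // keep certificate validation on
            'verify_peer_name' => true,
            'peer_name'        => $host,
        ],
    ]);

    // With the tls:// wrapper the handshake happens at connect time, so a server
    // that offers none of the allowed versions fails here instead of negotiating down.
    $socket = @stream_socket_client(
        "tls://{$host}:{$port}", $errno, $errstr, 10, STREAM_CLIENT_CONNECT, $context
    );

    if ($socket === false) {
        throw new RuntimeException("TLS connect to {$host}:{$port} failed: {$errstr} ({$errno})");
    }

    return $socket;
}

$socket = tlsConnect('example.invalid', 443, $tls12Only); // placeholder host
fclose($socket);
```

Passing `$rfcDefault` reproduces the RFC's proposed behaviour on any PHP version that has the per-version constants, while `$tls12Only` is the policy to use once the servers you talk to are known to be up to date.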