Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC][VOTE] Improved SSL / TLS constants
From: bukka@php.net (Jakub Zelenka)
Date: Mon, 29 May 2017 20:55:50 +0100
To: "lists@rhsoft.net"
Cc: PHP internals list
In-Reply-To: <66f219dc-abc3-b14c-71f8-570a4fc33c3f@rhsoft.net>

On Mon, May 29, 2017 at 9:18 AM, lists@rhsoft.net wrote:

> On 29.05.2017 at 09:48, Niklas Keller wrote:
>
>> Morning,
>>
>> I hereby open the vote on the "Improved SSL / TLS constants" RFC.
>>
>> This RFC proposes to change PHP's TLS constants to sane values. This change
>> has been avoided by the previous RFC for PHP 5.6 due to BC reasons. This
>> RFC favors better security instead of backwards compatibility with version
>> intolerant and out of date servers.
>>
>> You can find the full RFC here:
>> https://wiki.php.net/rfc/improved-tls-constants
>
> Make tls:// default to TLSv1.0 + TLSv1.1 + TLSv1.2
>
> this is nice for a limited timeframe but the wrong approach to begin with
> - it is *not* the business of PHP at all until *explicitly* requested from
> the userland code to interfere with *anything* in context of the TLS
> handshake
>
> it's the job of the underlying openssl library, how it is built and
> shipped by the distribution, because then you support implicit TLS1.3 and a
> future TLS1.4, don't weaken things like
> https://fedoraproject.org/wiki/Changes/CryptoPolicy and respect sanely
> configured servers which are regularly checked with
> https://www.ssllabs.com/ssltest/

Once the TLS 1.3 support is added, it will be in it as well. I think we should
stay away from setting specific protocols and go just for min and max, which
is the way that OpenSSL is going, though.

Cheers

Jakub
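The point both sides of this exchange agree on is that a client that cares about the protocol version should say so explicitly in userland rather than depend on what the tls:// wrapper happens to default to in a given PHP release. The following is an added example, not code from the RFC or from PHP itself, showing how that explicit request looks with the stream context API: the "TLSv1.0 + TLSv1.1 + TLSv1.2" default the RFC proposes is just the OR of the per-version STREAM_CRYPTO_METHOD_*_CLIENT flags, and a hardened client can pass a narrower mask. The host www.example.com is an assumption for demonstration only; the script needs network access, and reading the negotiated protocol from stream_get_meta_data() assumes PHP 7 or later.

```php
<?php
// Added example (not the RFC's or PHP's own code): request specific TLS
// versions from userland instead of relying on the tls:// wrapper default.
declare(strict_types=1);

/**
 * Build an SSL stream context that only permits the given protocol versions.
 * $methods is a bitmask of STREAM_CRYPTO_METHOD_*_CLIENT constants; because
 * they are bit flags, "TLSv1.0 + TLSv1.1 + TLSv1.2" as the RFC puts it is
 * simply the OR of the three per-version flags.
 */
function tls_client_context(int $methods, string $peerName)
{
    return stream_context_create([
        'ssl' => [
            'crypto_method'     => $methods,
            'verify_peer'       => true,   // default since PHP 5.6, stated explicitly
            'verify_peer_name'  => true,
            'peer_name'         => $peerName,
            'allow_self_signed' => false,
        ],
    ]);
}

/**
 * Connect with the given method mask and return the protocol OpenSSL actually
 * negotiated (e.g. "TLSv1.2"), or null if the handshake failed.
 * Needs network access; on PHP 7+ the negotiated parameters are exposed under
 * the 'crypto' key of stream_get_meta_data().
 */
function negotiated_protocol(string $host, int $port, int $methods): ?string
{
    $ctx  = tls_client_context($methods, $host);
    $sock = @stream_socket_client(
        "tls://{$host}:{$port}", $errno, $errstr, 10,
        STREAM_CLIENT_CONNECT, $ctx
    );
    if ($sock === false) {
        fwrite(STDERR, "handshake with {$host}:{$port} failed: {$errstr}\n");
        return null;
    }
    $meta = stream_get_meta_data($sock);
    fclose($sock);
    return $meta['crypto']['protocol'] ?? null;
}

// Assumed host for the demonstration; any public HTTPS endpoint will do.
$host = 'www.example.com';

// 1. The RFC's proposed tls:// default, spelled out as a mask: TLS 1.0-1.2.
$rfcDefault = STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT
            | STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT
            | STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT;

// 2. What a hardened client requests explicitly: TLS 1.2 only. On PHP 7.4+
//    STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT can be OR-ed in as well.
$tls12Only = STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT;

foreach (['RFC default' => $rfcDefault, 'TLS 1.2 only' => $tls12Only] as $label => $mask) {
    printf("%-13s -> %s\n", $label, negotiated_protocol($host, 443, $mask) ?? 'no connection');
}
```

With the narrow mask, a peer that only offers TLS 1.0 or 1.1 fails the handshake instead of silently downgrading, which is the behaviour the RFC's critics want userland to opt into rather than receive from the wrapper; setting crypto_method in the context overrides whatever the tls:// transport would otherwise pick, so the same code behaves identically on PHP versions before and after the RFC.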