On Mon, May 29, 2017 at 9:18 AM, li...@rhsoft.net <li...@rhsoft.net> wrote:
> On 29.05.2017 at 09:48, Niklas Keller wrote:
>> Morning,
>>
>> I hereby open the vote on the "Improved SSL / TLS constants" RFC.
>>
>> This RFC proposes to change PHP's TLS constants to sane values. This change
>> has been avoided by the previous RFC for PHP 5.6 due to BC reasons. This
>> RFC favors better security instead of backwards compatibility with version
>> intolerant and out of date servers.
>>
>> You can find the full RFC here:
>> https://wiki.php.net/rfc/improved-tls-constants
>
> > Make tls:// default to TLSv1.0 + TLSv1.1 + TLSv1.2
>
> this is nice for a limited timeframe but the wrong approach to begin with
> - it is *not* the business of PHP at all until *explicitly* requested from
> the userland code to interfere with *anything* in context of the TLS
> handshake
>
> it's the job of the underlying openssl library, how it is built and
> shipped by the distribution, because then you support implicit TLS1.3 and a
> future TLS1.4, don't weaken things like
> https://fedoraproject.org/wiki/Changes/CryptoPolicy and respect sanely
> configured servers which are regularly checked with
> https://www.ssllabs.com/ssltest/

Once the TLS 1.3 support is added, it will be in it as well. I think we should stay away from setting specific protocols and go just for min and max which is the way that OpenSSL is going though.

Cheers

Jakub
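The thread argues over what `tls://` should default to. Whatever the default ends up being, application code that cares can pin the crypto method itself through the `ssl` stream context options. The following is an added example (not code from the thread, the RFC or PHP itself) that allows only TLS 1.2, plus TLS 1.3 where the PHP build exposes that constant, and reports the protocol the server actually negotiated; the host name is a placeholder to be replaced when running it, and the `crypto` metadata key is assumed to be present on builds with ext/openssl.

```php
<?php
// Added example: pin the TLS versions a client stream will accept instead of
// relying on the tls:// default discussed in the thread. Assumes ext/openssl.

function strictTlsMethod(): int
{
    // TLS 1.2 is the floor; add TLS 1.3 when this PHP build defines it
    // (the constant appeared in PHP 7.4 on OpenSSL 1.1.1+).
    $method = STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT;
    if (defined('STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT')) {
        $method |= STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT;
    }
    return $method;
}

function strictTlsContext()
{
    // crypto_method overrides the wrapper default; peer verification is the
    // PHP 5.6+ default but is stated explicitly so the policy is visible.
    return stream_context_create([
        'ssl' => [
            'crypto_method'     => strictTlsMethod(),
            'verify_peer'       => true,
            'verify_peer_name'  => true,
            'allow_self_signed' => false,
        ],
    ]);
}

function negotiatedProtocol(string $host, int $port = 443, float $timeout = 5.0): ?string
{
    $fp = @stream_socket_client(
        "tls://{$host}:{$port}",
        $errno,
        $errstr,
        $timeout,
        STREAM_CLIENT_CONNECT,
        strictTlsContext()
    );
    if ($fp === false) {
        // Handshake refused (server offers nothing at or above TLS 1.2,
        // certificate failed verification) or a plain network error.
        fwrite(STDERR, "connect failed: [{$errno}] {$errstr}\n");
        return null;
    }
    // ext/openssl fills in $meta['crypto'] with protocol, cipher_name, ...
    $meta = stream_get_meta_data($fp);
    fclose($fp);
    return $meta['crypto']['protocol'] ?? 'unknown';
}

// Usage: php strict_tls.php <hostname>   ("example.invalid" is a placeholder)
$host  = $argv[1] ?? 'example.invalid';
$proto = negotiatedProtocol($host);
echo $proto === null
    ? "no TLS >= 1.2 session could be established with {$host}\n"
    : "negotiated {$proto} with {$host}\n";
```

Because `crypto_method` is a bitmask of explicit versions, this is the "setting specific protocols" style Jakub wants to move away from: a future TLS 1.4 would have to be added to the mask by hand, which is exactly the maintenance problem a min/max pair avoids.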