Am 01.12.2017 um 17:44 schrieb Niklas Keller:
li...@rhsoft.net <mailto:li...@rhsoft.net> <li...@rhsoft.net
<mailto:li...@rhsoft.net>> schrieb am Fr., 1. Dez. 2017, 17:13:
Am 30.11.2017 um 17:41 schrieb Hannes Magnusson:
>> - Improve TLS constants to sane values
>
> This worries me a lot. Last time someone thought it was a good
idea they
> introduced security vulnerability for all apps that used them.
that PHP now instead of ECDHE-RSA-AES128-SHA uses
ECDHE-RSA-AES128-GCM-SHA256 for TLS connections (and before 7.1 with
openssl 1.1 it was not able to use ECHDE at all) or that PHP don't let
the crypto library alone at all?
at least it got better with 7.2
We only changed the defaults in 7.2, it was possible to use the same
features before, except for the security level
yes and since nobody ever sould override the defaults in application
code for obvious reasons that's the problem, you shouldn't mangle with
openssl defaults in general and let openssl do the handshake which will
end in the server side perferred cipher and so in the most secure
what PHP does is making encryption weaker as it hsould be
above i talk about encrypted connection to mysqld
and *no* if our only cipher on the server is ECDHE-RSA-AES128-GCM-SHA256
anything before PHP 7.2 won't connect at all
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
