On Fri, Dec 1, 2017 at 11:52 AM, li...@rhsoft.net <li...@rhsoft.net> wrote:
> yes and since nobody ever should override the defaults in application code
> for obvious reasons that's the problem, you shouldn't mangle with openssl
> defaults in general and let openssl do the handshake which will end in the
> server side preferred cipher and so in the most secure
>
> what PHP does is making encryption weaker than it should be
>

Um. Did you look at the diff in question?
The old default was tls 1.0 only, the new default is tls 1.0, 1.1, or 1.2. The new default allows OpenSSL to negotiate for a preferred method where it couldn't before. The change literally does the opposite of what you're talking about.

-Sara