On 02.12.2017 at 02:08, Walter Parker wrote:
Lists, I fail to see how Sara was wrong and you are right.
In the old PHP, it was TLS 1.0

bad enough

In the new PHP, it is TLS 1.2, TLS1.1, TLS1.3

you surely meant 1.0 instead of 1.3 here

When TLS1.3 comes out, old PHP will use only TLS1.0. <- This doesn't work
today for many sites

it shouldn't have been used for *many* years

The new PHP will support TLS1.2, TLS 1.1, TLS 1.0 <- Still stronger than
the older version (required for many sites today)

yeah, but why do i need PHP 7.2 to get such basics right which openssl and every other software on the system supports out-of-the-box for many years?

When the openssl version that comes out to support the IETF final release
of TLS1.3 comes out in a few years, the openssl updates will be easier to
apply to the newest code base.

and that's plain wrong - period

How many older PHP (5.X) systems will upgrade (or even be able to
upgrade) to the newest openssl library?

they could have used TLS1.2 years before PHP 7.2 was even considered without that wrong design of how to handle TLS handshakes

As built right now, none of those would get TLS1.3 out of the box.

because nobody learnt from the past mistakes

If you want the version selection moved completely to openssl, you should
write an RFC for that.

that should have been common sense by doing the changes we are talking about

The current idea (where TLS1.3 is added to the list of defaults once the
software is released) vs an undefined system where it is handled magically
at a lower level doesn't appear to be more secure

surely, openssl's job is to handle encryption and handshakes, PHP provably failed in this area and has no business at all in that context

--
PHP Internals - PHP Runtime Development Mailing List