and to be clear here:
a client when connecting to a server configured like below has to
respect the cipher order of the server while
https://www.ssllabs.com/ssltest/ exists for years to give administrators
of the server some help and which clients are using which cipher
[harry@srv-rhsoft:~]$ openssl s_client -connect localhost:443 -servername localhost
.............
New, TLSv1.2, Cipher is ECDHE-ECDSA-AES128-GCM-SHA256
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-ECDSA-AES128-GCM-SHA256
________________________________________
Handshake Simulation for servers with ECDSA/RSA dual stack:
OpenSSL 1.0.1l R EC 256 (SHA256) TLS 1.2
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ECDH secp256r1 FS
OpenSSL 1.0.2e R EC 256 (SHA256) TLS 1.2
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ECDH secp256r1 FS
________________________________________
in case the server has only a RSA certificate:
OpenSSL 1.0.1l R RSA 2048 (SHA256) TLS 1.2
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH secp256r1 FS
OpenSSL 1.0.2e R RSA 2048 (SHA256) TLS 1.2
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH secp256r1 FS
________________________________________
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA
On 04.12.2017 at 19:18, li...@rhsoft.net wrote:
On 04.12.2017 at 18:36, Sara Golemon wrote:
On Fri, Dec 1, 2017 at 6:35 PM, li...@rhsoft.net <li...@rhsoft.net> wrote:
the main question is why does PHP need to do *anything* here instead hand
the TLS handshake completely over to openssl? in that case even PHP5 could
prefer TLS1.2 ciphers against a server that orders them on top without touch
any line of PHP's code
Because the SSL API in OpenSSL that PHP uses doesn't let you say:
"Just give me the best method you can"
There may be another SSL API that does, but that's more than just "set
the value to any and be done with it"
and how does other software like the apache benchmark tool "ab" do this for
as long as i can think which is also linked against openssl?
[harry@srv-rhsoft:~]$ ab -c 1 -n 1 https://localhost/
This is ApacheBench, Version 2.3 <$Revision: 1807734 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/
Benchmarking localhost (be patient).....done
Server Software:
Server Hostname: localhost
Server Port: 443
SSL/TLS Protocol: TLSv1.2,ECDHE-ECDSA-AES128-GCM-SHA256,256,128
TLS Server Name: localhost
______________________
[harry@srv-rhsoft:~]$ ldd /usr/bin/ab
linux-vdso.so.1 (0x00007ffd015cc000)
libssl.so.1.1 => /lib64/libssl.so.1.1 (0x00007fb83e962000)
libcrypto.so.1.1 => /lib64/libcrypto.so.1.1 (0x00007fb83e4d7000)
libaprutil-1.so.0 => /lib64/libaprutil-1.so.0 (0x00007fb83ed96000)
libapr-1.so.0 => /lib64/libapr-1.so.0 (0x00007fb83ed5a000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fb83e2b8000)
libm.so.6 => /lib64/libm.so.6 (0x00007fb83dfa2000)
libc.so.6 => /lib64/libc.so.6 (0x00007fb83dbcd000)
libz.so.1 => /lib64/libz.so.1 (0x00007fb83d9b6000)
libdl.so.2 => /lib64/libdl.so.2 (0x00007fb83d7b2000)
libuuid.so.1 => /lib64/libuuid.so.1 (0x00007fb83d5ad000)
libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007fb83d377000)
libexpat.so.1 => /lib64/libexpat.so.1 (0x00007fb83d144000)
/lib64/ld-linux-x86-64.so.2 (0x00007fb83ebce000)
libgomp.so.1 => /lib64/libgomp.so.1 (0x00007fb83cf15000)
libfreebl3.so => /lib64/libfreebl3.so (0x00007fb83cd12000)
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
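
An added illustration, not part of the mailing-list messages: a simplified model of how a server with SSLHonorCipherOrder On selects a suite from the SSLCipherSuite list quoted above, given the client's offer and the certificate types the server holds. The client offer is constructed, the function names are hypothetical, and the model ignores protocol version, curves and signature algorithms.

```python
# Simplified model of server-side cipher selection; not OpenSSL's or PHP's code.
# Assumption: protocol version, curves and signature algorithms are ignored.

# Server list copied from the SSLCipherSuite directive quoted in the thread.
SERVER_ORDER = """
ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA384 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA
ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-SHA256 DHE-RSA-AES256-SHA256
DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA AES128-GCM-SHA256
AES256-GCM-SHA384 AES128-SHA AES256-SHA
""".split()

# Constructed client offer: this client lists a CBC/SHA1 suite first.
CLIENT_OFFER = [
    "ECDHE-RSA-AES256-SHA",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "AES128-SHA",
]

def auth_type(suite):
    """Certificate type a suite needs, for the OpenSSL names in this list."""
    return "ECDSA" if "-ECDSA-" in suite else "RSA"

def negotiate(client_offer, server_order, server_certs, honor_server_order=True):
    """Return the suite the server would select, or None if nothing matches.

    honor_server_order=True models SSLHonorCipherOrder On (OpenSSL's
    SSL_OP_CIPHER_SERVER_PREFERENCE): walk the server's list and take the
    first entry the client also offered. Otherwise the client's order decides.
    """
    if honor_server_order:
        walk, other = server_order, set(client_offer)
    else:
        walk, other = client_offer, set(server_order)
    for suite in walk:
        if suite in other and auth_type(suite) in server_certs:
            return suite
    return None  # no shared suite: the handshake fails

if __name__ == "__main__":
    print("dual stack  :", negotiate(CLIENT_OFFER, SERVER_ORDER, {"ECDSA", "RSA"}))
    print("RSA only    :", negotiate(CLIENT_OFFER, SERVER_ORDER, {"RSA"}))
    print("client order:", negotiate(CLIENT_OFFER, SERVER_ORDER, {"ECDSA", "RSA"}, False))
```

With the server's order honoured, the model returns the same suites as the dual-stack and RSA-only results shown in the message; with the client's order deciding, the same offer ends up on a CBC/SHA1 suite.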