On Mon, Dec 4, 2017 at 1:43 PM, Niklas Keller <m...@kelunik.com> wrote:
> >
> > and to be clear here:
> >
> > a client when connecting to a server configured like below has to respect
> > the cipher order of the server while
> > https://www.ssllabs.com/ssltest/ exists for years to give administrators
> > of the server some help and which clients are using which cipher
> >
>
> Just minor nitpicking to get the facts right: A client never respects
> the used cipher order of the server. A client offers a number of ciphers
> and the server chooses one of those, either based on its own order
> (preferred) or based on the client-preferred order.
>
> If you know other programs doing it better, research how they do it and
> propose a change to PHP please.
>
> Regards, Niklas
>

That's good news. Given that openssl 1.1.0 only shipped late last year, I
fail to see how this has been a failure in PHP for many years for not using
a recent feature in openssl.

Looking at the sources for ab.c, it appears to do things like PHP. The
protocol level is hard coded to one value (SSL_METHOD *SSLv23_method(void);).
There is a command line override (-Z protocol) that allows the protocol
selection to be changed to TLS1, TLS1.1, TLS1.2, or TLS1+TLS1.1+TLS1.2.

Lists, could you please clarify what PHP should learn from how ab does TLS?

Walter

--
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding. -- Justice Louis D. Brandeis
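
The cipher selection described in the quoted reply above, as an added example that is not part of the original thread and is not PHP or OpenSSL code. It is a small model of the server's choice under both policies; the suite lists are constructed sample data, and `select_cipher` and `NoSharedCipher` are hypothetical names.

```python
# Added illustration: a model of TLS cipher suite selection, not OpenSSL code.

class NoSharedCipher(Exception):
    """Raised when the client's offer and the server's list do not overlap."""


def select_cipher(client_offer, server_ciphers, server_preference=True):
    """Return the suite the server picks from what the client offered.

    server_preference=True models OpenSSL's SSL_OP_CIPHER_SERVER_PREFERENCE:
    walk the server's list and take the first suite the client offered.
    Otherwise walk the client's list and take the first suite the server allows.
    Either way the server makes the choice; the client only offers.
    """
    if server_preference:
        ordered, allowed = server_ciphers, set(client_offer)
    else:
        ordered, allowed = client_offer, set(server_ciphers)
    for suite in ordered:
        if suite in allowed:
            return suite
    # No overlap: a real handshake ends with a handshake_failure alert here.
    raise NoSharedCipher("no cipher suite in common")


# Constructed sample lists, each in its owner's preference order.
# The client lists a non-forward-secret suite first.
CLIENT_OFFER = [
    "AES128-SHA",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
]
SERVER_CIPHERS = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES128-SHA",
]

if __name__ == "__main__":
    # Server order picks the server's strongest shared suite.
    print("server order:", select_cipher(CLIENT_OFFER, SERVER_CIPHERS, True))
    # Client order lets the client's first choice win, even if it is weaker.
    print("client order:", select_cipher(CLIENT_OFFER, SERVER_CIPHERS, False))
```

With client order in effect, the only way for the server operator to keep the weaker suite from being chosen is to remove it from the server's list.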