On 04.12.2017 at 22:53, Walter Parker wrote:
On Mon, Dec 4, 2017 at 1:43 PM, Niklas Keller <m...@kelunik.com> wrote:
and to be clear here:
a client when connecting to a server configured like below has to respect
the cipher order of the server while
https://www.ssllabs.com/ssltest/ has existed for years to give administrators
of the server some help and which clients are using which cipher
Just minor nitpicking to get the facts right: A client never respects
the used cipher order of the server. A client offers a number of ciphers
and the server chooses one of those, either based on its own order
(preferred) or based on the client-preferred order.
If you know other programs doing it better, research how they do it and
propose a change to PHP please.
accepted, so PHP did only send a subset of the from openssl supported
ciphers to the server not containing the modern ones
That's good news. Given that openssl 1.1.0 only shipped late last year, I
fail to see how this has been a failure in PHP for many years for not
using a recent feature in openssl.
Looking at the sources for ab.c, it appears to do things like PHP. The
protocol level is hard coded to one value (SSL_METHOD *SSLv23_method(void);)
There is a command line override (-Z protocol) that allows the protocol
selection to be changed to TLS1, TLS1.1, TLS1.2, or TLS1+TLS1.1+TLS1.2.
Lists, could you please clarify what PHP should learn from how ab does TLS?
as you can see in the ssllabs tests openssl 1.0.1 shipped years ago was
able to use ECDHE/ECDSA with AES-GCM which is the recommended cipher,
PHP until recently was only able to use "DHE-RSA-AES128-SHA", the first
part is slow and the second part SHA1 is deprecated long ago for TLS
PHP 7.1 even with openssl 1.1.x against MariaDB 10.2: ECDHE-RSA-AES128-SHA
PHP 7.2 on the same environment: ECDHE-RSA-AES128-GCM-SHA256
this was and is technically supported by openssl 1.0.x
"ssl-cipher = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA"
if you restrict mysqld to "ssl-cipher = ECDHE-RSA-AES128-GCM-SHA256"
nothing before PHP 7.2.0 is able to connect at all
at the same time "ab" which is a small 50 KB binary has supported ECDHE and
AES-GCM ciphers for years and is also using openssl - it pretty sure
gives a NULL as cipher to openssl which means openssl sends all its
supported ciphers to the server and the server then prefers the best one
from its ordering during the handshake
finally that means without touching the code around openssl from the
moment on the openssl on the client side and the server supports and
prefers a new cipher it will get used without touching "ab" and my
question is why PHP is here completely different
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
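
The selection rule discussed in this thread (the client offers a list, the server picks by its own order or by the client's), modelled as an added example that is not part of any poster's message and is not code from PHP, ab, MariaDB or OpenSSL. Only the server cipher strings come from the thread; the client offer lists are constructed assumptions.

```python
def parse_cipher_string(value):
    """Split an OpenSSL-style colon-separated cipher string into an ordered list."""
    return [name for name in value.strip().strip('"').split(":") if name]


def negotiate(client_offer, server_ciphers, honor_server_order=True):
    """Return the suite the server selects, or None when no suite is shared
    (the handshake fails and the client cannot connect)."""
    if honor_server_order:
        primary, other = server_ciphers, client_offer
    else:
        primary, other = client_offer, server_ciphers
    allowed = set(other)
    for suite in primary:          # first match in the preferred side's order wins
        if suite in allowed:
            return suite
    return None


def is_aead(suite):
    """True for AEAD suites (GCM / ChaCha20-Poly1305), judged by OpenSSL suite name."""
    return suite is not None and ("GCM" in suite or "CHACHA20" in suite)


# Server lists taken from the ssl-cipher settings quoted in the thread.
SERVER = parse_cipher_string(
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA")
RESTRICTED = parse_cipher_string("ECDHE-RSA-AES128-GCM-SHA256")

# Constructed client offers (assumptions; the thread does not list real offers).
NARROW_CLIENT = ["ECDHE-RSA-AES128-SHA", "DHE-RSA-AES128-SHA"]   # hard-coded subset
FULL_CLIENT = ["DHE-RSA-AES128-SHA", "ECDHE-RSA-AES128-SHA",     # library default,
               "ECDHE-RSA-AES128-SHA256",                        # listed weakest first
               "ECDHE-RSA-AES128-GCM-SHA256"]

if __name__ == "__main__":
    cases = [("narrow client, server order", NARROW_CLIENT, SERVER, True),
             ("narrow client, GCM-only server", NARROW_CLIENT, RESTRICTED, True),
             ("full client, server order", FULL_CLIENT, SERVER, True),
             ("full client, client order", FULL_CLIENT, SERVER, False)]
    for label, offer, server, server_order in cases:
        chosen = negotiate(offer, server, server_order)
        status = "AEAD" if is_aead(chosen) else "no AEAD" if chosen else "handshake fails"
        print(f"{label:32} -> {chosen} ({status})")
```

The last case shows why server-side ordering matters: with client-preferred order, a client that lists a SHA-1 suite first gets that suite even though both sides support AES-GCM.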