On 05.12.2017 at 06:52, Walter Parker wrote:
On Mon, Dec 4, 2017 at 6:27 PM, li...@rhsoft.net <li...@rhsoft.net> wrote:
On 05.12.2017 at 01:19, Walter Parker wrote:
Oh, I see, this is not about the actual change (the protocol
version). This is about when using PHP on the client side, it
does not support all/enough of the modern cipher suite list.
Now that we have identified the problem in question, this should
help you when you create your RFC to fix issues with the cipher
suite list.
FYI, the client and server send lists of ciphers that they
support to each other, the server does an AND and picks the
highest cipher on the list. If the client sends only NULL,
then NULL is the only valid cipher. OpenSSL has default list
which includes weak ciphers (such as DES), so using the default
list is bad idea
this is not true at all and that's why you use tools like
https://www.ssllabs.com/ssltest/
and SSLHonorCipherOrder as serveradmin for many years if you care
about TLS at all
also the default openssl cipherlist is not just random
as you can see it prefers the ECDSA AES-GCM followed by the RSA
AES-GCM and after the ECDHE it continues with other GCM ciphers and
the DES/CBC stuff is at a place in the list which never is selected
these days
Your link doesn't say what you think it does
which one?
https://www.ssllabs.com/ssltest/
sorry, but if you don't know what ssllab does and how it is used by
serveradmins to make sure clients using best possible encryption you are
hardly in the position making comments like "OpenSSL has default list
which includes weak ciphers (such as DES), so using the default list is
bad idea" and instead of abusive responses you could have entered the url
of a TLS webserver
Your follow up comments
also appear to have little relevance to the topic at hand.
correct and the reason is that i needed to give you some basic education
how ciphers in the real world are negotiated
Could someone please let me know if Lists ever get back on topic with
responses to the questions and statements made, rather than charging
sideways off the field?
go and provoke someone else when you make clueless statements like
"OpenSSL has default list which includes weak ciphers (such as DES), so
using the default list is bad idea"
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
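
An added illustration, not part of either poster's message and not PHP or OpenSSL code: a simplified Python model of cipher suite selection in TLS 1.2 and earlier, showing what server-side ordering (as enabled by SSLHonorCipherOrder) changes for a client and what it leaves unchanged. The suite lists are constructed samples, not OpenSSL's actual default list, and the function names are hypothetical.

```python
# Simplified model of TLS <= 1.2 cipher suite selection (added example).
# SERVER_LIST and HARDENED_LIST are constructed samples, NOT OpenSSL's defaults.

WEAK_TOKENS = {"NULL", "DES", "RC4", "EXP"}

SERVER_LIST = [
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-AES256-GCM-SHA384",
    "AES256-SHA",
    "DES-CBC3-SHA",          # weak suite kept at the end of the list
]
HARDENED_LIST = SERVER_LIST[:-1]  # same list with the weak suite removed


def negotiate(client_offer, server_list, honor_server_order=True):
    """Return the selected suite, or None when there is no overlap
    (the handshake fails). With honor_server_order the server's ordering
    decides; otherwise the client's ordering decides."""
    if honor_server_order:
        ordered, allowed = server_list, set(client_offer)
    else:
        ordered, allowed = client_offer, set(server_list)
    for suite in ordered:
        if suite in allowed:
            return suite
    return None


def is_weak(suite):
    """Token match on the OpenSSL-style name, e.g. DES-CBC3-SHA -> weak."""
    return any(tok in WEAK_TOKENS for tok in suite.split("-"))


def reachable_weak(server_list):
    """Weak suites that are still selected when a client offers only that
    suite. Ordering cannot prevent this; only removal from the list can."""
    return [s for s in server_list
            if is_weak(s) and negotiate([s], server_list) == s]


if __name__ == "__main__":
    # Constructed client that lists a weak suite first.
    client = ["DES-CBC3-SHA", "AES256-SHA", "ECDHE-RSA-AES256-GCM-SHA384"]
    print("server order :", negotiate(client, SERVER_LIST, True))
    print("client order :", negotiate(client, SERVER_LIST, False))
    print("DES-only     :", negotiate(["DES-CBC3-SHA"], SERVER_LIST))
    print("NULL-only    :", negotiate(["NULL-SHA"], SERVER_LIST))
    print("still weak   :", reachable_weak(SERVER_LIST))
    print("hardened     :", reachable_weak(HARDENED_LIST))
```
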