On Tue, Dec 5, 2017 at 12:54 AM, li...@rhsoft.net <li...@rhsoft.net> wrote:

>
>
> On 05.12.2017 at 06:52, Walter Parker wrote:
>
>> On Mon, Dec 4, 2017 at 6:27 PM, li...@rhsoft.net <li...@rhsoft.net> wrote:
>>
>>     On 05.12.2017 at 01:19, Walter Parker wrote:
>>
>>         Oh, I see, this is not about the actual change (the protocol
>>         version). This is about when using PHP on the client side, it
>>         does not support all/enough of the modern cipher suite list.
>>
>>         Now that we have identified the problem in question, this should
>>         help you when you create your RFC to fix issues with the cipher
>>         suite list.
>>
>>         FYI, the client and server send lists of ciphers that they
>>         support to each other, the server does an AND and picks the
>>         highest cipher on the list. If the client sends only NULL,
>>         then NULL is the only valid cipher. OpenSSL has a default list
>>         which includes weak ciphers (such as DES), so using the default
>>         list is a bad idea
>>
>>     this is not true at all and that's why you use tools like
>>     https://www.ssllabs.com/ssltest/ and SSLHonorCipherOrder as
>>     serveradmin for many years if you care about TLS at all
>>
>>     also the default openssl cipherlist is not just random
>>
>>     as you can see it prefers the ECDSA AES-GCM followed by the RSA
>>     AES-GCM and after the ECDHE it continues with other GCM ciphers and
>>     the DES/CBC stuff is at a place in the list which never is selected
>>     these days
>>
>> Your link doesn't say what you think it does
>>
>
> which one?
> https://www.ssllabs.com/ssltest/
>
> sorry, but if you don't know what ssllab does and how it is used by
> serveradmins to make sure clients using best possible encryption you are
> hardly in the position making comments like "OpenSSL has default list which
> includes weak ciphers (such as DES), so using the default list is bad idea"
> and instead of abusive responses you could have entered the url of a TLS
> webserver
>
>> Your follow up comments also appear to have little relevance to the topic
>> at hand.
>>
>
> correct and the reason is that i needed to give you some basic education
> how ciphers in the real world are negotiated
>
>> Could someone please let me know if Lists ever get back on topic with
>> responses to the questions and statements made, rather than charging
>> sideways off the field?
>>
> go and provoke someone else when you make clueless statements like
> "OpenSSL has default list which includes weak ciphers (such as DES), so
> using the default list is bad idea"
>
>
Lists, I give you the same advice. I know and use SSL Labs, I have been a
subscriber to Ivan's mailing list for years. Older versions of OpenSSL had
a default list of +ALL, -aNULL, -eNULL as the default list of ciphers.
Before DES was removed in the new versions of OpenSSL, that means the list
included things like DES and RC4. That is why server admins always spelled
out long lists of ciphers, to guarantee that weak ciphers would not appear
on older installs. I found this information by reading the code bases
themselves, where did you find your information?

I'm done with you. You don't understand and worse you don't want to
understand but think you understand. You just admitted to that. Please stop
until you get proper training as someone else on this list might make the
same mistakes that you are.



-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
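
The negotiation argued about in this thread, as an added example that is not part of any message above and is not OpenSSL or PHP code: a simplified model of TLS 1.2-style suite selection showing what a permissive server list, server-side ordering (the effect of SSLHonorCipherOrder) and an explicit list each yield for three sample clients. The suite lists, the client profiles and the weak-token policy are constructed assumptions.

```python
# Simplified model of TLS <= 1.2 suite selection; not OpenSSL's implementation.
# All lists are constructed samples that use OpenSSL-style suite names.
WEAK_TOKENS = {"NULL", "RC4", "DES", "EXP", "MD5"}  # assumed policy for this demo

def is_weak(suite):
    """True if any dash-separated token of the suite name is on the weak list."""
    return any(tok in WEAK_TOKENS for tok in suite.upper().split("-"))

def negotiate(client, server, honor_server_order):
    """Return the first mutually supported suite, ranked by the side whose order wins."""
    ranking, other = (server, client) if honor_server_order else (client, server)
    for suite in ranking:
        if suite in other:
            return suite
    return None  # no common suite: the handshake fails

# Old-style permissive server list (strong first, weak suites still present).
PERMISSIVE = ["ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
              "AES128-SHA", "DES-CBC3-SHA", "RC4-SHA"]
# Explicit list an admin spells out to keep weak suites off entirely.
EXPLICIT = [s for s in PERMISSIVE if not is_weak(s)]

CLIENTS = {
    "modern": ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA"],
    "bad_order": ["RC4-SHA", "ECDHE-RSA-AES128-GCM-SHA256"],
    "legacy_only": ["RC4-SHA", "DES-CBC3-SHA"],
}

def audit(server, honor_server_order):
    """Map each sample client to (selected suite, is it weak?)."""
    out = {}
    for name, offered in CLIENTS.items():
        chosen = negotiate(offered, server, honor_server_order)
        out[name] = (chosen, bool(chosen) and is_weak(chosen))
    return out

if __name__ == "__main__":
    for label, server, honor in [("permissive, client order", PERMISSIVE, False),
                                 ("permissive, server order", PERMISSIVE, True),
                                 ("explicit, server order", EXPLICIT, True)]:
        print(label, audit(server, honor))
```

In this model, server-side ordering fixes the client that merely prefers a weak suite, but only the explicit list stops a weak suite from being selected for a client that offers nothing else.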
