On 05.12.2017 at 17:45, Walter Parker wrote:
> Lists, I give you the same advice. I know and use SSL Labs, I've been a
> subscriber to Ivan's mailing list for years. Older versions of OpenSSL
> had a default list of +ALL, -aNULL, -eNULL as the default list of
> ciphers
yes
> Before DES was removed in the new versions of OpenSSL, that
> means the list included things like DES and RC4
doesn't matter because no somewhat recent client would have negotiated
DES/RC4 with a config like below even if the SSLCipherSuite would
contain RC4/DES at the end of the list
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA
> That is why server
> admins always spelled out long lists of ciphers, to guarantee that weak
> ciphers would not appear on older installs. I found this information by
> reading the code bases themselves, where did you find your information?
frankly you are saying exactly the same as I did
the point is that for nearly a decade servers take care of negotiated
ciphers and when tomorrow one of them like AES-CBC with several
vulnerabilities in the past years becomes problematic like you even were
advised to prefer RC4 instead of block ciphers for the time window of a
large amount of unfixed clients you can as server admin mitigate the problem
but only if the client is not PHP which thinks to outsmart client
openssl as well as the server's configuration
this also makes initiatives like
https://fedoraproject.org/wiki/Changes/CryptoPolicy useless and
everything reacts faster than waiting for the next PHP point release!
> I'm done with you. You don't understand and worse you don't want to
> understand but think you understand. You just admitted to that. Please
> stop until you get proper training as someone else on this list might
> make the same mistakes that you are
yes, please stop responding to any of my mails, especially stop offlist
mails
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
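
Added example, not part of the original thread and not OpenSSL or Apache code: a simplified model of TLS 1.2 cipher selection with and without SSLHonorCipherOrder, using the SSLCipherSuite list quoted in the message. The client offers and the RC4/3DES tail are constructed for illustration, and certificate key type and protocol version are ignored.

```python
# Added illustration: a simplified model of TLS <= 1.2 cipher selection.
# Not OpenSSL or Apache code; key type and protocol version are ignored.

# Server list copied from the SSLCipherSuite directive in the message.
SERVER_SUITES = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:"
    "ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA"
).split(":")

# Hypothetical variant: the same list with RC4/3DES appended at the end.
WITH_LEGACY_TAIL = SERVER_SUITES + ["RC4-SHA", "DES-CBC3-SHA"]

# Constructed client offers, in each client's own preference order.
CLIENT_RC4_FIRST = ["RC4-SHA", "DES-CBC3-SHA", "AES128-SHA",
                    "ECDHE-RSA-AES128-GCM-SHA256"]
CLIENT_LEGACY_ONLY = ["RC4-SHA", "DES-CBC3-SHA"]


def negotiate(server, client, honor_order):
    """Return the chosen suite, or None when nothing is shared (handshake fails)."""
    # With SSLHonorCipherOrder On the server's order decides; otherwise the client's.
    preferred, other = (server, client) if honor_order else (client, server)
    offered = set(other)
    for suite in preferred:
        if suite in offered:
            return suite
    return None


if __name__ == "__main__":
    cases = [
        ("legacy tail, honor order on, RC4-first client", WITH_LEGACY_TAIL, CLIENT_RC4_FIRST, True),
        ("legacy tail, honor order off, RC4-first client", WITH_LEGACY_TAIL, CLIENT_RC4_FIRST, False),
        ("legacy tail, honor order on, legacy-only client", WITH_LEGACY_TAIL, CLIENT_LEGACY_ONLY, True),
        ("list as posted, honor order on, legacy-only client", SERVER_SUITES, CLIENT_LEGACY_ONLY, True),
    ]
    for label, server, client, honor in cases:
        print(f"{label}: {negotiate(server, client, honor)}")
```

The third case is where the two positions in the thread differ in practice: a legacy tail is never chosen for a client that offers anything stronger, but it is still what a legacy-only client ends up with.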