Deleted without reading...

On Tue, Dec 5, 2017 at 9:09 AM, li...@rhsoft.net <li...@rhsoft.net> wrote:

> On 05.12.2017 at 17:45, Walter Parker wrote:
>
>> Lists, I give you the same advice. I know and use SSL Labs, I've been a
>> subscriber to Ivan's mailing list for years. Older versions of OpenSSL had
>> a default list of +ALL, -aNULL, -eNULL as the default list of ciphers
>
> yes
>
>> Before DES was removed in the new versions of OpenSSL, that means the list
>> included things like DES and RC4
>
> doesn't matter, because no somehow recent client would have negotiated
> DES/RC4 with a config like below even if the SSLCipherSuite would contain
> RC4/DES at the end of the list
>
> SSLHonorCipherOrder On
> SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA
>
>> That is why server admins always spelled out long lists of ciphers, to
>> guarantee that weak ciphers would not appear on older installs. I found
>> this information by reading the code bases themselves, where did you find
>> your information?
>
> frankly you are saying exactly the same as i did
>
> the point is that for nearly a decade servers take care of negotiated
> ciphers and when tomorrow one of them like AES-CBC with several
> vulnerabilities in the past years becomes problematic, like you even were
> advised to prefer RC4 instead of block ciphers for the time window of a large
> amount of unfixed clients, you can as server admin mitigate the problem
>
> but only if the client is not PHP which thinks to outsmart client openssl
> as well as the server's configuration
>
> this also makes initiatives like
> https://fedoraproject.org/wiki/Changes/CryptoPolicy useless and everything
> reacts faster than waiting for the next PHP point release!
>
>> I'm done with you. You don't understand and worse you don't want to
>> understand but think you understand. You just admitted to that. Please stop
>> until you get proper training as someone else on this list might make the
>> same mistakes that you are
>
> yes, please stop responding to any of my mails, especially stop offlist
> mails
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php

--
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.
-- Justice Louis D. Brandeis
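
Added example, not part of the original thread or of any project's code: a simplified model of the cipher selection the quoted SSLHonorCipherOrder discussion is about, showing which suite is picked under server-preference versus client-preference ordering. The server list is an abbreviated copy of the quoted SSLCipherSuite with RC4-SHA and DES-CBC3-SHA appended, and both client lists are constructed for illustration.

```python
# Simplified model of TLS cipher-suite selection (added example, not real
# handshake code). Suite names use OpenSSL naming.

# Abbreviated from the quoted SSLCipherSuite; the two legacy suites at the
# end are appended here (assumption) to model an old "+ALL"-style default.
SERVER_SPEC = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:"
    "AES128-GCM-SHA256:AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA"
)

# Constructed client offers, listed in the client's own preference order.
CLIENT_PREFERS_RC4 = ["RC4-SHA", "AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256"]
CLIENT_LEGACY_ONLY = ["RC4-SHA"]


def parse_suites(spec):
    """Split a colon-separated OpenSSL-style list, preserving order."""
    return [s.strip() for s in spec.split(":") if s.strip()]


def negotiate(server, client, honor_server_order=True):
    """Return the first mutually supported suite, or None if no overlap.

    honor_server_order=True models SSLHonorCipherOrder On: the server's
    ordering decides. False models the client's ordering deciding.
    """
    ordered, other = (server, client) if honor_server_order else (client, server)
    allowed = set(other)
    for suite in ordered:
        if suite in allowed:
            return suite
    return None


def drop_legacy(server):
    """Remove RC4 and DES/3DES suites, as an admin pruning the list would."""
    return [s for s in server if "RC4" not in s and "DES" not in s]


SERVER = parse_suites(SERVER_SPEC)

if __name__ == "__main__":
    print("server order :", negotiate(SERVER, CLIENT_PREFERS_RC4, True))
    print("client order :", negotiate(SERVER, CLIENT_PREFERS_RC4, False))
    print("legacy client:", negotiate(SERVER, CLIENT_LEGACY_ONLY, True))
    print("after pruning:", negotiate(drop_legacy(SERVER), CLIENT_LEGACY_ONLY, True))
```

A weak suite at the end of the list is only reached when nothing stronger overlaps, so removing it from the server list is what actually prevents it from being negotiated with a client that offers nothing else.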