Re: [PHP-DEV] PHP 7.2.0 Released

2017-12-05 Thread Walter Parker
Deleted without reading... On Tue, Dec 5, 2017 at 9:09 AM, li...@rhsoft.net wrote: > > > On 05.12.2017 at 17:45, Walter Parker wrote: > >> Lists, I give you the same advice. I know and use SSL Labs, I've been a >> subscriber to Ivan's mailing list for years. Older versions of OpenSSL had >> a defa

Re: [PHP-DEV] PHP 7.2.0 Released

2017-12-05 Thread li...@rhsoft.net
On 05.12.2017 at 17:45, Walter Parker wrote: Lists, I give you the same advice. I know and use SSL Labs, I've been a subscriber to Ivan's mailing list for years. Older versions of OpenSSL had a default list of +ALL, -aNULL, -eNULL as the default list of ciphers yes Before DES was removed in

Re: [PHP-DEV] PHP 7.2.0 Released

2017-12-05 Thread Walter Parker
On Tue, Dec 5, 2017 at 12:54 AM, li...@rhsoft.net wrote: > > > On 05.12.2017 at 06:52, Walter Parker wrote: > >> On Mon, Dec 4, 2017 at 6:27 PM, li...@rhsoft.net wrote: >> >> On 05.12.2017 at 01:19, Walter Parker wrote: >> >> Oh

Re: [PHP-DEV] PHP 7.2.0 Released

2017-12-05 Thread li...@rhsoft.net
On 05.12.2017 at 06:52, Walter Parker wrote: On Mon, Dec 4, 2017 at 6:27 PM, li...@rhsoft.net wrote: On 05.12.2017 at 01:19, Walter Parker wrote: Oh, I see, this is not about the actual change (the protocol version). Thi

Re: [PHP-DEV] PHP 7.2.0 Released

2017-12-04 Thread Walter Parker
On Mon, Dec 4, 2017 at 6:27 PM, li...@rhsoft.net wrote: > > > On 05.12.2017 at 01:19, Walter Parker wrote: > >> Oh, I see, this is not about the actual change (the protocol version). This >> is about when using PHP on the client side, it does not support all/enough >> of the modern cipher suite lis

Re: [PHP-DEV] PHP 7.2.0 Released

2017-12-04 Thread li...@rhsoft.net
On 05.12.2017 at 01:19, Walter Parker wrote: Oh, I see, this is not about the actual change (the protocol version). This is about when using PHP on the client side, it does not support all/enough of the modern cipher suite list. Now that we have identified the problem in question, this should

Re: [PHP-DEV] PHP 7.2.0 Released

2017-12-04 Thread Walter Parker
On Mon, Dec 4, 2017 at 2:21 PM, li...@rhsoft.net wrote: > > > On 04.12.2017 at 22:53, Walter Parker wrote: > >> On Mon, Dec 4, 2017 at 1:43 PM, Niklas Keller wrote: >> >>> and to be clear here: a client when connecting to a server configured like below has to respect the cip

Re: [PHP-DEV] PHP 7.2.0 Released

2017-12-04 Thread li...@rhsoft.net
On 04.12.2017 at 22:53, Walter Parker wrote: On Mon, Dec 4, 2017 at 1:43 PM, Niklas Keller wrote: and to be clear here: a client when connecting to a server configured like below has to respect the cipher order of the server while https://www.ssllabs.com/ssltest/ exists for years to give dm

Re: [PHP-DEV] PHP 7.2.0 Released

2017-12-04 Thread Walter Parker
On Mon, Dec 4, 2017 at 1:43 PM, Niklas Keller wrote: > > > > and to be clear here: > > > > a client when connecting to a server configured like below has to respect > > the cipher order of the server while > > https://www.ssllabs.com/ssltest/ exists for years to give administrators > > of the serv

Re: [PHP-DEV] PHP 7.2.0 Released

2017-12-04 Thread Niklas Keller
> > and to be clear here: > > a client when connecting to a server configured like below has to respect > the cipher order of the server while > https://www.ssllabs.com/ssltest/ exists for years to give administrators > of the server some help and which clients are using which cipher > Just minor n

Re: [PHP-DEV] PHP 7.2.0 Released

2017-12-04 Thread Jakub Zelenka
On Mon, Dec 4, 2017 at 5:36 PM, Sara Golemon wrote: > On Fri, Dec 1, 2017 at 6:35 PM, li...@rhsoft.net wrote: > > the main question is why does PHP need to do *anything* here instead hand > > the TLS handshake completely over to openssl? in that case even PHP5 could > > prefer TLS1.2 ciphers agai

Re: [PHP-DEV] PHP 7.2.0 Released

2017-12-04 Thread Sara Golemon
On Mon, Dec 4, 2017 at 1:18 PM, li...@rhsoft.net wrote: > On 04.12.2017 at 18:36, Sara Golemon wrote: >> On Fri, Dec 1, 2017 at 6:35 PM, li...@rhsoft.net wrote: >>> >>> the main question is why does PHP need to do *anything* here instead hand >>> the TLS handshake completely over to openssl? in t

Re: [PHP-DEV] PHP 7.2.0 Released

2017-12-04 Thread li...@rhsoft.net
and to be clear here: a client when connecting to a server configured like below has to respect the cipher order of the server while https://www.ssllabs.com/ssltest/ exists for years to give administrators of the server some help and which clients are using which cipher [harry@srv-rhsoft:~]$ o

Re: [PHP-DEV] PHP 7.2.0 Released

2017-12-04 Thread li...@rhsoft.net
On 04.12.2017 at 18:36, Sara Golemon wrote: On Fri, Dec 1, 2017 at 6:35 PM, li...@rhsoft.net wrote: the main question is why does PHP need to do *anything* here instead hand the TLS handshake completely over to openssl? in that case even PHP5 could prefer TLS1.2 ciphers against a server that

Re: [PHP-DEV] PHP 7.2.0 Released

2017-12-04 Thread Sara Golemon
On Fri, Dec 1, 2017 at 6:35 PM, li...@rhsoft.net wrote: > the main question is why does PHP need to do *anything* here instead hand > the TLS handshake completely over to openssl? in that case even PHP5 could > prefer TLS1.2 ciphers against a server that orders them on top without touch > any line

Re: [PHP-DEV] PHP 7.2.0 Released

2017-12-01 Thread li...@rhsoft.net
On 02.12.2017 at 02:08, Walter Parker wrote: Lists, I fail to see how Sara was wrong and you are right. In the old PHP, it was TLS 1.0 bad enough In the new PHP, it is TLS 1.2, TLS1.1, TLS1.3 you surely meant 1.0 instead 1.3 here When TLS1.3 comes out, old PHP will use only TLS1.0. <-

Re: [PHP-DEV] PHP 7.2.0 Released

2017-12-01 Thread Walter Parker
On Fri, Dec 1, 2017 at 3:35 PM, li...@rhsoft.net wrote: > > > On 01.12.2017 at 22:49, Sara Golemon wrote: > >> On Fri, Dec 1, 2017 at 11:52 AM, li...@rhsoft.net >> wrote: >> >>> yes and since nobody ever should override the defaults in application code >>> for obvious reasons that's the problem,

Re: [PHP-DEV] PHP 7.2.0 Released

2017-12-01 Thread li...@rhsoft.net
On 01.12.2017 at 22:49, Sara Golemon wrote: On Fri, Dec 1, 2017 at 11:52 AM, li...@rhsoft.net wrote: yes and since nobody ever should override the defaults in application code for obvious reasons that's the problem, you shouldn't mangle with openssl defaults in general and let openssl do the

Re: [PHP-DEV] PHP 7.2.0 Released

2017-12-01 Thread Sara Golemon
On Fri, Dec 1, 2017 at 11:52 AM, li...@rhsoft.net wrote: > yes and since nobody ever should override the defaults in application code > for obvious reasons that's the problem, you shouldn't mangle with openssl > defaults in general and let openssl do the handshake which will end in the > server sid

Re: [PHP-DEV] PHP 7.2.0 Released

2017-12-01 Thread li...@rhsoft.net
On 01.12.2017 at 17:44, Niklas Keller wrote: li...@rhsoft.net wrote on Fri, 1 Dec 2017, 17:13: On 30.11.2017 at 17:41, Hannes Magnusson wrote: >> - Improve TLS constants to sane values > > This worries me a lot. La

Re: [PHP-DEV] PHP 7.2.0 Released

2017-12-01 Thread Niklas Keller
li...@rhsoft.net wrote on Fri, 1 Dec 2017, 17:13: > > > On 30.11.2017 at 17:41, Hannes Magnusson wrote: > >> - Improve TLS constants to sane values > > > > This worries me a lot. Last time someone thought it was a good idea they > > introduced security vulnerability for all apps that used th

Re: [PHP-DEV] PHP 7.2.0 Released

2017-12-01 Thread li...@rhsoft.net
On 30.11.2017 at 17:41, Hannes Magnusson wrote: - Improve TLS constants to sane values This worries me a lot. Last time someone thought it was a good idea they introduced security vulnerability for all apps that used them. that PHP now instead of ECDHE-RSA-AES128-SHA uses ECDHE-RSA-AES128

Re: [PHP-DEV] PHP 7.2.0 Released

2017-11-30 Thread Remi Collet
On 30/11/2017 at 17:41, Hannes Magnusson wrote: > Do you have a link to this commit? Simply following the link from the release notes... https://wiki.php.net/rfc/improved-tls-constants Remi

Re: [PHP-DEV] PHP 7.2.0 Released

2017-11-30 Thread Hannes Magnusson
> - Improve TLS constants to sane values This worries me a lot. Last time someone thought it was a good idea they introduced security vulnerability for all apps that used them. Do you have a link to this commit? -Hannes

[PHP-DEV] PHP 7.2.0 Released

2017-11-30 Thread Remi Collet
The PHP development team announces the immediate availability of PHP 7.2.0. This release marks the second feature update to the PHP 7 series. PHP 7.2.0 comes with numerous improvements and new features such as - Convert numeric keys in object/array casts - Counting of non-countable objects - Obje
