2017-05-29 10:18 GMT+02:00 [email protected] <[email protected]>:
>
>
> On 29.05.2017 at 09:48, Niklas Keller wrote:
>
>> Morning,
>>
>> I hereby open the vote on the "Improved SSL / TLS constants" RFC.
>>
>> This RFC proposes to change PHP's TLS constants to sane values. This change
>> has been avoided by the previous RFC for PHP 5.6 due to BC reasons. This
>> RFC favors better security instead of backwards compatibility with version
>> intolerant and out of date servers.
>>
>> You can find the full RFC here:
>> https://wiki.php.net/rfc/improved-tls-constants
>>
>
> Make tls:// default to TLSv1.0 + TLSv1.1 + TLSv1.2
>
> this is nice for a limited timeframe but the wrong approach to begin with
> - it is *not* the business of PHP at all until *explicitly* requested from
> the userland code to interfere with *anything* in context of the TLS
> handshake
>
> it's the job of the underlying openssl library, how it is built and
> shipped by the distribution because then you support implicit TLS1.3 and a
> future TLS1.4, don't weaken things like
> https://fedoraproject.org/wiki/Changes/CryptoPolicy and respect sanely
> configured servers which are regularly checked with
> https://www.ssllabs.com/ssltest/
Unfortunately, the underlying OpenSSL library fails to provide sane defaults. There are plans to switch to another mechanism supporting a `min_version` and `max_version` instead, but this is not a thing yet.

Regards, Niklas
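The thread argues over what `tls://` should negotiate when userland says nothing. The way userland says something today, independent of that default, is the `crypto_method` bitmask in the `ssl` stream context. The snippet below is an added example, not code from the RFC or from either poster; it assumes PHP 5.6 or later built against OpenSSL, uses the real `STREAM_CRYPTO_METHOD_*` constants, and the host name `example.com` is a placeholder.

```php
<?php
// Added example: pin the TLS versions a tls:// client may negotiate
// explicitly, instead of relying on the default the RFC proposes to change.
// Assumes PHP >= 5.6 with the OpenSSL extension.

// Versions this client is willing to speak. TLS 1.0 and 1.1 are listed only
// to mirror the "TLSv1.0 + TLSv1.1 + TLSv1.2" default discussed in the
// thread; a client that only talks to current servers should keep TLS 1.2
// (and newer) alone.
$allowedVersions = STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT
                 | STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT
                 | STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT;

$host = 'example.com'; // placeholder, not a host from the thread

$context = stream_context_create([
    'ssl' => [
        'crypto_method'    => $allowedVersions, // explicit request from userland
        'verify_peer'      => true,             // reject untrusted certificates
        'verify_peer_name' => true,             // and certificate/host mismatches
        'peer_name'        => $host,
    ],
]);

$errno  = 0;
$errstr = '';
$stream = @stream_socket_client(
    "tls://$host:443",
    $errno,
    $errstr,
    10,
    STREAM_CLIENT_CONNECT,
    $context
);

if ($stream === false) {
    // A server outside the allowed version set, or a failed certificate
    // check, surfaces here rather than as a silently downgraded session.
    fwrite(STDERR, "TLS connect to $host failed: $errstr ($errno)\n");
    exit(1);
}

// Confirm what was actually negotiated; the 'crypto' metadata block is
// populated for encrypted streams since PHP 5.6.
$meta = stream_get_meta_data($stream);
if (isset($meta['crypto']['protocol'])) {
    echo "negotiated: {$meta['crypto']['protocol']}\n";
} else {
    echo "negotiated protocol not reported by this PHP build\n";
}

fclose($stream);
```

Running this against a server that only offers a version outside `$allowedVersions` fails the handshake instead of falling back, which is the behaviour the thread wants to see decided deliberately, whether by PHP's defaults, by the distribution's OpenSSL policy, or by the application itself.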
