Re: Improved TLS Defaults

From: Date: Sun, 02 Feb 2014 17:37:54 +0000
Subject: Re: Improved TLS Defaults
Groups: php.internals
On Sat, Feb 1, 2014 at 7:27 PM, Pádraic Brady wrote:

> it's clear that choosing a cipher suite is not an easy task.

I agree that choosing exactly the right cipher order is a difficult (and
not entirely objective) decision. Much like maintaining our own CA certs, I
think it's probably best to delegate such decisions to people who sit
around and think about them all day. I would prefer to re-use the current
Mozilla recommendation with the addition that RC4 suites are disabled and
will make this change to the RFC.

> it removes all ciphers below 128

This is a pretty standard demarcation line these days. I don't personally
have an issue with using 128-bit cipher key-lengths as the cut-off line.
Also, remember that users always have the option to specify their own
explicit cipher list should the need arise. I think that if 128-bit cipher
use is ubiquitous enough for mainstream browsers (where users would be
upset if they couldn't connect to their favorite sites) then it should be
fine as a (configurable) default PHP setting.

Cheers,

Daniel
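As an added illustration of the policy discussed in this message (not code from the thread or from PHP), the following Python sketch audits an OpenSSL cipher-list string against the two rules mentioned: no RC4 suites and no cipher key length below 128 bits. The candidate string, the sample suite list and the function names are assumptions made for the example; the string is not the Mozilla recommendation or the RFC's list.

```python
import ssl

MIN_KEY_BITS = 128  # cut-off line discussed in the message above


def policy_violations(suites, min_bits=MIN_KEY_BITS):
    """Return (suite name, reason) pairs for suites that break the policy.

    `suites` uses the dict shape of ssl.SSLContext.get_ciphers();
    only the "name" and "alg_bits" (cipher key length) keys are read.
    """
    bad = []
    for suite in suites:
        name, bits = suite["name"], suite["alg_bits"]
        if "RC4" in name.upper():
            bad.append((name, "RC4"))
        elif bits < min_bits:
            bad.append((name, f"{bits}-bit key"))
    return bad


def enabled_suites(cipher_string):
    """Ask the local OpenSSL build which suites a cipher string enables."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()


# Constructed sample (not real scan output) showing what the audit flags.
SAMPLE = [
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "alg_bits": 128},
    {"name": "RC4-SHA", "alg_bits": 128},
    {"name": "DES-CBC-SHA", "alg_bits": 56},
]

# Hypothetical explicit cipher list a user might configure.
CANDIDATE = "ECDHE+AESGCM:DHE+AESGCM:!aNULL:!eNULL:!RC4"

if __name__ == "__main__":
    for name, reason in policy_violations(SAMPLE):
        print(f"sample:    {name} rejected ({reason})")
    live = enabled_suites(CANDIDATE)
    print(f"candidate: {len(live)} suites enabled,",
          f"{len(policy_violations(live))} violations")
```

The live check reflects whatever the local OpenSSL build supports, so the number of enabled suites varies between systems.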

