website TLS 1.3 and more TLS 1.2 cipher suites #1194

Open
@MoritzLoewenstein

Description

Currently, the https://www.php.net website supports the following TLS versions and ciphers:

TLS V1.2

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

TLS V1.1

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

TLS V1.0

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

Reference: https://globalsign.ssllabs.com/analyze.html?d=www.php.net&s=45.112.84.18

Problem

Sadly, the HTTP client in the Zig programming language does not support any of these ciphers,
which is a separate issue, but it would be great to use newer ciphers and/or newer TLS versions
on the php.net website. I could not find a repository with Apache config files or similar,
but this change should be a relatively simple config change.

Proposed change

  • add the cipher suites and TLS versions which are supported in the "intermediate" setting of the Mozilla Apache config generator to the current config
  • this will allow newer clients to connect while still supporting older cipher suites and TLS versions

Optional change

  • use preset "intermediate", replacing the current TLS and cipher suite configuration
  • this will reduce support for older cipher suites and disable TLS v1.0 and v1.1

Expected Benefit

  • by supporting modern cipher suites, clients with a reduced set of cipher suites can still connect to the website
  • by shutting down older cipher suites and disabling older TLS versions, the connections made will be more secure
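
Added example, not part of the original issue: a small offline check that takes the server offer listed above, reports what a reviewer would flag in it, and computes which suites a given client could negotiate. The three client profiles are constructed for illustration and are not taken from any real client, Zig's included.

```python
# Server offer exactly as listed in the issue (SSL Labs scan of www.php.net).
P = "TLS_ECDHE_ECDSA_WITH_"
LEGACY = [P + "AES_128_CBC_SHA", P + "AES_256_CBC_SHA"]
SERVER = {
    "TLSv1.2": [P + "AES_128_GCM_SHA256", P + "AES_256_GCM_SHA384",
                P + "AES_128_CBC_SHA256", P + "AES_128_CBC_SHA",
                P + "AES_256_CBC_SHA384", P + "AES_256_CBC_SHA"],
    "TLSv1.1": LEGACY,
    "TLSv1.0": LEGACY,
}

# Constructed client profiles (assumptions for illustration, not any real client).
CLIENTS = {
    "tls13_only": {"TLSv1.3": ["TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
                               "TLS_CHACHA20_POLY1305_SHA256"]},
    "tls12_rsa_only": {"TLSv1.2": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                                   "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"]},
    "tls12_ecdsa_gcm": {"TLSv1.2": [P + "AES_128_GCM_SHA256"]},
}
VERSIONS = ["TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1.0"]  # newest first


def common(server, client):
    """(version, suite) pairs both sides share; empty means handshake failure."""
    return [(v, s) for v in VERSIONS
            for s in client.get(v, []) if s in server.get(v, [])]


def audit(server):
    """Observations a reviewer would raise against the server's offer."""
    findings = []
    if not server.get("TLSv1.3"):
        findings.append("TLS 1.3 not offered")
    for v in ("TLSv1.1", "TLSv1.0"):
        if server.get(v):
            findings.append(f"{v} enabled (deprecated by RFC 8996)")
    suites = {s for offered in server.values() for s in offered}
    cbc = sorted(s for s in suites if "_CBC_" in s)
    if cbc:
        findings.append(f"{len(cbc)} CBC-mode suites offered")
    if all("_ECDSA_" in s for s in suites):
        findings.append("ECDSA-only authentication")
    return findings


if __name__ == "__main__":
    for name, offer in CLIENTS.items():
        print(name, "->", common(SERVER, offer) or "no shared suite")
    print(audit(SERVER))
```

A client with an empty result from `common` cannot complete a handshake with the listed configuration, which is the situation the issue describes.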
