Description
Currently, the https://www.php.net website supports the following TLS versions and ciphers:
TLS V1.2
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

TLS V1.1
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

TLS V1.0
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

Reference: https://globalsign.ssllabs.com/analyze.html?d=www.php.net&s=45.112.84.18
Problem
Sadly, the HTTP client in the Zig programming language does not support any of these ciphers,
which is a separate issue, but it would be great to use newer ciphers and/or newer TLS versions
on the php.net website. I could not find a repository with Apache config files or similar,
but this change should be a relatively simple config change.
Proposed change
- add the cipher suites and TLS versions which are supported in the "intermediate" setting of the Mozilla Apache config generator to the current config
- this will allow newer clients to connect while still supporting older cipher suites and TLS versions
Optional change
- use preset "intermediate", replacing the current TLS and cipher suite configuration
- this will reduce support for older cipher suites and disable TLS v1.0 and v1.1
Expected Benefit
- by supporting modern cipher suites, clients with a reduced set of cipher suites can still connect to the website
- by shutting down older cipher suites and disabling older TLS versions, the connections made will be more secure
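
The effect of the proposed and optional changes on different clients can be checked with a simplified model of TLS version and suite selection. This is an added example, not part of the original issue or of any php.net configuration: the TLS 1.3 suite names, the `PROPOSED` and `OPTIONAL` server sets and both client profiles are assumptions constructed for illustration, and they are not the Mozilla generator's literal output.

```python
# Simplified TLS negotiation model: highest shared version, then server-preferred suite.
ORDER = ["TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1.0"]  # highest first
E = "TLS_ECDHE_ECDSA_WITH_AES_"
CBC_SHA = [E + "128_CBC_SHA", E + "256_CBC_SHA"]
# Scan results as listed in the issue.
CURRENT = {
    "TLSv1.2": [E + "128_GCM_SHA256", E + "256_GCM_SHA384", E + "128_CBC_SHA256",
                E + "128_CBC_SHA", E + "256_CBC_SHA384", E + "256_CBC_SHA"],
    "TLSv1.1": CBC_SHA,
    "TLSv1.0": CBC_SHA,
}
# Assumption: three of the TLS 1.3 suites from RFC 8446 stand in for the "newer" suites.
TLS13 = ["TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256"]
PROPOSED = {"TLSv1.3": TLS13, **CURRENT}  # "Proposed change": add new, keep old
OPTIONAL = {"TLSv1.3": TLS13,             # "Optional change": drop TLS 1.0/1.1 and CBC
            "TLSv1.2": [s for s in CURRENT["TLSv1.2"] if "_GCM_" in s]}

def is_aead(suite):
    """AEAD suites carry GCM, CCM or ChaCha20-Poly1305 in their IANA name."""
    return any(tag in suite for tag in ("_GCM_", "_CCM", "CHACHA20_POLY1305"))

def negotiate(server, client_versions, client_suites):
    """Return (version, suite), or None when the handshake would fail."""
    shared = [v for v in ORDER if v in server and v in client_versions]
    if not shared:
        return None                      # no common protocol version
    version = shared[0]
    for suite in server[version]:        # server preference order
        if suite in client_suites:
            return version, suite
    return None                          # no common cipher suite

def audit(server):
    """List deprecated protocol versions (RFC 8996) and non-AEAD suites."""
    findings = []
    for version, suites in server.items():
        if version in ("TLSv1.0", "TLSv1.1"):
            findings.append(f"{version}: deprecated protocol enabled")
        findings += [f"{version}: non-AEAD suite {s}" for s in suites if not is_aead(s)]
    return findings

# Constructed client profiles (hypothetical, for illustration only).
MODERN = ({"TLSv1.3"}, set(TLS13))       # a client that offers TLS 1.3 only
LEGACY = ({"TLSv1.0"}, set(CBC_SHA))     # a client limited to TLS 1.0 with CBC

if __name__ == "__main__":
    for name, server in (("current", CURRENT), ("proposed", PROPOSED), ("optional", OPTIONAL)):
        print(name, negotiate(server, *MODERN), negotiate(server, *LEGACY), len(audit(server)))
```
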