Giters

composer / getcomposer.org

getcomposer.org sources

Home Page:http://getcomposer.org

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

web/installer: Use modern TLS

jrchamp opened this issue · comments

commented

The allowed cipher list would benefit from some updates:

getcomposer.org/web/installer

Lines 1367 to 1409 in 4aac8c7

$ciphers = implode(':', array(
'ECDHE-RSA-AES128-GCM-SHA256',
'ECDHE-ECDSA-AES128-GCM-SHA256',
'ECDHE-RSA-AES256-GCM-SHA384',
'ECDHE-ECDSA-AES256-GCM-SHA384',
'DHE-RSA-AES128-GCM-SHA256',
'DHE-DSS-AES128-GCM-SHA256',
'kEDH+AESGCM',
'ECDHE-RSA-AES128-SHA256',
'ECDHE-ECDSA-AES128-SHA256',
'ECDHE-RSA-AES128-SHA',
'ECDHE-ECDSA-AES128-SHA',
'ECDHE-RSA-AES256-SHA384',
'ECDHE-ECDSA-AES256-SHA384',
'ECDHE-RSA-AES256-SHA',
'ECDHE-ECDSA-AES256-SHA',
'DHE-RSA-AES128-SHA256',
'DHE-RSA-AES128-SHA',
'DHE-DSS-AES128-SHA256',
'DHE-RSA-AES256-SHA256',
'DHE-DSS-AES256-SHA',
'DHE-RSA-AES256-SHA',
'AES128-GCM-SHA256',
'AES256-GCM-SHA384',
'AES128-SHA256',
'AES256-SHA256',
'AES128-SHA',
'AES256-SHA',
'AES',
'CAMELLIA',
'DES-CBC3-SHA',
'!aNULL',
'!eNULL',
'!EXPORT',
'!DES',
'!RC4',
'!MD5',
'!PSK',
'!aECDH',
'!EDH-DSS-DES-CBC3-SHA',
'!EDH-RSA-DES-CBC3-SHA',
'!KRB5-DES-CBC3-SHA',
));

Mozilla has a very good reference for this: https://wiki.mozilla.org/Security/Server_Side_TLS

If you come to do make changes, please also address the duplicate list in https://github.com/composer/composer/blob/346356a4dd62967f1b4df6a91a562a1cb9078cfc/src/Composer/Util/StreamContextFactory.php#L136

commented

Yeah IMO this isn't super critical as the installer only talks to getcomposer.org which is reasonably configured AFAIK, and prefers server ciphers.

On the Composer side, Composer 2 prefers curl anyway so it's not so relevant there either, but sure would be good to clean up the list a little, it is old for sure.