web/installer: Use modern TLS
jrchamp opened this issue · comments
The allowed cipher list would benefit from some updates:
Lines 1367 to 1409 in 4aac8c7
Mozilla has a very good reference for this: https://wiki.mozilla.org/Security/Server_Side_TLS
If you come to do make changes, please also address the duplicate list in https://github.com/composer/composer/blob/346356a4dd62967f1b4df6a91a562a1cb9078cfc/src/Composer/Util/StreamContextFactory.php#L136
Yeah IMO this isn't super critical as the installer only talks to getcomposer.org which is reasonably configured AFAIK, and prefers server ciphers.
On the Composer side, Composer 2 prefers curl anyway so it's not so relevant there either, but sure would be good to clean up the list a little, it is old for sure.