Comment 11 for bug 1446633

bharper (bharper) wrote :

Hey Ralf,

Thanks for the clarification.

I got looking at the differences in the Fedora spec file and ours. For the most part they are very similar, as we use theirs as a starting point. They use a new compile option, '--with-system-ciphers'. Here is the change log entry:

* Fri Oct 03 2014 Remi Collet <email address hidden> 5.6.1-1
- Update to PHP 5.6.1
  http://php.net/releases/5_6_1.php
- use default system cipher list by Fedora policy
  http://fedoraproject.org/wiki/Changes/CryptoPolicy

If I blacklist the cipher (RC4-SHA) used for imap.ikmj.com within /etc/crypto-policies/back-ends/openssl.config, I get the following:

$ time php ssl_test.php
Connected to ssl://imap.ikmj.com:993
* OK ikmj-serwer.home.pl IdeaImapServer v0.80 ready
1 CAPABILITY
2 LOGOUT

real 0m30.900s
user 0m0.031s
sys 0m0.023s

Returning the configuration to stock, I get the following:

$ time php ssl_test.php
Connected to ssl://imap.ikmj.com:993
* OK ikmj-serwer.home.pl IdeaImapServer v0.80 ready
1 CAPABILITY
* CAPABILITY IMAP4rev1 LITERAL+ CHILDREN I18NLEVEL=1 IDLE SORT UIDPLUS UNSELECT XLIST AUTH=PLAIN AUTH=LOGIN
2 LOGOUT

real 0m0.996s
user 0m0.031s
sys 0m0.017s

So I am wondering if the cipher is to blame for our packages. Seeing that the crypto-policies package is not in RHEL yet, I don't think using the '--with-system-ciphers' option is a good idea. If the '--with-system-ciphers' option is not used, a hard-coded list will be used. The IUS packages do not change that list, and I would be hesitant to make changes to it.

Are you talking with the devs on a mailing list?