Hey Ralf,
Thanks for the clarification.
I got looking at the differences in the Fedora spec file and ours. For the most part they are very similar, as we use theirs as a starting point. They use a new compile option, '--with-system-ciphers'. Here is the change log entry:
* Fri Oct 03 2014 Remi Collet <email address hidden> 5.6.1-1
- Update to PHP 5.6.1
  http://php.net/releases/5_6_1.php
- use default system cipher list by Fedora policy
  http://fedoraproject.org/wiki/Changes/CryptoPolicy
If I blacklist the cipher (RC4-SHA) used for imap.ikmj.com within /etc/crypto-policies/back-ends/openssl.config, I get the following:
$ time php ssl_test.php
Connected to ssl://imap.ikmj.com:993
* OK ikmj-serwer.home.pl IdeaImapServer v0.80 ready
1 CAPABILITY
2 LOGOUT
real 0m30.900s
user 0m0.031s
sys 0m0.023s
Return the configuration back to stock, I get the following:
$ time php ssl_test.php
Connected to ssl://imap.ikmj.com:993
* OK ikmj-serwer.home.pl IdeaImapServer v0.80 ready
1 CAPABILITY
* CAPABILITY IMAP4rev1 LITERAL+ CHILDREN I18NLEVEL=1 IDLE SORT UIDPLUS UNSELECT XLIST AUTH=PLAIN AUTH=LOGIN
2 LOGOUT
real 0m0.996s
user 0m0.031s
sys 0m0.017s
So I am wondering if the cipher is to blame for our packages. Seeing that the crypto-policies package is not in RHEL yet, I don't think using the '--with-system-ciphers' option is a good idea. If the '--with-system-ciphers' is not used, a hard coded list will be used. The IUS packages do not change that list and I would be hesitant to make changes to it.
Are you talking with the devs on a mailing list?