Memorandum #15.

   As PHP7.0.3 was released, I updated to it the day before yesterday. Here is ChangeLog. My server OS is Windows7 HE SP1 x86, so I downloaded php-7.0.3-Win32-VC14-x86.zip.
   The new php.ini-production doesn’t have difference from 7.0.2’s except some comments. If you need more information about php.ini configuration, see ‘Migrating from PHP 5.5.16 to PHP 5.6.0 on Windows’.

   I also updated to phpMyAdmin4.5.4.1. If you install phpMyAdmin at the first time, please see To create a Wamp-like Web Server in Windows7-#3 and phpMyAdmin Configuration storage.
   Beginning in January 2016, the phpMyAdmin release manager is Isaac Bennetch. If you have the old keyring, you need to update it for the file verification. See Verifying phpMyAdmin releases.

   Recently I’ve got stuck with SSL/TLS things since I read OpenSSL Security Advisory [28th Jan 2016]. The Advisory doesn’t include ‘Severity: Critical’. But I’ve used this opportunity to check up Cipher Suite of my Web server.
   Since enabling HTTP/2 on my server, I’ve use ‘AESGCM:HIGH:MEDIUM:!MD5:!RC4’. This gives these cipher suites and includes SSLv3 things as you see, of course, though I disabled SSLv3 on the server.
   I removed SSLv3 cipher suites and TLS ones that are on TLS 1.2 Cipher Suite Black List of the http2-spec page. See the list.
   After my work, I’ve got only these chiper suites.

ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-GCM-SHA384
DHE-DSS-AES256-GCM-SHA384
DHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
DHE-DSS-AES128-GCM-SHA256
DHE-RSA-AES128-GCM-SHA256

   But I left ECDHE-RSA-AES256-SHA in my configuration because I have visitors who use Android equal to or less than 4.3 according to the server log. Now my Cipher Suites on the ssl.conf is the following.

ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA

   The command ‘openssl ciphers -v ~’ gives cipher suites list by OpenSSL names and TLS 1.2 Cipher Suite Black List gives them by the relevant specification names. If you don’t know about them well, see TLS v1.2 cipher suites. You can find a comparison table there.

   By the way, one of my Japanese blog visitors, くりくりさん, wrote about OCSP Stapling on his blog(Japanese). I’ve used OCSP Stapling since Moving my WordPress to HTTPS for supporting HTTP/2-#1. So, I’ll upload the result of my test, like this. If the handshakes end in a success, the head is same regardless of TLS versions.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.