getcomposer.org icon indicating copy to clipboard operation
getcomposer.org copied to clipboard

Published 20 hours ago verified publisher icon composer

web/installer: Use modern TLS

Open jrchamp opened this issue 3 years ago • 1 comments

The allowed cipher list would benefit from some updates: https://github.com/composer/getcomposer.org/blob/4aac8c75b914312056feb5160060bdb4e3d71dc5/web/installer#L1367-L1409

Mozilla has a very good reference for this: https://wiki.mozilla.org/Security/Server_Side_TLS

If you come to do make changes, please also address the duplicate list in https://github.com/composer/composer/blob/346356a4dd62967f1b4df6a91a562a1cb9078cfc/src/Composer/Util/StreamContextFactory.php#L136

jrchamp avatar Mar 31 '21 21:03 jrchamp

Yeah IMO this isn't super critical as the installer only talks to getcomposer.org which is reasonably configured AFAIK, and prefers server ciphers.

On the Composer side, Composer 2 prefers curl anyway so it's not so relevant there either, but sure would be good to clean up the list a little, it is old for sure.

Seldaek avatar Mar 31 '21 21:03 Seldaek