composer / getcomposer.org

getcomposer.org sources
http://getcomposer.org
MIT License

web/installer: Use modern TLS #184

Open jrchamp opened 3 years ago

jrchamp commented 3 years ago

The allowed cipher list would benefit from some updates: https://github.com/composer/getcomposer.org/blob/4aac8c75b914312056feb5160060bdb4e3d71dc5/web/installer#L1367-L1409

Mozilla has a very good reference for this: https://wiki.mozilla.org/Security/Server_Side_TLS

If you come to make changes, please also address the duplicate list in https://github.com/composer/composer/blob/346356a4dd62967f1b4df6a91a562a1cb9078cfc/src/Composer/Util/StreamContextFactory.php#L136
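As an added illustration of what a refreshed stream-context configuration could look like (example code written for this page, not the installer's or Composer's own code): the cipher string below is modelled on the Mozilla "intermediate" profile linked above, and the names `MODERN_TLS12_CIPHERS`, `createModernTlsContext()` and `auditTlsContext()`, as well as the legacy context it is compared against, are assumptions made for the example. It targets PHP 7.4 or later. One caveat a practitioner should know: PHP's `ciphers` context option maps to OpenSSL's TLS 1.2 cipher list, so it has no effect on the TLS 1.3 suites, which OpenSSL negotiates from a separate list that PHP does not expose.

```php
<?php
declare(strict_types=1);

// Assumed cipher string, modelled on the Mozilla "intermediate" profile:
// forward-secret key exchange only, AEAD only, no RSA key exchange,
// no RC4/3DES/CBC-SHA1. Governs TLS 1.2 negotiation only (see lead-in).
const MODERN_TLS12_CIPHERS = 'ECDHE-ECDSA-AES128-GCM-SHA256:'
    . 'ECDHE-RSA-AES128-GCM-SHA256:'
    . 'ECDHE-ECDSA-AES256-GCM-SHA384:'
    . 'ECDHE-RSA-AES256-GCM-SHA384:'
    . 'ECDHE-ECDSA-CHACHA20-POLY1305:'
    . 'ECDHE-RSA-CHACHA20-POLY1305:'
    . 'DHE-RSA-AES128-GCM-SHA256:'
    . 'DHE-RSA-AES256-GCM-SHA384';

/**
 * Build an HTTPS stream context that refuses anything below TLS 1.2,
 * verifies the peer certificate and hostname, and restricts the TLS 1.2
 * cipher suites to MODERN_TLS12_CIPHERS. (Assumed helper, not Composer's.)
 */
function createModernTlsContext(?string $caFile = null)
{
    $cryptoMethod = STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT;
    if (defined('STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT')) { // PHP >= 7.4
        $cryptoMethod |= STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT;
    }

    $ssl = [
        'verify_peer'         => true,
        'verify_peer_name'    => true,
        'allow_self_signed'   => false,
        'SNI_enabled'         => true,
        'disable_compression' => true,   // no TLS-level compression (CRIME)
        'crypto_method'       => $cryptoMethod,
        'ciphers'             => MODERN_TLS12_CIPHERS,
    ];
    if ($caFile !== null) {
        $ssl['cafile'] = $caFile;        // pin a specific CA bundle if desired
    }

    return stream_context_create(['ssl' => $ssl, 'http' => ['timeout' => 30.0]]);
}

/**
 * Check an existing context against the same policy and return a list of
 * findings; an empty array means the context passes. (Assumed helper.)
 */
function auditTlsContext($context): array
{
    $opts     = stream_context_get_options($context)['ssl'] ?? [];
    $problems = [];

    if (($opts['verify_peer'] ?? null) !== true) {
        $problems[] = 'verify_peer not explicitly enabled';
    }
    if (($opts['verify_peer_name'] ?? null) !== true) {
        $problems[] = 'verify_peer_name not explicitly enabled';
    }

    // Only TLS 1.2 (and 1.3 where the constant exists) may be set.
    $allowed = STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT;
    if (defined('STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT')) {
        $allowed |= STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT;
    }
    if (!isset($opts['crypto_method']) || ($opts['crypto_method'] & ~$allowed) !== 0) {
        $problems[] = 'TLS versions below 1.2 are permitted';
    }

    // Flag RC4, 3DES, export/NULL suites, MD5 or SHA-1 MACs (…-SHA), and
    // RSA key exchange (suite names with no ECDHE/DHE prefix).
    foreach (array_filter(explode(':', $opts['ciphers'] ?? '')) as $suite) {
        if (preg_match('/RC4|3DES|DES-CBC|MD5|EXP|NULL|-SHA$|^(AES|CAMELLIA|SEED)/', $suite)) {
            $problems[] = "weak or non-forward-secret suite: $suite";
        }
    }
    return $problems;
}

// Usage: a constructed legacy-style context next to the hardened one.
$legacy = stream_context_create([
    'ssl' => ['ciphers' => 'AES256-SHA:RC4-SHA:DES-CBC3-SHA'],
]);
foreach (['legacy' => $legacy, 'modern' => createModernTlsContext()] as $name => $ctx) {
    $findings = auditTlsContext($ctx);
    printf("%s: %s\n", $name, $findings ? implode('; ', $findings) : 'OK');
}
```

Because `ciphers` is a plain OpenSSL cipher-list string, the same list can be checked outside PHP with `openssl ciphers -v '<list>'`, which also shows which suites the local OpenSSL build actually resolves the names to.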

Seldaek commented 3 years ago

Yeah IMO this isn't super critical as the installer only talks to getcomposer.org which is reasonably configured AFAIK, and prefers server ciphers.

On the Composer side, Composer 2 prefers curl anyway so it's not so relevant there either, but sure would be good to clean up the list a little, it is old for sure.