website TLS 1.3 and more TLS 1.2 cipher suites #1194

Open
MoritzLoewenstein opened this issue Dec 26, 2024 · 1 comment
@MoritzLoewenstein


Description

Currently, the https://www.php.net website supports the following TLS versions and ciphers:

TLS V1.2

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

TLS V1.1

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

TLS V1.0

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

Reference: https://globalsign.ssllabs.com/analyze.html?d=www.php.net&s=45.112.84.18

Problem

Sadly, the HTTP client in the Zig programming language does not support any of these ciphers,
which is a separate issue, but it would be great to use newer ciphers and/or newer TLS versions
on the php.net website. I could not find a repository with Apache config files or similar,
but this change should be a relatively simple config change.

Proposed change

  • add the cipher suites and TLS versions which are supported in the "intermediate" setting of the Mozilla Apache config generator to the current config
  • this will allow newer clients to connect while still supporting older cipher suites and TLS versions

Optional change

  • use preset "intermediate", replacing the current TLS and cipher suite configuration
  • this will reduce support for older cipher suites and disable TLS v1.0 and v1.1

Expected Benefit

  • by supporting modern cipher suites, clients with a reduced set of cipher suites can still connect to the website
  • by shutting down older cipher suites and disabling older TLS versions, the connections made will be more secure
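
The effect of the two proposals on which clients can connect, as an added example that is not part of the original issue or of any php.net configuration: a small model of TLS version and cipher-suite selection run against the suite list quoted above. The `PROPOSED` and `OPTIONAL` server sets and all three clients are assumptions constructed for illustration; the real "intermediate" suite list should be taken from the generator output.

```python
# Added example: a model of TLS version and cipher-suite selection, not a real handshake.
CBC_SHA1 = ["TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
            "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"]
# Server side "today": copied from the SSL Labs listing quoted in the issue.
CURRENT = {
    "1.2": ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
            "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
            "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"],
    "1.1": CBC_SHA1,
    "1.0": CBC_SHA1,
}
# TLS 1.3 suites as defined in RFC 8446.
TLS13 = ["TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
         "TLS_CHACHA20_POLY1305_SHA256"]
# Assumed outcome of the "proposed change": everything kept, TLS 1.3 added.
PROPOSED = {"1.3": TLS13, **CURRENT}
# Assumed outcome of the "optional change": TLS 1.2+ with AEAD suites only.
OPTIONAL = {"1.3": TLS13, "1.2": [s for s in CURRENT["1.2"] if "_GCM_" in s]}

# Constructed clients (hypothetical, not the suite list of any real library).
CLIENTS = {
    "tls13_only": ({"1.3"}, set(TLS13)),
    "legacy_tls10": ({"1.0"}, set(CBC_SHA1)),
    "tls12_chacha": ({"1.2"}, {"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"}),
}

def negotiate(server, client_versions, client_suites):
    """Return (version, suite) or a string naming why the handshake fails."""
    common = [v for v in server if v in client_versions]
    if not common:
        return "no common protocol version"
    version = max(common)  # highest version both sides support
    for suite in server[version]:  # server preference order
        if suite in client_suites:
            return version, suite
    return "no shared cipher suite"

def matrix():
    """Negotiation result for every (server config, client) pair."""
    configs = {"current": CURRENT, "proposed": PROPOSED, "optional": OPTIONAL}
    return {(cfg, name): negotiate(server, *client)
            for cfg, server in configs.items()
            for name, client in CLIENTS.items()}

if __name__ == "__main__":
    for pair, result in matrix().items():
        print(pair, "->", result)
```

The `tls12_chacha` rows show that enabling TLS 1.3 alone does not help a TLS 1.2 client with a reduced suite set; that case needs additional TLS 1.2 suites on the server as well.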

@cmb69
Member

cmb69 commented Dec 26, 2024

Not the proper place to report this, but maybe @derickr can have a look?

@iluuu1994 transferred this issue from php/php-src Dec 27, 2024