[Pkg-openssl-devel] Bug#778747: Bug#778747: openssl: RFC 7465 says RC4 is broken, never to be used
Kurt Roeckx
kurt at roeckx.be
Thu Feb 19 20:06:01 UTC 2015
On Thu, Feb 19, 2015 at 10:38:14AM +0100, Florian Schlichting wrote:
> Package: openssl
> Version: 1.0.1e-2+deb7u14
> Severity: serious
> Tags: security
>
> Newly released RFC 7465 [0] describes RC4 as being "on the verge of
> becoming practically exploitable" and consequently mandates that both
> servers and clients MUST NOT offer or negotiate an RC4 cipher suite, and
> indeed terminate the TLS handshake if RC4 ciphers are the only ones
> available.
>
> To protect our users and comply with adopted Internet standards, openssl
> in Debian should no longer include RC4 ciphers in the DEFAULT list of
> ciphers, neither in Jessie nor supported stable / oldstable releases.
I fully support that RFC. However I don't think it's a good idea
to remove it from DEFAULT in jessie. Reasons not to are:
- Many servers only support RC4 so clients still need to support
RC4 to be able to talk to them. Hopefully this RFC will change
that.
- In practice if the other side supports something other than RC4
it's likely that RC4 isn't used.
I would really like to drop RC4 on the server side but not yet at
the client side.
Kurt
More information about the Pkg-openssl-devel
mailing list