[Pkg-openssl-devel] Bug#778747: Bug#778747: openssl: RFC 7465 says RC4 is broken, never to be used

Florian Schlichting fsfs at debian.org
Fri Feb 20 17:10:59 UTC 2015


Hi Kurt,

> > To protect our users and comply with adopted Internet standards, openssl
> > in Debian should no longer include RC4 ciphers in the DEFAULT list of
> > ciphers, neither in Jessie nor supported stable / oldstable releases.
> 
> I fully support that RFC.  However I don't think it's a good idea
> to remove it from DEFAULT in jessie.  Reasons not to are:
> - Many servers only support RC4 so clients still need to support
>   RC4 to be able to talk to them.  Hopefully this RFC will change
>   that.

What servers, and what clients are we talking about here? From reading
the Chromium [0] and Firefox [1] bugs about this, I understand that
payment processors in the US have a problem disabling RC4 on older
setups while maintaining PCI compliance. SSL Pulse [2] counts around
1.5% of web sites surveyed that only support RC4. So major browsers like
Iceweasel and Chromium may want to keep RC4 around as an option for
those who need it (there's talk about a whitelist in [0]).

[0] https://code.google.com/p/chromium/issues/detail?id=375342
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=999544
[2] https://www.trustworthyinternet.org/ssl-pulse/

However everybody else should get rid of RC4 now, not just on the server
but also on the client side - and I'm particularly thinking of all the
applications that use TLS beyond the web. It is a lot easier to remove
RC4 ciphers from the DEFAULT list in openssl and to add it back in the
very few web browsers that need it (and I'm not sure there are any at
all that use openssl in Debian and rely on the DEFAULT), than to change
the hundreds of other applications in Debian that use openssl to require
"DEFAULT:!RC4".

> - In practice if the other side supports something other than RC4
>   it's likely that RC4 isn't used.

Looking at SSL Pulse [2] again, 23.3% of sites will negotiate an
RC4-based cipher with modern browsers, that's roughly a third of those
having some RC4 suites enabled. Not all that unlikely, I'd say, and a
reason why Google and Mozilla consider moving forward on the client
side.


I think disabling RC4 in the default list of suites in openssl and
similar libraries like gnutls and libnss is the right thing to do, and I
think it should be done now, unless we have a clear idea about what if
anything this breaks and will need to be fixed beforehand.

Florian


