[Pkg-openssl-devel] Bug#778747: Bug#778747: openssl: RFC 7465 says RC4 is broken, never to be used
Kurt Roeckx
kurt at roeckx.be
Fri Feb 20 17:25:44 UTC 2015

On Fri, Feb 20, 2015 at 06:10:59PM +0100, Florian Schlichting wrote:
> Hi Kurt,
>
> > > To protect our users and comply with adopted Internet standards, openssl
> > > in Debian should no longer include RC4 ciphers in the DEFAULT list of
> > > ciphers, neither in Jessie nor supported stable / oldstable releases.
> >
> > I fully support that RFC. However I don't think it's a good idea
> > to remove it from DEFAULT in jessie. Reasons not to are:
> > - Many servers only support RC4 so clients still need to support
> > RC4 to be able to talk to them. Hopefully this RFC will change
> > that.
>
> What servers, and what clients are we talking about here?

You might want to look at those stats:
https://lists.fedoraproject.org/pipermail/security/2015-February/002069.html

Kurt