[Pkg-openssl-devel] Bug#778747: Bug#778747: Bug#778747: openssl: RFC 7465 says RC4 is broken, never to be used

Kurt Roeckx kurt at roeckx.be
Sat Feb 21 09:49:21 UTC 2015


On Sat, Feb 21, 2015 at 08:52:59AM +0100, Vincent Bernat wrote:
>  ? 20 février 2015 22:50 +0100, Kurt Roeckx <kurt at roeckx.be> :
> 
> > Please note that RC4 in the default configuration should never be
> > negiotated by modern clients and servers.  The problem is
> > administrators who think they know better changed somethign not to
> > use the defaults.  If we adjust the defaults it's not going to fix
> > anything.
> 
> Many administrators don't use the defaults because the defaults are most
> of the time inappropriate for a web server. At some time, RC4 was widely
> advertised as the preferred cipher because it was immune to BEAST and
> supported by all browsers from IE6.

The defaults are good enough, as long as you don't really care
about PFS because IE doesn't have those at the top of it's list.
If you just change it to prefer the default server ordering you
should already have a decent list, but it prefers AES256 over
AES128 while there is no need for that.


Kurt



More information about the Pkg-openssl-devel mailing list