[Pkg-openssl-devel] Bug#778747: Bug#778747: Bug#778747: openssl: RFC 7465 says RC4 is broken, never to be used
Vincent Bernat
bernat at debian.org
Sat Feb 21 11:38:01 UTC 2015
❦ 21 février 2015 10:49 +0100, Kurt Roeckx <kurt at roeckx.be> :
>> > Please note that RC4 in the default configuration should never be
>> > negiotated by modern clients and servers. The problem is
>> > administrators who think they know better changed somethign not to
>> > use the defaults. If we adjust the defaults it's not going to fix
>> > anything.
>>
>> Many administrators don't use the defaults because the defaults are most
>> of the time inappropriate for a web server. At some time, RC4 was widely
>> advertised as the preferred cipher because it was immune to BEAST and
>> supported by all browsers from IE6.
>
> The defaults are good enough, as long as you don't really care
> about PFS because IE doesn't have those at the top of it's list.
> If you just change it to prefer the default server ordering you
> should already have a decent list, but it prefers AES256 over
> AES128 while there is no need for that.
PFS, performances and A+ note on Qualys SSL test. This may be a bit less
true today since most browsers are now supporting ECDHE ciphers but it
still holds, I think.
--
Must I hold a candle to my shames?
-- William Shakespeare, "The Merchant of Venice"
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 818 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-openssl-devel/attachments/20150221/28159205/attachment.sig>
More information about the Pkg-openssl-devel
mailing list