[Pkg-openssl-devel] Bug#778747: Bug#778747: Bug#778747: openssl: RFC 7465 says RC4 is broken, never to be used
Vincent Bernat
bernat at debian.org
Sat Feb 21 16:27:42 UTC 2015
❦ 21 février 2015 13:29 +0100, Kurt Roeckx <kurt at roeckx.be> :
>> > The defaults are good enough, as long as you don't really care
>> > about PFS because IE doesn't have those at the top of it's list.
>> > If you just change it to prefer the default server ordering you
>> > should already have a decent list, but it prefers AES256 over
>> > AES128 while there is no need for that.
>>
>> PFS, performances and A+ note on Qualys SSL test. This may be a bit less
>> true today since most browsers are now supporting ECDHE ciphers but it
>> still holds, I think.
>
> Do you know what the minimum changes requirements are to get an
> A(+)?
> I'm guessing it requires at least this in wheezy:
> - SSLProtocol all -SSLv3
> - SSLHonorCipherOrder off
>
> It might require you to disable RC4, but if that's the case we
> should probably talk to Qualsys about it.
Yes, grade capped to B if accepting RC4. I see two possibilities for
this choice: either downgrade attacks (when not circumvented), either it
is considered preferable to use AES or even 3DES (BEAST attack being
prevented on server-side).
Relying on default ciper suite would also mean that it is updated during
the life-cycle of the distribution. This could be good or bad (breaking
existing setups).
--
A man was reading The Canterbury Tales one Saturday morning, when his
wife asked "What have you got there?" Replied he, "Just my cup and
Chaucer."
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 818 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-openssl-devel/attachments/20150221/56a290a8/attachment.sig>
More information about the Pkg-openssl-devel
mailing list