[Pkg-openssl-devel] Bug#778747: Bug#778747: Bug#778747: openssl: RFC 7465 says RC4 is broken, never to be used

Vincent Bernat bernat at debian.org
Sat Feb 21 17:22:40 UTC 2015


 ❦ 21 February 2015 17:50 +0100, Kurt Roeckx <kurt at roeckx.be>:

>> > Do you know what the minimum changes requirements are to get an
>> > A(+)?
>> > I'm guessing it requires at least this in wheezy:
>> > - SSLProtocol all -SSLv3
>> > - SSLHonorCipherOrder off
>> >
>> > It might require you to disable RC4, but if that's the case we
>> > should probably talk to Qualys about it.
>> 
>> Yes, grade capped to B if accepting RC4. I see two possibilities for
>> this choice: either downgrade attacks (when not circumvented), or it
>> is considered preferable to use AES or even 3DES (BEAST attack being
>> prevented on server-side).
>
> I don't see how you're going to do a downgrade attack to RC4.  Yes
> clients like IE will enable RC4 on a fallback.  But if the server
> supports something other than RC4 it should still pick that other
> thing.

I suppose it is considered safer to not propose RC4 at all. If the
server has responsibility for the data, it shouldn't propose an unsafe
protocol at all even when the client is not supposed to ask for
it. That's pure speculation, I am not informed enough.
-- 
Don't stop at one bug.
            - The Elements of Programming Style (Kernighan & Plauger)
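
Added example, not part of the original message or of any Debian or OpenSSL code: a simplified model of the cipher selection discussed in this thread, showing when a server that still lists RC4 ends up negotiating it. The suite lists and client profiles are constructed sample data, and selection is reduced to preference order only.

```python
# Added illustration (not from the thread): simplified TLS cipher selection.
# Real servers also filter by protocol version and key type; ignored here.

def negotiate(server_suites, client_suites, honor_server_order):
    """Return the suite the server picks, or None when nothing is shared.

    honor_server_order=True models Apache 'SSLHonorCipherOrder on';
    False models 'off', where the client's preference order decides.
    """
    if honor_server_order:
        ranked, offered = server_suites, set(client_suites)
    else:
        ranked, offered = client_suites, set(server_suites)
    return next((s for s in ranked if s in offered), None)

def without_rc4(suites):
    """Drop every RC4 suite, as a server that never proposes RC4 would."""
    return [s for s in suites if "RC4" not in s]

# Constructed sample lists using OpenSSL suite names.
SERVER = ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA", "DES-CBC3-SHA", "RC4-SHA"]
CLIENTS = {
    "modern": ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA", "RC4-SHA"],
    "rc4_first": ["RC4-SHA", "AES128-SHA", "DES-CBC3-SHA"],  # e.g. after a fallback
    "rc4_only": ["RC4-SHA", "RC4-MD5"],
}

def outcome_table():
    """Map (rc4_enabled, honor_server_order, client) -> negotiated suite."""
    table = {}
    for rc4_enabled in (True, False):
        server = SERVER if rc4_enabled else without_rc4(SERVER)
        for honor in (True, False):
            for name, client in CLIENTS.items():
                table[(rc4_enabled, honor, name)] = negotiate(server, client, honor)
    return table

if __name__ == "__main__":
    for key, suite in outcome_table().items():
        print(key, "->", suite)
```

With RC4 still enabled, only the server-ordered case steers the `rc4_first` client to AES; once RC4 is removed, the `rc4_only` client has no shared suite and the handshake fails instead.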