[Pkg-openssl-devel] Bug#778747: Bug#778747: openssl: RFC 7465 says RC4 is broken, never to be used
Louis van Belle
louis at van-belle.nl
Sun Feb 22 19:45:40 UTC 2015
>With TLS it should be no problem to have those weak ciphers in the list
I dont agree with this..
Due to weak crypters avaible and programs ( for example postfix ) offering
them over TLS also cause problems.
Google for : postfix SSL_accept error from for example..
This is mainly due to RC4 and older programs which do not obey the crypter
order list and things like that.
The defaults from apache2 on wheezy are also not very nice..
By default the ssllabs test comes back with a C !
In this test i just enabled ssl and i did put my certificate in the config.
Result..
This server is vulnerable to the POODLE attack. If possible, disable SSL 3
to mitigate. Grade capped to C
This server accepts the RC4 cipher, which is weak. Grade capped to B.
The server does not support Forward Secrecy with the reference browsers.
This server supports TLS_FALLBACK_SCSV to prevent protocol downgrade
attacks.
This server supports HTTP Strict Transport Security with long duration.
So i did what was needed, now an A+
What im i missing .. people who use XP with ie6-8 java6.x
.. wel these are nowday so insecure i dont even want them on my servers.
Imo, its also our responibility to inform people about insecure settings.
Removing RC4 may not be an option, i agree in that yes. As told above
already.
But the new defaults should not include RC4 the programs defaults.
And maybe a note somewere would be nice for these users.
But thats just me as a user opinion.
My professional opinion is remove RC4,
low protected servers al mostly abused for doss atacks, sending spam etc.
Greetz,
Louis
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.alioth.debian.org/pipermail/pkg-openssl-devel/attachments/20150222/069eeed7/attachment.html>
More information about the Pkg-openssl-devel
mailing list