[Pkg-openssl-devel] Bug#778747: Bug#778747: Bug#778747: openssl: RFC 7465 says RC4 is broken, never to be used

[Kurt Roeckx]

On Sun, Feb 22, 2015 at 08:45:40PM +0100, Louis van Belle wrote:
> >With TLS it should be no problem to have those weak ciphers in the list
> 
> I dont agree with this.. 

I'm not sure why you don't agree.  Care to explain why you think
this is a problem?

> Due to weak crypters avaible and programs ( for example postfix ) offering
> them over TLS also cause problems. 

postfix by default will accept any cipher, including anonymous
ciphers.  They will even object to removig RC4 from the default.
This is what you get by default:
aNULL:-aNULL:ALL:+RC4:@STRENGTH

And if you really want to talk about SMTP, RC4 is the only thing
you can use to talk to old exchange servers.  You have the option
to use RC4 or 3DES, but their 3DES implemtation is broken.  They
also ignore ciphers after the 64th in the list.  With the list
from above you can talk to those servers.  (See #729188)

> Google for :   postfix SSL_accept error from for example.. 

This only shows me some people who either have something
misconfigured or the other side is broken.

> This is mainly due to RC4  and older programs which do not obey the crypter
> order list and things like that.

I'm not sure what you're trying to say.

> The defaults from apache2 on wheezy are also not very nice.. 
> 
> By default the ssllabs test comes back with a C ! 
> 
> In this test i just enabled ssl and i did put my certificate in the config. 
> 
> Result.. 
> 
> This server is vulnerable to the POODLE attack. If possible, disable SSL 3
> to mitigate. Grade capped to C

I've already said that I think SSLv3 is a more serious problem.

> This server accepts the RC4 cipher, which is weak. Grade capped to B.

That is something I don't agree to, but can agree to when one
of the "reference browsers" would use RC4.

> The server does not support Forward Secrecy with the reference browsers.   

Which I already explain.



Kurt