[Pkg-openssl-devel] Bug#778747: openssl: RFC 7465 says RC4 is broken, never to be used

Thijs Kinkhorst thijs at debian.org
Mon Feb 23 18:31:38 UTC 2015


On Thu, February 19, 2015 10:38, Florian Schlichting wrote:
> Newly released RFC 7465 [0] describes RC4 as being "on the verge of
> becoming practically exploitable" and consequently mandates that both
> servers and clients MUST NOT offer or negotiate an RC4 cipher suite, and
> indeed terminate the TLS handshake if RC4 ciphers are the only ones
> available.

I agree with Kurt that this is a desirable direction to choose, but is not
something opportune nor necessary to change so late in the release cycle.
This issue must be fixed for stretch.

The use of RC4 should indeed be discouraged, but the current platform
already provides many knobs and levers to disable the use, as will many of
the defaults.

> RFC 7465 has been adopted for a reason. Let's take that seriously,
> please?

The reason it's adopted is to migrate away from RC4. Debian is already on
that path. As with any RFC, it's not intended to be immediately adopted
amongst all supported platforms the day it's released.


Cheers,
Thijs
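
The RFC 7465 rules quoted at the top of this message, as an added example that is not part of the thread and is not OpenSSL or Debian code: clients drop RC4 from their offer, servers never select it, and a server aborts when RC4 is all the client offers. The function names, the `HandshakeAbort` exception and the suite lists are assumptions constructed for illustration; suite names follow the IANA TLS registry.

```python
# Added illustration of the RFC 7465 rules; not OpenSSL or Debian code.
# All names here are hypothetical; the suite lists are constructed samples.

class HandshakeAbort(Exception):
    """Raised where a real TLS stack would send a fatal alert and close."""

def is_rc4(suite):
    # IANA names put the bulk cipher after "_WITH_", e.g. TLS_RSA_WITH_RC4_128_SHA
    # or TLS_RSA_EXPORT_WITH_RC4_40_MD5.
    return "_WITH_RC4_" in suite

def client_offer(configured):
    """Client side: RC4 suites MUST NOT appear in the ClientHello."""
    offer = [s for s in configured if not is_rc4(s)]
    if not offer:
        raise HandshakeAbort("client configuration contains only RC4 suites")
    return offer

def server_select(client_suites, server_prefs):
    """Server side: never select RC4; abort if RC4 is all the client offers."""
    if client_suites and all(is_rc4(s) for s in client_suites):
        # RFC 7465 permits the insufficient_security fatal alert in this case.
        raise HandshakeAbort("insufficient_security: client offered only RC4")
    offered = set(client_suites)
    for suite in server_prefs:  # walk the server's preference order
        if suite in offered and not is_rc4(suite):
            return suite
    raise HandshakeAbort("handshake_failure: no shared non-RC4 suite")

# Constructed legacy server configuration that still lists RC4 last.
SERVER_PREFS = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
]

if __name__ == "__main__":
    # Constructed ClientHello offers: a mixed legacy client and an RC4-only one.
    mixed = ["TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"]
    rc4_only = ["TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_RC4_128_MD5"]
    print("mixed client ->", server_select(mixed, SERVER_PREFS))
    try:
        server_select(rc4_only, SERVER_PREFS)
    except HandshakeAbort as exc:
        print("RC4-only client ->", exc)
    print("client offer ->", client_offer(mixed))
```
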


