Your message dated Fri, 28 Jun 2024 19:51:36 +0200
with message-id <20240628175136.6died...@breakpoint.cc>
and subject line Close libssl1.0.0: Support for RC4 should be dropped
has caused the Debian Bug report #779246,
regarding libssl1.0.0: Support for RC4 should be dropped
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
779246: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779246
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libssl1.0.0
Version: 1.0.1k-1
Severity: wishlist

Dear Maintainer,

As of the publication of RFC 7465 this month, support for RC4 is now
formally prohibited. Section 2 explicitly states:

   o  TLS clients MUST NOT include RC4 cipher suites in the ClientHello
      message.

   o  TLS servers MUST NOT select an RC4 cipher suite when a TLS client
      sends such a cipher suite in the ClientHello message.

   o  If the TLS client only offers RC4 cipher suites, the TLS server
      MUST terminate the handshake.  The TLS server MAY send the
      insufficient_security fatal alert in this case.

It therefore seems reasonable to forcibly disable support for this, as
was done with SSLv3, even if no single common exploit is yet known.

The following patch from Piotr Sikora of CloudFlare has been used by them
in production for more than a year:

<https://github.com/cloudflare/openssl-deprecate-rc4/>

As evidenced by this blog post:

<https://blog.cloudflare.com/killing-rc4/>

While this only applies to TLSv1.1+, presumably it should be a simple matter
to remove the protocol condition, and apply a similar patch to OpenSSL in
Debian.

Many thanks for your consideration.

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.16-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

--- End Message ---
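
The three RFC 7465 Section 2 rules quoted in the report above, expressed as server-side selection logic. This is an added example, not code from the bug report, from OpenSSL, or from the CloudFlare patch. The function names, the sample ClientHello vectors and the server preference list are constructed for illustration; the code points are taken from the IANA TLS cipher suite registry.

```python
# RC4 cipher suite code points from the IANA TLS cipher suite registry.
RC4_SUITES = frozenset({
    0x0003, 0x0004, 0x0005, 0x0017, 0x0018, 0x0020, 0x0024, 0x0028, 0x002B,
    0x008A, 0x008E, 0x0092, 0xC002, 0xC007, 0xC00C, 0xC011, 0xC016, 0xC033,
})
# Signalling values carried in the cipher list that are not real ciphers.
SCSVS = frozenset({0x00FF, 0x5600})  # renegotiation_info SCSV, TLS_FALLBACK_SCSV


class InsufficientSecurity(Exception):
    """Handshake terminated; maps to the insufficient_security fatal alert."""


def parse_cipher_suites(vector: bytes) -> list:
    """Decode a ClientHello cipher_suites vector: 2-byte length, then 2-byte IDs."""
    if len(vector) < 4:
        raise ValueError("cipher_suites vector too short")
    length = int.from_bytes(vector[:2], "big")
    body = vector[2:]
    if length != len(body) or length % 2:
        raise ValueError("malformed cipher_suites vector")
    return [int.from_bytes(body[i:i + 2], "big") for i in range(0, length, 2)]


def offers_rc4(offered) -> bool:
    """True if the client broke the 'MUST NOT include RC4' rule (worth logging)."""
    return any(s in RC4_SUITES for s in offered)


def select_suite(offered, server_prefs):
    """Pick the first server-preferred suite the client offered, never RC4."""
    candidates = {s for s in offered if s not in RC4_SUITES and s not in SCSVS}
    if not candidates:
        # Only RC4 (plus SCSVs) on offer: the server MUST terminate the handshake.
        raise InsufficientSecurity("client offered only RC4 cipher suites")
    for suite in server_prefs:
        if suite in candidates:
            return suite
    return None  # no shared non-RC4 suite; a real server sends handshake_failure


# Constructed sample vectors (not captured traffic).
MIXED_HELLO = bytes.fromhex("0008c02fc011000500ff")   # AES-GCM, two RC4, SCSV
RC4_ONLY_HELLO = bytes.fromhex("00060005000400ff")    # two RC4 suites and an SCSV
SERVER_PREFS = [0xC011, 0xC02F, 0x009C]               # legacy config preferring RC4
```

With `SERVER_PREFS` deliberately listing an RC4 suite first, `select_suite` still lands on 0xC02F for the mixed hello, and the RC4-only hello is rejected even though it also carries an SCSV.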
--- Begin Message ---
Version: 1.1.0~pre5-1

from the change for 1.1.0

| * RC4 based libssl ciphersuites are now classed as "weak" ciphers and are
|   disabled by default. They can be re-enabled using the
|   enable-weak-ssl-ciphers option to Configure.

Sebastian

--- End Message ---