On Thu, Feb 19, 2015 at 10:38:14AM +0100, Florian Schlichting wrote:
> Package: openssl
> Version: 1.0.1e-2+deb7u14
> Severity: serious
> Tags: security
>
> Newly released RFC 7465 [0] describes RC4 as being "on the verge of
> becoming practically exploitable" and consequently mandates that both
> servers and clients MUST NOT offer or negotiate an RC4 cipher suite, and
> indeed terminate the TLS handshake if RC4 ciphers are the only ones
> available.
>
> To protect our users and comply with adopted Internet standards, openssl
> in Debian should no longer include RC4 ciphers in the DEFAULT list of
> ciphers, neither in Jessie nor supported stable / oldstable releases.
I fully support that RFC. However, I don't think it's a good idea to remove it from DEFAULT in jessie. Reasons not to are:

- Many servers only support RC4, so clients still need to support RC4 to be able to talk to them. Hopefully this RFC will change that.
- In practice, if the other side supports something other than RC4 it's likely that RC4 isn't used.

I would really like to drop RC4 on the server side but not yet at the client side.

Kurt
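The thread turns on what the OpenSSL cipher string "DEFAULT" actually expands to on a given libssl build, and on the distinction Kurt draws between dropping RC4 on the server side while keeping it on the client side. The following is an added example, not code from the bug report or from Debian's openssl package: it uses Python's `ssl` module, which hands the cipher string to the linked libssl, to list which RC4 suites a cipher string still admits and to build a server-side context with an explicit `!RC4` exclusion. The function names and the cipher strings being audited are this example's own choices.

```python
import ssl


def ciphers_for(cipher_string):
    """Return the suite names libssl enables for an OpenSSL cipher string.

    The expansion reflects the OpenSSL build Python is linked against, not
    Python itself, so "DEFAULT" on an old build may still include RC4 while
    a modern build will not. Raises ssl.SSLError when no suite matches
    (for instance a bare "RC4" on a build compiled without RC4).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [suite["name"] for suite in ctx.get_ciphers()]


def rc4_suites(cipher_string):
    """The RC4 suites a cipher string would still let OpenSSL negotiate."""
    return [name for name in ciphers_for(cipher_string) if "RC4" in name]


def exclude_rc4(cipher_string):
    """Append an explicit RC4 exclusion to a cipher string.

    "!" removes the suites permanently for that string, so a later
    "RC4-SHA" entry cannot re-add them the way "-RC4" would allow.
    """
    return cipher_string + ":!RC4"


def make_context(server_side, cipher_string="DEFAULT"):
    """Build a context following the server-first policy from the thread.

    Server contexts drop RC4 unconditionally; client contexts keep the
    caller's string unchanged so they can still reach RC4-only peers.
    """
    if server_side:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.set_ciphers(exclude_rc4(cipher_string))
    else:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.set_ciphers(cipher_string)
    return ctx


def context_rc4_suites(ctx):
    """RC4 suites enabled on an already-configured context."""
    return [s["name"] for s in ctx.get_ciphers() if "RC4" in s["name"]]


if __name__ == "__main__":
    print("OpenSSL in use:", ssl.OPENSSL_VERSION)
    print("RC4 suites in DEFAULT:", rc4_suites("DEFAULT") or "none")
    print("RC4 suites in DEFAULT:!RC4:", rc4_suites(exclude_rc4("DEFAULT")) or "none")
    print("server context RC4 suites:", context_rc4_suites(make_context(True)) or "none")
    print("client context RC4 suites:", context_rc4_suites(make_context(False)) or "none")
```

Running this against the jessie-era 1.0.1 libssl would list RC4-SHA and friends for plain "DEFAULT"; against any build, the "!RC4" form and the server context report none. The exclusion is spelled with "!" rather than "-" deliberately: "-" only moves suites out of the current list and a later positive entry can bring them back, whereas "!" is final for that cipher string.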