On Thu, February 19, 2015 10:38, Florian Schlichting wrote:
> Newly released RFC 7465 [0] describes RC4 as being "on the verge of
> becoming practically exploitable" and consequently mandates that both
> servers and clients MUST NOT offer or negotiate an RC4 cipher suite, and
> indeed terminate the TLS handshake if RC4 ciphers are the only ones
> available.
I agree with Kurt that this is a desirable direction to choose, but it is neither opportune nor necessary to change this so late in the release cycle. This issue must be fixed for stretch. The use of RC4 should indeed be discouraged, but the current platform already provides many knobs and levers to disable its use, as will many of the defaults.

> RFC 7465 has been adopted for a reason. Let's take that seriously,
> please?

The reason it's adopted is to migrate away from RC4. Debian is already on that path. As with any RFC, it's not intended to be immediately adopted amongst all supported platforms the day it's released.

Cheers,
Thijs
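The "knobs and levers" Thijs refers to are, in practice, cipher-string configuration. The following is an added example, not part of the thread and not Debian's or any package's code: it resolves an OpenSSL-style cipher string with Python's standard `ssl` module to see which suites a client would actually offer, builds a client context that cannot offer RC4, and models the RFC 7465 server-side rule (terminate the handshake when RC4 is all the client offers) over constructed lists of suite names. The cipher strings and suite-name lists are constructed for illustration; which suites `resolve_ciphers` returns depends on the OpenSSL build Python is linked against, and modern builds may have no RC4 at all.

```python
"""Audit cipher strings for RC4 and apply the RFC 7465 rules (added example)."""
import ssl

# Constructed sample cipher strings (assumptions, not from the thread).
# LEGACY_CIPHERS is the kind of list RFC 7465 forbids; HARDENED_CIPHERS
# appends the exclusion a Debian admin would put in the daemon's config.
LEGACY_CIPHERS = "HIGH:MEDIUM:RC4-SHA:RC4-MD5"
HARDENED_CIPHERS = "HIGH:!aNULL:!MD5:!RC4"


def resolve_ciphers(cipher_string):
    """Return the suite names OpenSSL expands cipher_string to on this build.

    An empty list means nothing is selectable, e.g. an RC4-only string on a
    build where RC4 has been compiled out entirely.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    return [c["name"] for c in ctx.get_ciphers()]


def rc4_suites(cipher_string):
    """Suites in cipher_string that a client would offer in violation of RFC 7465."""
    return [name for name in resolve_ciphers(cipher_string) if "RC4" in name]


def rfc7465_client_context(cipher_string=HARDENED_CIPHERS):
    """Client context that can never offer an RC4 suite.

    Raises ssl.SSLError instead of silently running with an empty or
    RC4-bearing list, so a bad config fails at startup rather than on the wire.
    """
    ctx = ssl.create_default_context()
    ctx.set_ciphers(cipher_string)
    names = [c["name"] for c in ctx.get_ciphers()]
    if not names:
        raise ssl.SSLError("no cipher suites left after exclusions")
    if any("RC4" in name for name in names):
        raise ssl.SSLError("cipher string still admits RC4: %r" % cipher_string)
    return ctx


def rfc7465_server_select(offered, supported):
    """Model the server side of RFC 7465 over plain suite-name lists.

    `offered` is what the ClientHello carried, `supported` the server's
    preference order. RC4 suites are never negotiated; if the client offered
    nothing but RC4 the server MUST terminate the handshake, modelled here by
    returning None.
    """
    usable = [name for name in offered if "RC4" not in name]
    if not usable:
        return None  # RC4-only client: terminate the handshake
    for name in supported:
        if name in usable:
            return name
    return None  # no overlap at all: handshake fails for the usual reason


if __name__ == "__main__":
    print("legacy string offers RC4 suites:", rc4_suites(LEGACY_CIPHERS))
    print("hardened string offers RC4 suites:", rc4_suites(HARDENED_CIPHERS))
    print("suites left:", len(resolve_ciphers(HARDENED_CIPHERS)))
    # Constructed ClientHello contents for the server-side rule.
    print(rfc7465_server_select(["RC4-SHA", "RC4-MD5"], ["AES128-SHA"]))
    print(rfc7465_server_select(["RC4-SHA", "AES128-SHA"], ["AES256-SHA", "AES128-SHA"]))
```

Run it once against the OpenSSL build a host actually uses: the first line tells you whether that build would still put RC4 on the wire with a legacy cipher string, and the second confirms that `!RC4` is honoured regardless of what the default list contains.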