> Far more productive than disabling RC4 would be ensuring that it is not the
> preferred cipher suite when better options are enabled.

I am not disabling RC4. I am saying that applications that want to use it will, after the post-1.0.2 release is adopted, need to take pro-active action. This follows the current thinking of the IETF. It's just being standards-compliant.

If you say "security levels are a better way to handle this" then why don't security levels require RC4?

--
Principal Security Engineer
Akamai Technologies, Cambridge MA
IM: rs...@jabber.me Twitter: RichSalz

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org