While no longer using RC4 might be a good idea, I'm not certain that OpenSSL should /force/ it as long as the cipher is still a valid choice.
This seems like a job for SSL_CTX_set_cipher_list (http://www.openssl.org/docs/ssl/SSL_CTX_set_cipher_list.html). A good server would be calling this anyway since (at least according to the docs at http://www.openssl.org/docs/apps/ciphers.html) the default cipher list is ALL:!aNULL:!eNULL. I could even conceive of turning of RC4 by default, but you should probably let people turn it back on if they have it in their cipher list. Patrick Watson -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Piotr Sikora Sent: Monday, February 03, 2014 5:45 PM To: [email protected] Subject: [PATCH] Disable RC4 for TLS v1.1+ (server-side). (this was originally sent to rt@, but it never made it through) Hello, considering that RC4 is pretty much broken by now, I don't think there is a good reason for using it in TLS v1.1+. Attached patch stops servers from negotiating RC4-based cipher suites on connections using TLS v1.1+. This is mostly RFC and not something ready to be committed, because users should (or maybe not?) be able to tweak this via SSL{,_CTX}_set_options(). However, it seems that all the option values are already taken and I'm not in the position to decide if this is more important than any of the existing options. Best regards, Piotr Sikora ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [email protected] Automated List Manager [email protected]
