On 2015-02-22 11:44:37 [+0100], Kurt Roeckx wrote:
> Even with RC4 enabled on both sides, it does provide something
> secure that doesn't use RC4 as long as you don't touch the
> defaults. And I've seen many applications that screw up the
> defaults.
As of openssl in experimental we don't
FYI OpenSSL 1.1.0, currently in alpha, final release planned April 2016,
removes RC4 from DEFAULT:
https://www.openssl.org/news/changelog.html
728504 is a dupe of this bug.
On Sat, 21 Feb 2015 10:49:21 +0100 Kurt Roeckx k...@roeckx.be wrote:
If you just change it to prefer the default server ordering you
should already have a decent list, but it prefers AES256 over
AES128 while there is no need for that.
AFAICT EFF disagrees:
On Thu, February 19, 2015 10:38, Florian Schlichting wrote:
Newly released RFC 7465 [0] describes RC4 as being on the verge of
becoming practically exploitable and consequently mandates that both
servers and clients MUST NOT offer or negotiate an RC4 cipher suite, and
indeed terminate the TLS
On Sun, Feb 22, 2015 at 01:49:16AM +0100, Florian Schlichting wrote:
On Fri, Feb 20, 2015 at 10:50:20PM +0100, Kurt Roeckx wrote:
On Fri, Feb 20, 2015 at 10:08:48PM +0100, Florian Schlichting wrote:
| RC4 3880.5871
| RC4 Only 3712 0.7918
With TLS it should be no problem to have those weak ciphers in the list
I don't agree with this.
Due to weak crypters available and programs (for example postfix) offering
them over TLS also cause problems.
Google for: postfix SSL_accept error from, for example.
This is mainly due
On Sun, Feb 22, 2015 at 08:45:40PM +0100, Louis van Belle wrote:
With TLS it should be no problem to have those weak ciphers in the list
I don't agree with this.
I'm not sure why you don't agree. Care to explain why you think
this is a problem?
Due to weak crypters available and programs (
On Fri, Feb 20, 2015 at 10:50:20PM +0100, Kurt Roeckx wrote:
On Fri, Feb 20, 2015 at 10:08:48PM +0100, Florian Schlichting wrote:
| RC4 3880.5871
| RC4 Only 3712 0.7918
| RC4 Preferred 64613 13.7832
| RC4 forced in
On Sat, Feb 21, 2015 at 08:52:59AM +0100, Vincent Bernat wrote:
❦ 20 February 2015 22:50 +0100, Kurt Roeckx k...@roeckx.be :
Please note that RC4 in the default configuration should never be
negotiated by modern clients and servers. The problem is
administrators who think they know
❦ 21 February 2015 10:49 +0100, Kurt Roeckx k...@roeckx.be :
Please note that RC4 in the default configuration should never be
negotiated by modern clients and servers. The problem is
administrators who think they know better changed something not to
use the defaults. If we adjust the
❦ 21 February 2015 13:29 +0100, Kurt Roeckx k...@roeckx.be :
The defaults are good enough, as long as you don't really care
about PFS because IE doesn't have those at the top of its list.
If you just change it to prefer the default server ordering you
should already have a decent list,
On Sat, Feb 21, 2015 at 05:27:42PM +0100, Vincent Bernat wrote:
❦ 21 February 2015 13:29 +0100, Kurt Roeckx k...@roeckx.be :
The defaults are good enough, as long as you don't really care
about PFS because IE doesn't have those at the top of its list.
If you just change it to prefer
On Sat, Feb 21, 2015 at 06:22:40PM +0100, Vincent Bernat wrote:
❦ 21 February 2015 17:50 +0100, Kurt Roeckx k...@roeckx.be :
Do you know what the minimum change requirements are to get an
A(+)?
I'm guessing it requires at least this in wheezy:
- SSLProtocol all -SSLv3
-
❦ 21 February 2015 17:50 +0100, Kurt Roeckx k...@roeckx.be :
Do you know what the minimum change requirements are to get an
A(+)?
I'm guessing it requires at least this in wheezy:
- SSLProtocol all -SSLv3
- SSLHonorCipherOrder off
It might require you to disable RC4, but if that's
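The checks this sub-thread is circling (SSLv3 gone, RC4 out of the offered list as RFC 7465 requires, the library's default ordering otherwise left alone) as an added example using Python's standard `ssl` module, which wraps the system OpenSSL. This is not code from the bug report, from Debian or from OpenSSL; the cipher-suite list is constructed for the example, and the TLS 1.2 floor in `hardened_context()` is an assumption, not something the thread asks for.

```python
"""Audit an OpenSSL-style cipher list for RC4 suites (RFC 7465) and build
a server context that keeps the DEFAULT ordering but excludes RC4.
Added example; not code from the Debian bug, Debian or OpenSSL."""
import ssl

# Constructed sample of what a mis-tuned server might offer.  The names
# are OpenSSL's own cipher-suite names; the mix is invented for the example.
CONSTRUCTED_CIPHER_LIST = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-RC4-SHA",
    "AES256-SHA",
    "RC4-MD5",
    "RC4-SHA",
    "DHE-RSA-AES128-SHA",
]


def rc4_suites(names):
    """Return the suite names that use RC4.  OpenSSL names are
    '-'-separated components, so match the whole component rather than
    a substring (avoids false hits on unrelated names)."""
    return [n for n in names if "RC4" in n.upper().split("-")]


def rfc7465_compliant(names):
    """RFC 7465: MUST NOT offer or negotiate RC4.  True iff none present."""
    return not rc4_suites(names)


def hardened_context():
    """Server-side context: no SSLv3 (TLS 1.2 floor is an assumption here),
    RC4 explicitly removed.  'DEFAULT:!RC4' keeps the library's default
    list and ordering, which is the thread's point that the defaults are
    already a decent list; '!aNULL:!eNULL' additionally drops suites
    with no authentication or no encryption."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("DEFAULT:!RC4:!aNULL:!eNULL")
    return ctx


def context_cipher_names(ctx):
    """Names of the suites a context would actually offer, as the library
    resolved them (this is what to audit, not the configured string)."""
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    bad = rc4_suites(CONSTRUCTED_CIPHER_LIST)
    print("RC4 suites in constructed list:", bad)
    offered = context_cipher_names(hardened_context())
    print("hardened context offers", len(offered), "suites;",
          "RFC 7465 compliant:", rfc7465_compliant(offered))
```

The point of auditing `get_ciphers()` rather than the cipher string is the one Kurt makes about administrators changing the defaults: what matters is the list OpenSSL resolves at runtime for the library it is linked against, not what the configuration file says.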
On Sat, Feb 21, 2015 at 12:38:01PM +0100, Vincent Bernat wrote:
❦ 21 February 2015 10:49 +0100, Kurt Roeckx k...@roeckx.be :
Please note that RC4 in the default configuration should never be
negotiated by modern clients and servers. The problem is
administrators who think they know
On Fri, Feb 20, 2015 at 06:25:44PM +0100, Kurt Roeckx wrote:
On Fri, Feb 20, 2015 at 06:10:59PM +0100, Florian Schlichting wrote:
What servers, and what clients are we talking about here?
You might want to look at those stats:
On Fri, Feb 20, 2015 at 10:08:48PM +0100, Florian Schlichting wrote:
On Fri, Feb 20, 2015 at 06:25:44PM +0100, Kurt Roeckx wrote:
On Fri, Feb 20, 2015 at 06:10:59PM +0100, Florian Schlichting wrote:
What servers, and what clients are we talking about here?
You might want to look at
Hi Kurt,
To protect our users and comply with adopted Internet standards, openssl
in Debian should no longer include RC4 ciphers in the DEFAULT list of
ciphers, neither in Jessie nor supported stable / oldstable releases.
I fully support that RFC. However I don't think it's a good idea
On Fri, Feb 20, 2015 at 06:10:59PM +0100, Florian Schlichting wrote:
Hi Kurt,
To protect our users and comply with adopted Internet standards, openssl
in Debian should no longer include RC4 ciphers in the DEFAULT list of
ciphers, neither in Jessie nor supported stable / oldstable
❦ 20 February 2015 22:50 +0100, Kurt Roeckx k...@roeckx.be :
Please note that RC4 in the default configuration should never be
negotiated by modern clients and servers. The problem is
administrators who think they know better changed something not to
use the defaults. If we adjust the
On Thu, Feb 19, 2015 at 10:38:14AM +0100, Florian Schlichting wrote:
Package: openssl
Version: 1.0.1e-2+deb7u14
Severity: serious
Tags: security
Newly released RFC 7465 [0] describes RC4 as being on the verge of
becoming practically exploitable and consequently mandates that both
servers
Package: openssl
Version: 1.0.1e-2+deb7u14
Severity: serious
Tags: security
Newly released RFC 7465 [0] describes RC4 as being on the verge of
becoming practically exploitable and consequently mandates that both
servers and clients MUST NOT offer or negotiate an RC4 cipher suite, and
indeed