SEMI-OT: Prohibiting RC4 Cipher Suites
Patrick Ben Koetter
p at sys4.de
Fri Feb 20 19:54:01 CET 2015
* Stefan Neufeind <dane-users at stefan-neufeind.de>:
> On 02/20/2015 07:26 PM, Patrick Ben Koetter wrote:
> > A little off topic for DANE users, but somehow in scope. You might consider
> > disabling RC4 in your servers cipher suite. IETF released an RFC requiring
> >
> > (...) that Transport Layer Security (TLS) clients and servers never
> > negotiate the use of RC4 cipher suites when they establish connections.
> > This applies to all TLS versions. This document updates RFCs 5246, 4346,
> > and 2246.
> > -- Prohibiting RC4 Cipher Suites, https://tools.ietf.org/rfc/rfc7465.txt
>
> How about support (as a fallback) for older clients? How "safe" (no pun
> intended) is it to disable as of today?
There RFC states no fallback should be made:
If the TLS client only offers RC4 cipher suites, the TLS server MUST
terminate the handshake. The TLS server MAY send the insufficient_security
fatal alert in this case.
We've been running large (ISP) sites without RC4 and aNull for more than a
year without any trouble. Personally I wouldn't hesitate to disable both.
YMMV.
p at rick
--
[*] sys4 AG
https://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein
More information about the dane-users
mailing list