SEMI-OT: Prohibiting RC4 Cipher Suites

Patrick Ben Koetter p at
Fri Feb 20 19:54:01 CET 2015

* Stefan Neufeind <dane-users at>:
> On 02/20/2015 07:26 PM, Patrick Ben Koetter wrote:
> > A little off topic for DANE users, but somehow in scope. You might consider
> > disabling RC4 in your servers cipher suite. IETF released an RFC requiring
> > 
> >    (...) that Transport Layer Security (TLS) clients and servers never
> >    negotiate the use of RC4 cipher suites when they establish connections.
> >    This applies to all TLS versions.  This document updates RFCs 5246, 4346,
> >    and 2246.
> >    -- Prohibiting RC4 Cipher Suites,
> How about support (as a fallback) for older clients? How "safe" (no pun
> intended) is it to disable as of today?

There RFC states no fallback should be made:

    If the TLS client only offers RC4 cipher suites, the TLS server MUST
    terminate the handshake. The TLS server MAY send the insufficient_security
    fatal alert in this case.

We've been running large (ISP) sites without RC4 and aNull for more than a
year without any trouble. Personally I wouldn't hesitate to disable both.

p at rick

[*] sys4 AG, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein

More information about the dane-users mailing list