SSL ciphers, disable or not to disable RC4?
noloader at gmail.com
Thu Jan 9 10:04:31 UTC 2014
On Thu, Jan 9, 2014 at 4:53 AM, Lukas Tribus <luky-37 at hotmail.com> wrote:
>> My current values in my nginx configuration for ssl_protocols/ciphers
>> what i use is this:
>> ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
>> ssl_ciphers RC4:HIGH:!aNULL:!MD5;
>> ssl_prefer_server_ciphers on;
>> What are todays recommendations for ssl_ciphers option for supporting
>> all current OSes and browsers, even Windows XP users with IE?
>> Can i disable RC4?
> Personally, I'm following Mozilla's deployment recommendations:
Mozilla claims RC4 is "High Grade" encryption even though it has
serious vulnerabilities when used in TLS
(https://bugzilla.mozilla.org/show_bug.cgi?id=947149). They remove
3-key TDEA with 112-bits of security (which is currently approved by
ECRYPT, ISO/IEC, NIST, and NESSIE).
Related, their browser claims plain text HTTP is good (no user
warnings), and HTTPS with a self-signed certificate is bad (big red flags for
opportunistic encryption). When did plain text become better than
cipher text? And they also rewarded Trustwave's bad behavior way back
I'm not sure I would follow Mozilla's lead.
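An added example, not code from the thread or from nginx: nginx hands ssl_ciphers to OpenSSL's SSL_CTX_set_cipher_list(), and Python's ssl.SSLContext.set_ciphers() calls the same function, so the script below expands the poster's string exactly as the local OpenSSL build would for nginx and flags RC4, MD5, NULL, export and single-DES suites. The HARDENED_CIPHERS string is my own suggestion, not something from the thread: forward-secret AEAD suites first, CBC suites for older clients, and DES-CBC3-SHA at the tail because Windows XP's Schannel has no AES suites, so an XP/IE client can only fall back to 3DES once RC4 is gone. The marker list and helper names are likewise assumptions made for this example.

```python
"""Expand nginx ssl_ciphers strings with the local OpenSSL and flag weak suites.

Example code written for this thread; uses only the standard ssl module.
"""
import ssl

# The original poster's string, copied from the message above.
ORIGINAL_CIPHERS = "RC4:HIGH:!aNULL:!MD5"

# Replacement string (an assumption made for this example, not from the thread):
# forward-secret AEAD suites first, then CBC suites for older clients, and
# DES-CBC3-SHA last so Windows XP/IE (no AES in Schannel) can still connect
# without RC4.  The trailing "!..." entries make the exclusions explicit.
HARDENED_CIPHERS = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:"
    "AES128-SHA:AES256-SHA:DES-CBC3-SHA:"
    "!aNULL:!eNULL:!EXPORT:!MD5:!RC4"
)

# Substrings of OpenSSL cipher names that mark a suite as unacceptable here:
# RC4, MD5-based MACs, NULL encryption/authentication, export grades, single DES.
# (Chosen for this example; "DES-CBC-" deliberately does not match DES-CBC3-SHA.)
WEAK_MARKERS = ("RC4", "MD5", "NULL", "EXP", "DES-CBC-")


def expand(cipher_string):
    """Return the ordered cipher names OpenSSL derives from cipher_string.

    Raises ssl.SSLError if nothing matches, which is the same failure nginx
    reports at startup for an unusable ssl_ciphers value.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]


def weak_ciphers(cipher_string):
    """Names in the expanded list that match one of WEAK_MARKERS."""
    return [n for n in expand(cipher_string)
            if any(m in n for m in WEAK_MARKERS)]


def first_tls12(cipher_string):
    """First TLS 1.2-or-below suite in the server's order.

    With ssl_prefer_server_ciphers on, this is what a client that supports
    everything negotiates.  OpenSSL 1.1.1+ lists its fixed TLS 1.3 suites
    (names starting with "TLS_") ahead of the configurable ones, so skip them.
    """
    for name in expand(cipher_string):
        if not name.startswith("TLS_"):
            return name
    return None


def rc4_available():
    """True if this OpenSSL build offers RC4 suites at all (OpenSSL 1.1.0+
    compiles them out unless built with enable-weak-ssl-ciphers)."""
    try:
        return any("RC4" in n for n in expand("RC4"))
    except ssl.SSLError:
        return False


if __name__ == "__main__":
    print("RC4 available in this OpenSSL build:", rc4_available())
    for label, cs in (("original", ORIGINAL_CIPHERS),
                      ("hardened", HARDENED_CIPHERS)):
        names = expand(cs)
        print(f"\n{label}: {len(names)} suites, "
              f"first TLS<=1.2 suite: {first_tls12(cs)}")
        print("  weak:", weak_ciphers(cs) or "none")
```

Because RC4 is listed first in the poster's string, a build that still ships RC4 will make it the preferred suite for every TLS 1.2-and-below client when ssl_prefer_server_ciphers is on; on a build where RC4 is compiled out the "RC4:" prefix silently matches nothing, which is why the hardened string names its preferred suites explicitly instead of leaning on keywords like HIGH.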