SSL ciphers, disable or not to disable RC4?

Jeffrey Walton noloader at
Thu Jan 9 10:04:31 UTC 2014

On Thu, Jan 9, 2014 at 4:53 AM, Lukas Tribus <luky-37 at> wrote:
>> My current values in my nginx configuration for ssl_protocols/ciphers
>> what I use is this:
>> ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
>> ssl_ciphers RC4:HIGH:!aNULL:!MD5;
>> ssl_prefer_server_ciphers on;
>> What are today's recommendations for ssl_ciphers option for supporting
>> all current OSes and browsers, even Windows XP users with IE?
>> Can I disable RC4?
> Personally, I'm following Mozilla's deployment recommendations:

Mozilla claims RC4 is "High Grade" encryption even though it has
serious vulnerabilities when used in TLS
( They remove
3-key TDEA with 112-bits of security (which is currently approved by

Related, their browser claims plain text HTTP is good (no user
warnings), and HTTPS with a self-signed is bad (big red flags for
opportunistic encryption). When did plain text become better than
cipher text? And they also rewarded Trustwave's bad behavior way back
when (

I'm not sure I would follow Mozilla's lead.

