SSL ciphers, disable or not to disable RC4?

Jeffrey Walton noloader at gmail.com
Thu Jan 9 10:04:29 UTC 2014


On Thu, Jan 9, 2014 at 4:53 AM, Lukas Tribus <luky-37 at hotmail.com> wrote:
>> My current values in my nginx configuration for ssl_protocols/ciphers
>> what i use is this:
>>
>> ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
>> ssl_ciphers RC4:HIGH:!aNULL:!MD5;
>> ssl_prefer_server_ciphers on;
>>
>> What are today's recommendations for the ssl_ciphers option for supporting
>> all current OSes and browsers, even Windows XP users with IE?
>> Can I disable RC4?
>
> Personally, I'm following Mozilla's deployment recommendations:
> https://wiki.mozilla.org/Security/Server_Side_TLS

Mozilla claims RC4 is "High Grade" encryption even though it has
serious vulnerabilities when used in TLS
(https://bugzilla.mozilla.org/show_bug.cgi?id=947149). They remove
3-key TDEA with 112 bits of security (which is currently approved by
ECRYPT, ISO/IEC, NIST, and NESSIE).

Related, their browser claims plain text HTTP is good (no user
warnings), and HTTPS with a self-signed certificate is bad (big red flags for
opportunistic encryption). When did plain text become better than
cipher text? And they also rewarded Trustwave's bad behavior way back
when (https://bugzilla.mozilla.org/show_bug.cgi?id=724929).

I'm not sure I would follow Mozilla's lead.

Jeff
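Editor's added example (not part of the thread, and not Mozilla's or nginx's own recommendation): the original poster's settings put RC4 at the front of the list and still allow SSLv3. The fragment below shows the same server block with SSLv3 dropped and RC4 excluded outright, while leaving 3DES (DES-CBC3-SHA) available for IE on Windows XP, which is the trade-off Jeff's reply is arguing about. The server_name and certificate paths are placeholders.

```nginx
# Constructed example, not taken from the mailing list post.
# For comparison, the poster's original values were:
#   ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
#   ssl_ciphers   RC4:HIGH:!aNULL:!MD5;

server {
    listen 443 ssl;
    server_name example.com;                           # placeholder

    ssl_certificate     /etc/nginx/ssl/example.com.crt;  # placeholder path
    ssl_certificate_key /etc/nginx/ssl/example.com.key;  # placeholder path

    # SSLv3 is removed; TLS 1.0 stays because IE on Windows XP has nothing newer.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # "!RC4" removes every RC4 suite instead of preferring them.
    # No explicit 3DES entry is needed as long as the OpenSSL that nginx is
    # linked against still classes DES-CBC3-SHA as HIGH (verify, see below).
    ssl_ciphers HIGH:!aNULL:!MD5:!RC4;

    # Server-side ordering, so a client cannot steer negotiation toward the
    # weakest suite it happens to list first.
    ssl_prefer_server_ciphers on;
}
```

Before reloading, check the expansion against the OpenSSL build nginx actually uses: `openssl ciphers -v 'HIGH:!aNULL:!MD5:!RC4'` should list no RC4 suite and should still show DES-CBC3-SHA if XP/IE clients must keep working. If DES-CBC3-SHA is missing from that output, the build has reclassified 3DES and it would have to be appended to the string explicitly, or the XP/IE requirement dropped.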


