> For what it's worth, I'm with Victor on this. RC4 as cipher of last resort in
> the default set is better than not having it there at all.

Take it up with the IETF, which has two working groups advocating against it.
UTA (use of TLS in applications) and the TLS group itself:

https://tools.ietf.org/html/draft-ietf-uta-tls-bcp-02
        Implementations MUST NOT negotiate RC4 cipher suites
https://tools.ietf.org/html/draft-ietf-tls-prohibiting-rc4-00 
        As a result, RC4 can no longer be seen as providing a sufficient level
        of security for TLS sessions.

"To improve security, raise the ceiling."  An equal number of experienced 
people are equally firm that the only way to raise the standard of practice is 
to remove bad ciphers.

--  
Principal Security Engineer
Akamai Technologies, Cambridge MA
IM: rs...@jabber.me Twitter: RichSalz
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
