> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf
> Of Viktor Dukhovni
> Sent: Tuesday, February 10, 2015 21:01
> To: openssl-dev at openssl.org; openssl-users at openssl.org
> Subject: Re: [openssl-users] [openssl-dev] Proposed cipher changes for
> post-1.0.2
>
> On Wed, Feb 11, 2015 at 12:22:44AM +0000, Salz, Rich wrote:
>
> > RC4 in LOW has a bit of pushback so far. My cover for it is that
> > the IETF says "don't use it." So I think saying "if you want it,
> > say so" is the way to go.
>
> By all means, don't use it, but it is not OpenSSL's choice to make
> by breaking the meaning of existing interfaces.
>
> If you put RC4 in LOW, one can no longer exclude LOW ciphers if
> one still needs RC4. Nobody uses single-DES, but enough peers
> still use (only) RC4 to make disabling of RC4 a choice best made
> by applications.

I agree with Viktor. His suggestion (keep RC4 in MEDIUM, suppress it explicitly in DEFAULT) is a good one that maintains important backward compatibility while providing the desired removal of RC4 by default. There's no advantage to moving RC4 to LOW.

--
Michael Wojcik
Technology Specialist, Micro Focus