Viktor Dukhovni:
> On Sun, Jul 19, 2015 at 10:41:43AM +0200, DTNX Postmaster wrote:
>
> [ Additional data points would be useful, please don't be shy.
>   Is anyone who's had to make adjustments to their cipherlist
>   settings to ensure that RC4 is in the first 64 slots for
>   Exchange 2003 servers, finding that they no longer need to
>   do that? ]
>
> > > So, if you have any data on long-term trends in RC4 use, especially
> > > from a site with a high volume of traffic (1 million messages per
> > > day or more), please post your findings. Is RC4 disappearing from
> > > SMTP TLS, or continuing to be used by laggards resistant to change?
> >
> > We're below that volume threshold, but have been deliberately tracking
> > cipher usage for quite some time now. Usage of 'RC4-SHA' and 'RC4-MD5'
> > has been down to no more than a handful per day for a good while, where
> > days without any RC4 at all aren't rare.
>
> Any estimate of the volume of TLS traffic overall that you can
> share?

More relevant, at least for me, is not popularity, but what kind
of implementations still require RC4. I expect (hope) that the vast
majority is not Internet-facing, so you will never see them unless
your network is large enough that it has systems that need to be
kept alive but cannot be updated.

Legacy systems do count; for example even if WinXP/2003 are out of
support, there are organizations that actually pay for continued
support.

Even if RC4 is no longer enabled by default, we should not make it
more cumbersome than setting one parameter to get it back.

	Wietse
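
An added example, not part of the original thread: one way to collect the data points discussed above, counting RC4 sessions per day and listing which peers still negotiate RC4. It assumes Postfix's "TLS connection established" log lines (smtpd_tls_loglevel / smtp_tls_loglevel of 1 or higher); the hostnames, addresses and log lines are constructed.

```python
import re
from collections import Counter, defaultdict

# One line per TLS session, inbound (smtpd, "from") or outbound (smtp, "to").
TLS_LINE = re.compile(
    r"^(?P<day>\w{3}\s+\d+)\s.*?postfix/(?P<svc>smtpd?)\[\d+\]: "
    r"\w+ TLS connection established (?:from|to) "
    r"(?P<peer>\S+?\[[^\]]+\])(?::\d+)?: "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+)"
)

def rc4_report(lines):
    """Return (per_day, rc4_peers).

    per_day maps day -> [tls_sessions, rc4_sessions];
    rc4_peers counts RC4 sessions per (direction, peer).
    """
    per_day = defaultdict(lambda: [0, 0])
    rc4_peers = Counter()
    for line in lines:
        m = TLS_LINE.match(line)
        if not m:
            continue  # not a TLS session line
        day = " ".join(m["day"].split())  # normalise "Jul  9" -> "Jul 9"
        per_day[day][0] += 1
        # Matches RC4-SHA, RC4-MD5 and variants such as ECDHE-RSA-RC4-SHA.
        if "RC4" in m["cipher"].split("-"):
            per_day[day][1] += 1
            direction = "in" if m["svc"] == "smtpd" else "out"
            rc4_peers[(direction, m["peer"])] += 1
    return dict(per_day), rc4_peers

# Constructed sample input, not taken from any real server.
SAMPLE = [
    "Jul 18 08:01:10 mx1 postfix/smtpd[2101]: Anonymous TLS connection established from mail.example.org[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "Jul 18 08:04:55 mx1 postfix/smtpd[2104]: Anonymous TLS connection established from legacy.example.com[192.0.2.25]: TLSv1 with cipher RC4-SHA (128/128 bits)",
    "Jul 19 09:12:40 mx1 postfix/smtpd[2207]: Anonymous TLS connection established from legacy.example.com[192.0.2.25]: TLSv1 with cipher RC4-MD5 (128/128 bits)",
    "Jul 19 09:13:01 mx1 postfix/smtp[2209]: Untrusted TLS connection established to mx.example.net[198.51.100.7]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)",
    "Jul 19 09:15:02 mx1 postfix/smtpd[2210]: connect from unknown[203.0.113.5]",
    "Jul 19 09:20:33 mx1 postfix/smtp[2215]: Untrusted TLS connection established to old.example.net[198.51.100.9]:25: TLSv1 with cipher RC4-SHA (128/128 bits)",
]

if __name__ == "__main__":
    per_day, peers = rc4_report(SAMPLE)
    for day, (total, rc4) in per_day.items():
        print(f"{day}: {rc4}/{total} TLS sessions used RC4")
    for (direction, peer), n in peers.most_common():
        print(f"{direction:3} {peer}: {n} RC4 session(s)")
```

The per-peer list is the part that speaks to which implementations still require RC4; the per-day totals give the trend.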