On Sun, Jul 19, 2015 at 09:24:15PM +0200, DTNX Postmaster wrote:

> * TLSV1 Cipher Suites:
>     Preferred:
>       RC4-MD5 128 bits
>     Accepted:
>       RC4-SHA 128 bits
>       RC4-MD5 128 bits
>       DES-CBC3-SHA 112 bits
>       DES-CBC-SHA 56 bits
>       EXP-RC4-MD5 40 bits
>       EXP-RC2-CBC-MD5 40 bits
> ==
>
> Out of those four, only one is more than one connection over those 90
> days. That one is in active use, a client for an important customer, and
> it looks like it'll do 'DES-CBC3-SHA' just fine if we disable RC4 for
> outgoing mail.

Sadly, in the same product the DES-CBC3-SHA implementation is broken.
Once RC4 goes, you'll see post-handshake TLS failures.

> The other seven now have better defaults (one jumped to TLSv1.2 with cipher
> ECDHE-RSA-AES256-SHA384) or will negotiate an AES cipher of some kind if
> RC4 is disabled.

Overall though, if similar attrition is happening elsewhere, perhaps
no RC4 in 2016 is somewhat realistic...

> I suspect that the change to 'LOW' would not even be a blip on the radar
> for most deployments. Push that through, and add a note to the README,

Thanks for the feedback.

> YMMV, etcetera ... moar dataz plz!

Indeed it would be nice to have numbers from more sources.

-- 
	Viktor.
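
Added example, not part of the original thread: one way to gather the per-destination numbers discussed above is to tally the ciphers negotiated by the Postfix SMTP client from its logs. It assumes `smtp_tls_loglevel = 1` so that "TLS connection established to" lines are logged; the sample lines, host names and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the format the Postfix SMTP client logs with
# smtp_tls_loglevel = 1; host names and addresses are made up.
SAMPLE_LOG = """\
Jul  1 10:00:01 mx postfix/smtp[2101]: Untrusted TLS connection established to mail.a.example[192.0.2.10]:25: TLSv1 with cipher RC4-MD5 (128/128 bits)
Jul  2 11:30:12 mx postfix/smtp[2250]: Untrusted TLS connection established to mail.a.example[192.0.2.10]:25: TLSv1 with cipher RC4-MD5 (128/128 bits)
Jul  3 08:15:40 mx postfix/smtp[2310]: Anonymous TLS connection established to mx.b.example[198.51.100.7]:25: TLSv1 with cipher RC4-SHA (128/128 bits)
Jul  4 09:00:00 mx postfix/smtp[2400]: Trusted TLS connection established to mx.c.example[203.0.113.5]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
Jul  5 12:00:00 mx postfix/smtp[2500]: Untrusted TLS connection established to mx.d.example[203.0.113.9]:25: TLSv1 with cipher RC4-SHA (128/128 bits)
Jul  9 12:00:00 mx postfix/smtp[2600]: Untrusted TLS connection established to mx.d.example[203.0.113.9]:25: TLSv1 with cipher AES128-SHA (128/128 bits)
Jul  9 12:00:05 mx postfix/smtp[2600]: 3F2A11C0: to=<user@mx.d.example>, relay=mx.d.example[203.0.113.9]:25, status=sent (250 ok)
"""

TLS_LINE = re.compile(
    r"postfix/smtp\[\d+\]: \w+ TLS connection established to "
    r"(?P<host>[^\[\s]+)\[[^\]]+\]:\d+: "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+) \(")

def rc4_destinations(log_text):
    """Per-host counts of RC4 and non-RC4 sessions, for hosts that ever used RC4."""
    seen = defaultdict(lambda: {"rc4": 0, "other": 0})
    for line in log_text.splitlines():
        m = TLS_LINE.search(line)
        if m is None:
            continue  # delivery status and other non-handshake lines
        # Match RC4 as a whole name component: RC4-MD5, EXP-RC4-MD5, ECDHE-RSA-RC4-SHA
        kind = "rc4" if "RC4" in m.group("cipher").split("-") else "other"
        seen[m.group("host")][kind] += 1
    return {h: c for h, c in seen.items() if c["rc4"] > 0}

def repeat_rc4(log_text):
    """Hosts with more than one RC4 session: the ones likely in active use."""
    return sorted(h for h, c in rc4_destinations(log_text).items() if c["rc4"] > 1)

if __name__ == "__main__":
    for host, c in sorted(rc4_destinations(SAMPLE_LOG).items()):
        print(f"{host:20} rc4={c['rc4']} other={c['other']}")
    print("repeat RC4 peers:", repeat_rc4(SAMPLE_LOG))
```

The tally only shows what was negotiated; as noted in the reply above, a peer that also offers DES-CBC3-SHA may still fail after the handshake, so repeat RC4 peers need a live test before RC4 is disabled.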