On 19 Jul 2015, at 20:26, Wietse Venema <wie...@porcupine.org> wrote:
> Viktor Dukhovni:
>> On Sun, Jul 19, 2015 at 10:41:43AM +0200, DTNX Postmaster wrote:
>>
>> [ Additional data points would be useful, please don't be shy.
>> Is anyone who's had to make adjustments to their cipherlist
>> settings to ensure that RC4 is in the first 64 slots for
>> Exchange 2003 servers, finding that they no longer need to
>> do that? ]
>>
>>>> So, if you have any data on long-term trends in RC4 use, especially
>>>> from a site with a high volume of traffic (1 million messages per
>>>> day or more), please post your findings. Is RC4 disappearing from
>>>> SMTP TLS, or continuing to be used by laggards resistant to change?
>>>
>>> We're below that volume threshold, but have been deliberately tracking
>>> cipher usage for quite some time now. Usage of 'RC4-SHA' and 'RC4-MD5'
>>> has been down to no more than a handful per day for a good while, where
>>> days without any RC4 at all aren't rare.
>>
>> Any estimate of the volume of TLS traffic overall that you can
>> share?
>
> More relevant, at least for me, is not popularity, but what kind
> of implementations still require RC4. I expect (hope) that the vast
> majority is not Internet-facing, so you will never see them unless
> your network is large enough that it has systems that need to be
> kept alive but cannot be updated.
>
> Legacy systems do count; for example even if WinXP/2003 are out of
> support, there are organizations that actually pay for continued
> support. Even if RC4 is no longer enabled by default, we should not
> make it more cumbersome than setting one parameter to get it back.

For the organisations that pay for extended support, I suspect it's mostly for desktop support (XP), not for the server-side software. Upgrading an Exchange server within such organisations is a much easier job than replacing clients. Or they have outsourced their mail handling. I have yet to see Exchange on Windows 2003 for organisations that I know have an extended support contract for XP desktops.

I totally agree that it shouldn't be hard to deal with legacy systems if necessary, but I doubt that Exchange on Server 2003 will (continue to) be a major concern for paid support customers.

Kind regards,
Joni
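The thread asks for data on how much RC4 is still negotiated in SMTP TLS, and which peers still need it. Below is an added example (not from the original post or from Postfix itself) of the kind of tally DTNX Postmaster describes: it parses the "TLS connection established" lines that Postfix smtpd (inbound) and smtp (outbound) write to the mail log, counts sessions per cipher, and lists the peers that negotiated an RC4 suite. The log lines embedded in it are constructed for illustration; the hostnames and addresses are documentation values, not real systems. It counts TLS sessions, not messages, because Postfix logs one such line per TLS connection.

```python
import re
from collections import Counter

# Postfix logs one line per established TLS session, in this shape (constructed
# examples follow the real format; smtp lines carry a ":port" after the peer):
#   postfix/smtpd[123]: Anonymous TLS connection established from host[ip]: TLSv1 with cipher RC4-SHA (128/128 bits)
#   postfix/smtp[456]: Untrusted TLS connection established to host[ip]:25: TLSv1.2 with cipher AES... (128/128 bits)
TLS_LINE = re.compile(
    r"postfix/(?P<daemon>smtpd?)\[\d+\]: "
    r"(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"(?P<direction>from|to) (?P<peer>[^\s:]+\[[^\]]+\])(?::\d+)?: "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+/\d+) bits\)"
)

# Constructed sample log: four AES sessions, two RC4 sessions (one inbound from a
# legacy host, one outbound to an Exchange-style relay), plus an unrelated delivery line.
SAMPLE_LOG = """\
Jul 19 10:41:43 mx1 postfix/smtpd[2011]: Anonymous TLS connection established from mail.example.net[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jul 19 10:42:01 mx1 postfix/smtpd[2012]: Anonymous TLS connection established from legacy.example.org[203.0.113.5]: TLSv1 with cipher RC4-SHA (128/128 bits)
Jul 19 10:42:05 mx1 postfix/smtp[2013]: Untrusted TLS connection established to mx.example.com[198.51.100.7]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Jul 19 10:43:17 mx1 postfix/smtp[2014]: Untrusted TLS connection established to exch.example.org[203.0.113.9]:25: TLSv1 with cipher RC4-MD5 (128/128 bits)
Jul 19 10:43:18 mx1 postfix/smtp[2014]: A1B2C3D4E5: to=<user@example.org>, relay=exch.example.org[203.0.113.9]:25, delay=0.4, delays=0.1/0/0.2/0.1, dsn=2.0.0, status=sent (250 2.0.0 OK)
Jul 19 10:44:00 mx1 postfix/smtpd[2015]: Anonymous TLS connection established from mail.example.net[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
"""


def parse_tls_line(line):
    """Return the fields of a Postfix TLS session line, or None for any other line."""
    m = TLS_LINE.search(line)
    return m.groupdict() if m else None


def is_rc4(cipher):
    """True for any OpenSSL suite name built on RC4 (RC4-SHA, RC4-MD5, ECDHE-RSA-RC4-SHA, ...)."""
    return "RC4" in cipher.upper()


def summarize(log_text):
    """Tally TLS sessions per cipher and isolate the peers that still negotiate RC4."""
    sessions = [s for s in map(parse_tls_line, log_text.splitlines()) if s]
    rc4 = [s for s in sessions if is_rc4(s["cipher"])]
    return {
        "tls_sessions": len(sessions),
        "rc4_sessions": len(rc4),
        # Share of TLS sessions on RC4; 0.0 rather than a division error on an empty log.
        "rc4_share": len(rc4) / len(sessions) if sessions else 0.0,
        "by_cipher": dict(Counter(s["cipher"] for s in sessions)),
        # (daemon, peer) pairs tell you whether RC4 is forced on you by an inbound
        # client (smtpd) or by a destination your own client must talk to (smtp).
        "rc4_peers": sorted({(s["daemon"], s["peer"]) for s in rc4}),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"TLS sessions: {report['tls_sessions']}, on RC4: {report['rc4_sessions']} "
          f"({report['rc4_share']:.0%})")
    for daemon, peer in report["rc4_peers"]:
        print(f"  {daemon}: {peer}")
```

Run daily over /var/log/mail.log (or the journal) and kept as a time series, the `rc4_sessions` figure is the trend the thread is asking for, and `rc4_peers` is the list you would check before deciding whether a cipherlist override is still needed.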