* Stefan Neufeind dane-users@stefan-neufeind.de:
On 02/20/2015 07:26 PM, Patrick Ben Koetter wrote:
A little off topic for DANE users, but somehow in scope. You might consider disabling RC4 in your server's cipher suite. IETF released an RFC requiring
(...) that Transport Layer Security (TLS) clients and servers never negotiate the use of RC4 cipher suites when they establish connections. This applies to all TLS versions. This document updates RFCs 5246, 4346, and 2246. -- Prohibiting RC4 Cipher Suites, https://tools.ietf.org/rfc/rfc7465.txt
How about support (as a fallback) for older clients? How "safe" (no pun intended) is it to disable as of today?
The RFC states no fallback should be made:
If the TLS client only offers RC4 cipher suites, the TLS server MUST terminate the handshake. The TLS server MAY send the insufficient_security fatal alert in this case.
We've been running large (ISP) sites without RC4 and aNull for more than a year without any trouble. Personally I wouldn't hesitate to disable both. YMMV.
p@rick
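Added example (not part of any message in this thread): the two things the exchange above turns on, in working Python. First, a server-side OpenSSL cipher string that drops RC4 and the anonymous (aNULL) suites, checked through the standard ssl module rather than by eye. Second, the server rule quoted from RFC 7465 applied to a parsed ClientHello: when every offered suite is RC4 the handshake is terminated, and the server may answer with the insufficient_security (71) fatal alert; otherwise the RC4 suites are simply dropped from what the server will negotiate. The ClientHello bytes are constructed here for the demo; the suite IDs come from the IANA TLS Cipher Suite registry, and the RC4 set below is the commonly seen subset, not the complete list.

```python
"""Added example, not code from the dane-users thread.

1. Verify an OpenSSL cipher string really excludes RC4 and aNULL.
2. Apply the RFC 7465 server rule to a (constructed) TLS ClientHello.
"""
import ssl
import struct
from typing import List, Optional, Tuple

# RC4 cipher suite IDs (IANA TLS Cipher Suite registry). Commonly seen
# subset; RFC 7465 applies to every suite whose bulk cipher is RC4.
RC4_SUITES = {
    0x0003, 0x0004, 0x0005, 0x0017, 0x0018,   # RSA / DH_anon (incl. export)
    0x0020, 0x0024, 0x0028, 0x002B,           # KRB5
    0x008A, 0x008E, 0x0092, 0xC033,           # PSK variants
    0xC002, 0xC007, 0xC00C, 0xC011, 0xC016,   # ECDH / ECDHE / ECDH_anon
}

# TLS alert record: type 21, version 3.3, length 2,
# level 2 (fatal), description 71 (insufficient_security).
INSUFFICIENT_SECURITY_ALERT = bytes([21, 3, 3, 0, 2, 2, 71])

# Server-side cipher string in the spirit of the post: no RC4, no aNULL.
SERVER_CIPHERS = "HIGH:!aNULL:!eNULL:!RC4"


def cipher_list_is_clean(cipher_string: str = SERVER_CIPHERS) -> bool:
    """True if no RC4 and no anonymous suite survives the cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    for c in ctx.get_ciphers():
        # OpenSSL describes anonymous suites as "Au=None".
        if "RC4" in c["name"] or "Au=None" in c["description"]:
            return False
    return True


def build_client_hello(suites: List[int], random_bytes: bytes = b"\x00" * 32) -> bytes:
    """Constructed TLS 1.2 ClientHello record offering the given suites."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hello = (b"\x03\x03" + random_bytes + b"\x00"       # version, random, empty session_id
             + struct.pack("!H", len(cs)) + cs
             + b"\x01\x00")                               # compression_methods: null only
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello_suites(record: bytes) -> List[int]:
    """Return the cipher suite IDs offered in a ClientHello record.

    Walks only up to cipher_suites; extensions are not needed here.
    """
    if len(record) < 5 or record[0] != 22:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 1:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or hs_len < 2 + 32 + 1:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                  # client_version + random
    sid_len = hello[pos]
    pos += 1 + sid_len
    if pos + 2 > len(hello):
        raise ValueError("truncated before cipher_suites")
    suites_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    if suites_len < 2 or suites_len % 2 or pos + suites_len > len(hello):
        raise ValueError("bad cipher_suites length")
    return [struct.unpack("!H", hello[i:i + 2])[0]
            for i in range(pos, pos + suites_len, 2)]


def rfc7465_server_decision(record: bytes) -> Tuple[bool, Optional[bytes], List[int]]:
    """(terminate, alert_to_send, suites_the_server_may_still_negotiate).

    RFC 7465: never select RC4; if the client offers only RC4, terminate
    the handshake, optionally with the insufficient_security fatal alert.
    """
    offered = parse_client_hello_suites(record)
    negotiable = [s for s in offered if s not in RC4_SUITES]
    if not negotiable:
        return True, INSUFFICIENT_SECURITY_ALERT, []
    return False, None, negotiable


if __name__ == "__main__":
    print("server cipher list clean:", cipher_list_is_clean())
    rc4_only = build_client_hello([0x0004, 0x0005, 0xC011])
    mixed = build_client_hello([0x0005, 0x002F, 0xC02F])
    print("RC4-only client:", rfc7465_server_decision(rc4_only))
    print("mixed client:   ", rfc7465_server_decision(mixed))
```

The interesting case for an operator is the second branch: a client that still lists RC4 alongside AES keeps working, which is why running without RC4 for a long time rarely produces complaints; only a client whose entire offer is RC4 is refused, and that is exactly the client the RFC says the server must not accommodate.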