
IE/XP support - DES-CBC3-SHA vs RC4-SHA

Question asked by sjansen on Sep 20, 2013
Latest reply on Sep 24, 2013 by sjansen

Hi community!

First of all, thanks for this great web site and tools, good stuff.

I just want to get your opinion on what is the best choice if one wants to support IE on XP.

In Ivan's blog post (section Configuring OpenSSL without RC4), he proposed to configure the server to allow RC4 as a last resort only by adding "+RC4 RC4" to the end of the configuration string.

http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html

Doesn't it make more sense to remove RC4 completely and to allow DES-CBC3-SHA for IE/XP as last resort?

Like this:

EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:-3DES:DES-CBC3-SHA:+DES-CBC3-SHA

What is the advantage of using RC4?

I clearly prefer security over performance and I don't consider BEAST as a threat here, so I think in this case DES-CBC3-SHA is the better choice, or is this one broken as well?

Cheers,

Stephan
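
One way to check what the proposed string selects on a given server build, as an added example that is not part of the original post: it expands the string with Python's ssl module (which uses the local OpenSSL) and checks that no RC4 suite remains and that DES-CBC3-SHA, if the build offers it, is last in preference order. The helper names `expand` and `audit` are made up for this example.

```python
import ssl

# Cipher string proposed in the post above (copied verbatim).
PROPOSED = (
    "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:"
    "EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:"
    "!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:-3DES:"
    "DES-CBC3-SHA:+DES-CBC3-SHA"
)


def expand(cipher_string):
    """Return suite names, in preference order, that the local OpenSSL
    build selects for cipher_string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()]


def audit(names):
    """Check the properties the post cares about: RC4 gone, only the single
    3DES fallback left, and that fallback last in the list."""
    has_fallback = "DES-CBC3-SHA" in names
    return {
        "rc4_suites": [n for n in names if "RC4" in n],
        "other_3des": [n for n in names
                       if "DES-CBC3" in n and n != "DES-CBC3-SHA"],
        "fallback_available": has_fallback,
        "fallback_is_last": has_fallback and names[-1] == "DES-CBC3-SHA",
    }


if __name__ == "__main__":
    names = expand(PROPOSED)
    for position, name in enumerate(names, 1):
        print(f"{position:2d}  {name}")
    print(audit(names))
```

OpenSSL builds that do not compile in 3DES suites report `fallback_available` as False, which means the string would leave IE on XP with no usable suite on that server.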
