
RC4 Safe vs RC4 Broken in TLS

Question asked by s holloway on Jun 10, 2014
Latest reply on Jun 15, 2014 by s holloway

Hello Everyone,

Hope this is in the right area.

I am trying to learn the ropes regarding SSL tuning and security.

So far so good - I have disabled SSL2, started to enforce more secure protocols and have started some further testing.

I am now a little confused with regard to RC4.

There is this post: http://blog.ivanristic.com/2009/08/is-rc4-safe-for-use-in-ssl.html from 2009 and that suggests RC4 is still OK

and this post: The specified item was not found. from 2013 that suggests not to use RC4 if you are using TLS (which I am moving towards).

I have signed up for the OpenSSL Cookbook (Thanks Ivan!!) but haven't started reading yet.

On to the point of all this.

Currently my server only supports TLS 1.0 (an upgrade is planned).

I realise that Cipher suite use is a trade-off with performance and the clients that you need to support, but I am having a hard time finding a concise list of preferred Cipher suites to use.

Does anyone have a good list of Cipher vs Supported clients vs Performance?

Any particular chapter in the Cookbook I should check for details?

As I have only a small client base and performance is not much of an issue at this stage, I am enforcing the strongest Ciphers I can; however, it would be good to have more details for future reference.

Happy to do (much) more reading, but as there appears to be so much (mis)information out there, I was hoping someone could point me in the right direction.

Regards.
