
Remove RC4 cipher #50

Merged (1 commit), Jul 4, 2016

Conversation

jsyeo
Contributor

@jsyeo jsyeo commented Apr 13, 2016

RC4 has insecure biases and both clients and servers should not be using it.

@rhenium
Member

rhenium commented Jun 1, 2016

It looks like Firefox 44 and Chrome 48 (both released in 2016-01) finally disabled RC4.

https://bugs.chromium.org/p/chromium/issues/detail?id=375342
https://blog.mozilla.org/security/2015/09/11/deprecating-the-rc4-cipher/

And more, OpenSSL 1.1.0 (to be released soon) will remove RC4 cipher suites from DEFAULT.

openssl/openssl@c84f7f4

Will merge unless there are objections.

@rhenium
Member

rhenium commented Jul 3, 2016

@jsyeo Could you clarify the commit message so that people who don't read this page can understand what it does, and the background?

This removes RC4 cipher suites from SSLContext::DEFAULT_PARAMS, but it doesn't prohibit specifying explicitly, or using RC4 with OpenSSL::Cipher.

Then I'll merge. Thank you!

This commit removes insecure RC4 cipher suites [1] from being used by
default. If needed, users can still specify the usage of it by
specifying it explicitly.

[1]: https://tools.ietf.org/html/rfc7465
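
Checking this from the operator's side, as an added example that is not code from the ruby/openssl project (the constants HAVE_OPENSSL and SAMPLE_CIPHERS and both functions are mine, and the sample cipher tuples are constructed): it flags RC4 suites in a ciphers list, then compares a context built from DEFAULT_PARAMS with one that opts back into RC4 explicitly, which is the distinction rhenium's comment and the commit message draw.

```ruby
# Added audit helper for the behaviour discussed in this PR; not code from
# the ruby/openssl project. The pure check is testable on a constructed
# list; the live probe looks at real SSLContext objects.
begin
  require "openssl"
  HAVE_OPENSSL = true
rescue LoadError
  HAVE_OPENSSL = false # openssl extension missing: live probe returns nil
end

# Constructed sample in the shape SSLContext#ciphers returns:
# [name, protocol_version, key_bits, alg_bits]. Versions are illustrative.
SAMPLE_CIPHERS = [
  ["ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2", 128, 128],
  ["ECDHE-RSA-RC4-SHA", "TLSv1.0", 128, 128],
  ["AES256-SHA", "TLSv1.0", 256, 256],
  ["RC4-SHA", "TLSv1.0", 128, 128],
].freeze

# Names of the suites in a SSLContext#ciphers-style list that use RC4.
def rc4_suites(cipher_list)
  cipher_list.map(&:first).select { |name| name.include?("RC4") }
end

# Contrasts a context built from DEFAULT_PARAMS (what this PR changes) with
# one that opts back into RC4 explicitly (which the PR leaves possible).
# Returns { default: [...], explicit: [...] }, or nil without openssl.
def live_rc4_audit
  return nil unless HAVE_OPENSSL

  default_ctx = OpenSSL::SSL::SSLContext.new
  default_ctx.set_params # merges SSLContext::DEFAULT_PARAMS

  explicit_ctx = OpenSSL::SSL::SSLContext.new
  explicit = begin
    explicit_ctx.ciphers = "RC4-SHA:RC4-MD5"
    rc4_suites(explicit_ctx.ciphers)
  rescue OpenSSL::SSL::SSLError
    [] # OpenSSL built without RC4: nothing matches, nothing to negotiate
  end

  { default: rc4_suites(default_ctx.ciphers), explicit: explicit }
end

if __FILE__ == $PROGRAM_NAME
  p rc4_suites(SAMPLE_CIPHERS)
  p live_rc4_audit
end
```

Whether `:explicit` comes back empty depends on the OpenSSL build: a library compiled without weak ciphers rejects the cipher string outright, so explicit opt-in only succeeds where RC4 is still present in libssl.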
@jsyeo
Contributor Author

jsyeo commented Jul 4, 2016

@rhenium amended. 😉

@rhenium rhenium merged commit 23a6b70 into ruby:master Jul 4, 2016
@rhenium
Member

rhenium commented Jul 4, 2016

Merged, thanks!

@jsyeo jsyeo deleted the jsyeo-remove-rc4 branch July 13, 2016 07:34
dncrht added a commit to simplybusiness/devise_ldap_authenticatable that referenced this pull request Oct 23, 2017
Our LDAP server runs on Win2003 and only supports RC4 cipher.
We only care whether we use SSL or not. On SSL enabled, encryption
is set to simple_tls and the supported ciphers are set.

Ruby's 2.4 openssl gem has removed RC4 from its default params, however
it doesn't disallow its usage. See: ruby/openssl#50