Declaring "RC4" LOW is not the right answer:

$ openssl ciphers -v 'LOW:@STRENGTH'
EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH Au=DSS Enc=DES(56) Mac=SHA1
ADH-DES-CBC-SHA SSLv3 Kx=DH Au=None Enc=DES(56) Mac=SHA1
DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
DES-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5

I've not seen a TLS connection established with one of these in
the last decade, and single DES is easily brute-forced with
off-the-shelf hardware.

Thus I'm not objecting to disabling by default "EXPORT" and "LOW"
because they at this point no longer used, and obviously much too
weak.

Though RC4 is considerably tarnished, the story is rather different,
since it is still widely used, and the attacks rather specialized.

I agree that applications and system administrators should take
measures to replace RC4 with safer choices whenever possible, but
I don't think that marking RC4 as LOW (many applications that use
RC4 disable LOW ciphers) is a positive development.

In OpenSSL there is no way to enable a cipher suite disabled with
"!blah". To enable RC4 while not allowing the remaining "LOW"
cipher suites, one would have to replace "!LOW" with the much less
obvious "!DES".

A lot of needless editing of cipherspecs which are error-prone in
the hands of non-experts. Far better to offer carrots not sticks
in the form of stronger alternatives, that are preferred by default,
and perform as well or better.
The IETF is sadly also prone to knee-jerk reactions. For example,
recent discussion of disabling session tickets, where for once
reason prevailed, but some folks are on a crusade to stamp out
crypto too weak for them and damn the unintended consequences.
We can discuss alternative approaches in a separate thread. Security
levels still need a bit of work.

Which is tantamount to disabling it, for any applications that:

- Link OpenSSL dynamically and don't set a non-default cipher suite list
- Are rebuilt with the new OpenSSL but aren't changed to set a non-default cipher suite list

You're talking about violating the Principle of Least Surprise, which is rarely a good idea.
Glossing "what's currently in an I-D" as "the current thinking of the IETF" is quite a stretch.

And UTA applies to *applications*, not to libraries.

And personally I think UTA is somewhat misguided, particularly in its excessive use of RFC 2119 conditional-compliance ("MUST") requirements in sections that the text refers to as "recommendations"; and I'm not convinced the authors have done a good job of considering the ramifications.

As for the PRC4 I-D: It too applies to applications; and unless OpenSSL is going to enforce the final requirement of part 2 ("the TLS server MUST terminate the handshake"), I can't see how you can claim your proposed change is "following" the I-D. Without that final requirement, the other two are potentially more dangerous than allowing RC4.
Which standard are we talking about? In your other message you cited to I-Ds, which are NOT standards.
--
Michael Wojcik
Technology Specialist, Micro Focus




This message has been scanned for malware by Websense. www.websense.com
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users-MCmKBN63+***@public.gmane.org
Automated List Manager majordomo-MCmKBN63+***@public.gmane.org