ngx_http_ssl_module and ssl_ciphers (use of RC4)
|Reported by:||Jeffrey Walton||Owned by:|
|Keywords:||openssl rc4 ssl tls||Cc:|
$ uname -a
Darwin riemann.home.pvt 12.5.0 Darwin Kernel Version 12.5.0: Sun Sep 29 13:33:47 PDT 2013; root:xnu-2050.48.12~1/RELEASE_X86_64 x86_64
$ objs/nginx -V
nginx version: nginx/1.4.4
Specifies the enabled ciphers. The ciphers are specified in the format understood by the OpenSSL library, for example: ssl_ciphers ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP; The full list can be viewed using the “openssl ciphers” command.
RC4 is not really suitable for use in SSL/TLS. From AlFardan, Bernstein (et al), "On the Security of RC4 in TLS and WPA":
... While the RC4 algorithm is known to have a variety of cryptographic weaknesses (see  for an excellent survey), it has not been previously explored how these weaknesses can be exploited in the context of TLS. Here we show that new and recently discovered biases in the RC4 keystream do create serious vulnerabilities in TLS when using RC4 as its encryption algorithm.
Change History (2)
Note: See TracTickets for help on using tickets.