id: 464
summary: ngx_http_ssl_module and ssl_ciphers (use of RC4)
reporter: Jeffrey Walton
owner:
description:

From http://nginx.org/en/docs/http/ngx_http_ssl_module.html:

{{{
Specifies the enabled ciphers. The ciphers are specified in the format understood by the OpenSSL library, for example:

    ssl_ciphers ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;

The full list can be viewed using the “openssl ciphers” command.
}}}

RC4 is not really suitable for use in SSL/TLS. From AlFardan, Bernstein (et al), "On the Security of RC4 in TLS and WPA":

{{{
... While the RC4 algorithm is known to have a variety of cryptographic weaknesses (see [26] for an excellent survey), it has not been previously explored how these weaknesses can be exploited in the context of TLS. Here we show that new and recently discovered biases in the RC4 keystream do create serious vulnerabilities in TLS when using RC4 as its encryption algorithm.
}}}

type: defect
status: closed
priority: major
milestone:
component: nginx-core
version:
resolution: invalid
keywords: openssl rc4 ssl tls
cc:
uname:

    $ uname -a
    Darwin riemann.home.pvt 12.5.0 Darwin Kernel Version 12.5.0: Sun Sep 29 13:33:47 PDT 2013; root:xnu-2050.48.12~1/RELEASE_X86_64 x86_64

nginx_version:

    $ objs/nginx -V
    nginx version: nginx/1.4.4
    configure arguments: