id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
464	ngx_http_ssl_module and ssl_ciphers (use of RC4)	Jeffrey Walton		"From http://nginx.org/en/docs/http/ngx_http_ssl_module.html:


{{{
Specifies the enabled ciphers. The ciphers are specified in the format understood
by the OpenSSL library, for example:

    ssl_ciphers ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;

The full list can be viewed using the “openssl ciphers” command.
}}}

RC4 is not really suitable for use in SSL/TLS. From AlFardan, Bernstein (et al), ""On the Security of RC4 in TLS and WPA"":

{{{
    ... While the RC4 algorithm is known to have a
    variety of cryptographic weaknesses (see [26]
    for an excellent survey), it has not been previously
    explored how these weaknesses can be exploited
    in the context of TLS. Here we show that new and
    recently discovered biases in the RC4 keystream
    do create serious vulnerabilities in TLS when using
    RC4 as its encryption algorithm.
}}}"	defect	closed	major		nginx-core		invalid	openssl rc4 ssl tls		"$ uname -a
Darwin riemann.home.pvt 12.5.0 Darwin Kernel Version 12.5.0: Sun Sep 29 13:33:47 PDT 2013; root:xnu-2050.48.12~1/RELEASE_X86_64 x86_64 "	"$ objs/nginx -V
nginx version: nginx/1.4.4
configure arguments:"