Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove RC4 cipher #50

Merged
merged 1 commit into from
Jul 4, 2016
Merged

Remove RC4 cipher #50

merged 1 commit into from
Jul 4, 2016

Conversation

jsyeo
Copy link
Contributor

@jsyeo jsyeo commented Apr 13, 2016

RC4 has insecure biases and both clients and servers should not be using it.

@jsyeo jsyeo mentioned this pull request Apr 13, 2016
Closed
@rhenium
Copy link
Member

rhenium commented Jun 1, 2016

It looks like Firefox 44 and Chrome 48 (both released in 2016-01) finally disabled RC4.

https://bugs.chromium.org/p/chromium/issues/detail?id=375342
https://blog.mozilla.org/security/2015/09/11/deprecating-the-rc4-cipher/

And more, OpenSSL 1.1.0 (to be released soon) will remove RC4 cipher suites from DEFAULT.

openssl/openssl@c84f7f4

Will merge unless there are objections.

@rhenium
Copy link
Member

rhenium commented Jul 3, 2016

@jsyeo Could you clarify the commit message so that people who don't read this page can understand what it does, and the background?

This removes RC4 cipher suites from SSLContext::DEFAULT_PARAMS, but it doesn't prohibit specifying explicitly, or using RC4 with OpenSSL::Cipher.

then, I'll merge. Thank you!

@jsyeo
Remove RC4 cipher suites from SSLContext::DEFAULT_PARAMS
cb3b838 
This commit removes insecure RC4 ciper suites [1] from being used by
default. If needed, users can still specify the usage of it by
specifying it explicitly.

[1]: https://tools.ietf.org/html/rfc7465
@jsyeo
Copy link
Contributor Author

jsyeo commented Jul 4, 2016

@rhenium amended. 😉

@rhenium rhenium merged commit 23a6b70 into ruby:master Jul 4, 2016
@rhenium
Copy link
Member

rhenium commented Jul 4, 2016

Merged, thanks!

@jsyeo jsyeo deleted the jsyeo-remove-rc4 branch July 13, 2016 07:34
@mirogta mirogta mentioned this pull request Sep 14, 2017
Closed
dncrht added a commit to simplybusiness/devise_ldap_authenticatable that referenced this pull request Oct 23, 2017
@dncrht
SimplyBusiness' LDAP works on RC4 cipher
64ccf0f 
Our LDAP server runs on Win2003 and only supports RC4 cipher.
We only care whether we use SSL or not. On SSL enabled, encryption
is set to simple_tls and the supported ciphers are set.

Ruby's 2.4 openssl gem has removed RC4 from its default params, however
doesn't disallow its usage. See: ruby/openssl#50
@dncrht dncrht mentioned this pull request Oct 23, 2017
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@jsyeo @rhenium