crypto/tls: server accepts RC4 by default #10094
Last time I checked, RC4 is still included in server cipher suite
of nearly all major websites.
mikioh changed the title from "http TLS server accepts RC4" to "crypto/tls: server accepts RC4 by default" Mar 6, 2015
RC4 is prohibited by RFC 7465 and should not be used.
cc @agl
Cheers!
FiloSottile pushed a commit to FiloSottile/go that referenced this issue Oct 12, 2018
RC4 is frowned upon[1] at this point and major providers are disabling it by default[2].
Those who still need RC4 support in crypto/tls can enable it by specifying the CipherSuites slice in crypto/tls.Config explicitly.
Fixes golang#10094.
[1] https://tools.ietf.org/html/rfc7465
[2] https://blog.cloudflare.com/killing-rc4-the-long-goodbye/
Change-Id: Ia03a456f7e7a4362b706392b0e3c4cc93ce06f9f
Reviewed-on: https://go-review.googlesource.com/7647
Reviewed-by: Andrew Gerrand <adg@golang.org>
An SSL scan of my Go server with TLS enabled reports
This server accepts the RC4 cipher, which is weak. Grade capped to B.
I wonder if perhaps this one shouldn't be in the default set of cipher suites?
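An added example, not code from this issue or from the Go project: since the referenced commit leaves RC4 available only through an explicit CipherSuites slice in crypto/tls.Config, a server's configuration can be audited for that opt-in and filtered. The helper names and the sample slice are constructed for illustration.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// legacySuites is a constructed sample of the explicit opt-in the commit
// message describes: a CipherSuites slice that still lists RC4.
var legacySuites = []uint16{
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA,
	tls.TLS_RSA_WITH_RC4_128_SHA,
}

// rc4Suites returns the names of any RC4 suites present in ids.
func rc4Suites(ids []uint16) []string {
	var found []string
	for _, id := range ids {
		if name := tls.CipherSuiteName(id); strings.Contains(name, "_RC4_") {
			found = append(found, name)
		}
	}
	return found
}

// withoutRC4 returns a copy of ids with RC4 suites dropped, order preserved.
func withoutRC4(ids []uint16) []uint16 {
	kept := make([]uint16, 0, len(ids))
	for _, id := range ids {
		if len(rc4Suites([]uint16{id})) == 0 {
			kept = append(kept, id)
		}
	}
	return kept
}

func main() {
	// A nil CipherSuites means the package defaults; only explicit lists are audited here.
	cfg := &tls.Config{MinVersion: tls.VersionTLS12, CipherSuites: legacySuites}
	fmt.Println("RC4 enabled explicitly:", rc4Suites(cfg.CipherSuites))
	cfg.CipherSuites = withoutRC4(cfg.CipherSuites)
	fmt.Println("after filtering:", rc4Suites(cfg.CipherSuites))
}
```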