Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crypto/tls: server accepts RC4 by default #10094

Closed
anacrolix opened this issue Mar 6, 2015 · 5 comments
Closed

crypto/tls: server accepts RC4 by default #10094

anacrolix opened this issue Mar 6, 2015 · 5 comments
Assignees
Milestone

Comments

@anacrolix
Copy link
Contributor

@anacrolix anacrolix commented Mar 6, 2015

An SSL scan of my Go server with TLS enabled reports

This server accepts the RC4 cipher, which is weak. Grade capped to B.

I wonder if perhaps this one shouldn't be in the default set of cipher suites?

@minux

This comment has been minimized.

Copy link
Member

@minux minux commented Mar 6, 2015

@mikioh mikioh changed the title http TLS server accepts RC4 crypto/tls: server accepts RC4 by default Mar 6, 2015
@titanous

This comment has been minimized.

Copy link
Member

@titanous titanous commented Mar 7, 2015

RC4 is prohibited by RFC 7465 and should not be used.

@adg

This comment has been minimized.

Copy link
Contributor

@adg adg commented Mar 9, 2015

cc @agl

@agl agl self-assigned this Mar 9, 2015
@agl

This comment has been minimized.

Copy link
Contributor

@agl agl commented Mar 17, 2015

@mikioh mikioh added this to the Go1.5 milestone Mar 17, 2015
@agl agl closed this in d26fdf2 Mar 18, 2015
@anacrolix

This comment has been minimized.

Copy link
Contributor Author

@anacrolix anacrolix commented Mar 18, 2015

Cheers!

@golang golang locked and limited conversation to collaborators Jun 25, 2016
FiloSottile pushed a commit to FiloSottile/go that referenced this issue Oct 12, 2018
RC4 is frowned upon[1] at this point and major providers are disabling it
by default[2].

Those who still need RC4 support in crypto/tls can enable it by
specifying the CipherSuites slice in crypto/tls.Config explicitly.

Fixes golang#10094.

[1] https://tools.ietf.org/html/rfc7465
[2] https://blog.cloudflare.com/killing-rc4-the-long-goodbye/

Change-Id: Ia03a456f7e7a4362b706392b0e3c4cc93ce06f9f
Reviewed-on: https://go-review.googlesource.com/7647
Reviewed-by: Andrew Gerrand <adg@golang.org>
FiloSottile pushed a commit to FiloSottile/go that referenced this issue Oct 12, 2018
RC4 is frowned upon[1] at this point and major providers are disabling it
by default[2].

Those who still need RC4 support in crypto/tls can enable it by
specifying the CipherSuites slice in crypto/tls.Config explicitly.

Fixes golang#10094.

[1] https://tools.ietf.org/html/rfc7465
[2] https://blog.cloudflare.com/killing-rc4-the-long-goodbye/

Change-Id: Ia03a456f7e7a4362b706392b0e3c4cc93ce06f9f
Reviewed-on: https://go-review.googlesource.com/7647
Reviewed-by: Andrew Gerrand <adg@golang.org>
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
7 participants
You can’t perform that action at this time.