crates.io allows RC4 for TLS connections

[kamalmarhubi]

Unless there is a good reason to support it, the nginx configuration should be changed to disallow it.

The Mozilla wiki has a good guide for recommended cipher suites. Hyneck Schlawack also has a good guide.

[alexcrichton]

The site is hosted on Heroku, so unfortunately there's not much we can do about this (we don't configure SSL at all).

[kamalmarhubi]

I found a comment on the Heroku discussion forum that suggest "that re-provisioning the SSL addon does the job". Could be worth a shot?

[kamalmarhubi]

@alexcrichton (@-mentioning because I'm unsure of how GitHub notifications work)

[alexcrichton]

I've opened a support ticket to see what we can do, thanks for investigating @kamalmarhubi!

[kamalmarhubi]

👍

[alexcrichton]

Looks like that comment on the forums may have been in relation to another app, this is the response we got:

Our *.herokuapp.com and SSL Load balancers should pref better ciphers instead of forcing RC4. We support RC4 so that older browsers can still connect, but we order the cipher at the very bottom so modern browsers use better encryption.

[kamalmarhubi]

Makes enough sense. I should have checked. I ran it through SSL Labs server test, it complained, and then I reported the issue.

Thanks for checking!