Now that SSL 3.0 is disabled, and since RC4 has gotten so much bad press recently, it is likely that there are nearly zero servers that only support TLS_RSA_WITH_RC4_128_MD5. Thus, it makes sense to try to completely disable TLS_RSA_WITH_RC4_128_MD5 when SSL 3.0 is disabled. I verified that the two servers mentioned in https://code.google.com/p/chromium/issues/detail?id=118330 now support non-RC4 cipher suites.
Sites to verify (based on Chrome bug reports):

* https://ws.missouristate.edu, https://missouristate.info
* https://www.blueshieldca.com (Now chooses AES-GCM)
* https://shb.ais.ucla.edu/ (seems to only support RC4-MD5 as of today, but it's currently serving a "hey you just installed your web server" placeholder so maybe it doesn't matter)
* https://cp.ucd.ie/ (currently won't load)
* https://bbce8.csuohio.edu/MACAuth/Login8Servlet
* https://www.sbbt.com/personal-home.php (it should re-direct)
* https://www.pcfinancial.ca (now chooses AES-GCM)

Also, Wan-Teh found this blog post indicating that most versions of IIS prioritize this (the worst) cipher suite first:

> I also found a blog post (http://blog.ivanristic.com/2009/08/index.html)
> that explains why TLS_RSA_WITH_RC4_128_MD5 is widely used.
> 1. It's the default preferred cipher in most versions of IIS. (I am not
> sure if this is still true in the current versions of IIS.)
> 2. It is the fastest and least CPU intensive.

This IIS misconfigured-by-default behavior is a good motivation for making this change. On the other hand, it isn't clear that the RC4-MD5 cipher suite is significantly worse than the RC4-SHA(1) cipher suite.
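The per-site check done by hand in the comment above, written out as an added example (not code from this bug or from Firefox/NSS): a Python probe that offers each cipher suite named in this bug one at a time through the standard `ssl` module and reports whether a host you operate still depends on TLS_RSA_WITH_RC4_128_MD5. The verdict labels and the `scan` helper are this example's own choices; on an OpenSSL build with RC4 compiled out the RC4 suites come back as untestable rather than absent, so the host is reported as inconclusive instead of safe.

```python
import socket
import ssl

# Cipher suites named in this bug, keyed by IANA name -> OpenSSL name.
SUITES = {
    "TLS_RSA_WITH_RC4_128_MD5": "RC4-MD5",
    "TLS_RSA_WITH_RC4_128_SHA": "RC4-SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA": "AES128-SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
}

def probe_suite(host, openssl_name, port=443, timeout=5.0):
    """True if the handshake lands on this suite, False if the server refuses it,
    None if the local OpenSSL cannot offer the suite at all (e.g. RC4 compiled out)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE          # only cipher negotiation matters here
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2   # TLS 1.3 ignores set_ciphers()
    try:
        # @SECLEVEL=0 lets OpenSSL offer MD5/RC4 suites it would otherwise refuse.
        ctx.set_ciphers(openssl_name + ":@SECLEVEL=0")
    except ssl.SSLError:
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0] == openssl_name
    except (ssl.SSLError, OSError):
        return False

def classify(results):
    """results maps IANA suite name -> True/False/None from probe_suite()."""
    accepted = {n for n, ok in results.items() if ok}
    rc4 = {"TLS_RSA_WITH_RC4_128_MD5", "TLS_RSA_WITH_RC4_128_SHA"}
    if accepted - rc4:
        return "has-non-rc4"           # safe to drop RC4-MD5 for this host
    if accepted == {"TLS_RSA_WITH_RC4_128_MD5"}:
        return "rc4-md5-only"          # would break if RC4-MD5 is disabled
    if accepted:
        return "rc4-only"              # survives RC4-MD5 removal, not RC4 removal
    if None in results.values():
        return "inconclusive"          # suites could not be offered locally
    return "no-handshake"

def scan(host, probe=probe_suite):
    """Probe every suite in SUITES and classify the host; probe is injectable."""
    results = {iana: probe(host, name) for iana, name in SUITES.items()}
    return results, classify(results)
```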
https://cmypage.kuronekoyamato.co.jp/portal/entrance?id=kojintop (from bug 1112110) supports nothing but TLS_RSA_WITH_RC4_128_MD5. I'm not sure about the benefit of introducing the invisible relation between SSLv3 and RC4-MD5. If we want to disable RC4-MD5 by default, we should just flip the pref.
Also we don't offer RC4 cipher suites (including RC4-MD5) in the first handshake. The server preference matters little.
(In reply to Masatoshi Kimura [:emk] from comment #3)
> Also we don't offer RC4 cipher suites (including RC4-MD5) in the first
> handshake. The server preference matters little.

Yes. If you do what I suggest in bug 1123932 comment 9, then this bug can also be RESOLVED INVALID or WONTFIX.
I'll drop SSLv3 support very soon, then this bug will be just disabling RC4-MD5. And I'll disable all RC4 cipher suites at once.
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → INVALID