Closed
Bug 1125893
Opened 11 years ago
Closed 4 years ago
Move TLS_ECDHE_*_WITH_RC4_128_SHA cipher suites to be lower priority in ClientHello
Categories
(NSS :: Libraries, defect)
NSS
Libraries
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: briansmith, Unassigned)
Details
(Whiteboard: [nss-fx])
Right now, NSS orders the TLS_ECDHE_*_WITH_RC4_128_SHA cipher suites ahead of all the TLS_RSA_AES_* cipher suites.
Firefox first attempts to handshake with a ClientHello without any RC4-based cipher suites; if that fails, it tries again with the RC4 cipher suites enabled. Thus, clearly Firefox has a preference of the TLS_RSA_AES_* cipher suites over the TLS_ECDHE_*_WITH_RC4_128_SHA cipher suites.
Consequently, we should move the TLS_ECDHE_*_WITH_RC4_128_SHA cipher suites to be after the TLS_RSA_AES_* cipher suites.
Besides Firefox's preferences, this is also in line with https://tools.ietf.org/html/draft-ietf-tls-prohibiting-rc4-01.
In Firefox, a small fraction much less than 1% of handshakes use the TLS_ECDHE_*_WITH_RC4_128_SHA cipher suites, so this will not have much practical effect. But, it is part of the overall story for dealing with the deprecation of RC4.
Note that the comments that describe the rationale for the ordering need to be updated during this change.
|
||
Comment 1•11 years ago
|
||
see also Bug 949564
|
||
Updated•10 years ago
|
Target Milestone: 3.18 → 3.18.1
|
|
||
Updated•10 years ago
|
Target Milestone: 3.18.1 → 3.19
|
|
||
Comment 2•10 years ago
|
||
This missed 3.19, please set a new target milestone if you have a good estimate.
(3.19.1 target milestone will soon be available once bug 1158958 is fixed.)
Target Milestone: 3.19 → ---
|
||
Comment 3•4 years ago
|
||
Next step is to remove those, they are at the bottom of the list right now.
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
|
|
||
Updated•4 years ago
|
Whiteboard: [nss-fx]
You need to log in
before you can comment on or make changes to this bug.
Description
•