116236 - triple DES instead of RC4

Status: VERIFIED INVALID

(Core Graveyard :: Security: UI, defect, P3)

Description

[haferfrost]

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i586; en-US; rv:0.9.6) Gecko/20011213
BuildID:    00000000 (self-compiled)

When I choose the SSL Check at fortify.net it says my browser connects with
triple-DES. Isn't RC4 stronger encryption? Shouldn't the browser select RC4?

Reproducible: Always
Steps to Reproduce:
1.browse to http://www.fortify.net
2.select SSL check
3.

Actual Results:  connection with triple DES 168 bit

Expected Results:  connection with RC 4 128 bit

Comment 1

[Jo Hermans]

Worksforme - build 2001121003 on Windoos NT. The SSL-check shows me that I'm
using RC4-MD5.

Comment 2

[Matthias Versen [:Matti]]

-> PSM

wfm with win2k build 20011220.. (RC4)

Comment 3

[Stephane Saux]

I don't think that rc4 is stronger than triple DES.  Triple DES is one of the
cyphers that meet fips standards.  The long answer is probably more complex and
is best left to the true experts:

cc nelsonb

I don't think there's a bug here.

Comment 4

[Nelson Bolyard (seldom reads bugmail)]

There's no bug here.  The server chooses the cipher suite, not the client.
The client presents a list of supported cipher suites to the server.
The server picks one of them.  
The client's list is in order of client's preference, but the server is
under no obligation to honor the client's preference, and most servers
do not.  That is, most servers pick the cipher suite most preferred
by the server from the list of those supported by both client and server.

The client must be prepared to accept the use of any ciphersuite that it
claims to support in its client hello message.

Comment 5

[John Unruh]

Verified invalid.