<div><div dir="auto">Hi, we have a requirement to enable TLSv1 for an edge case. When we enable that via Tomas's recommendation, it enables the RC4 cipher.</div></div><div dir="auto"><br></div><div dir="auto">We want to disable RC4 but keep TLSv1, and that's why the ask for the process.</div><div dir="auto"><br></div><div dir="auto">Thanks, </div><div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, 17 Apr 2020 at 18:04, Viktor Dukhovni <<a href="mailto:openssl-users@dukhovni.org">openssl-users@dukhovni.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Fri, Apr 17, 2020 at 05:17:47PM +0200, Tomas Mraz wrote:<br>
<br>
> Or you could modify the /etc/pki/tls/openssl.cnf:<br>
> Find the .include /etc/crypto-policies/back-ends/opensslcnf.config<br>
> line in it and insert something like:<br>
> <br>
> CipherString = @SECLEVEL=1:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:!DES:!RC2:!RC4:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8<br>
<br>
How did this particular contraption become a recommended cipherlist?<br>
What's wrong with "DEFAULT"? In OpenSSL 1.1.1 it already excludes<br>
RC4 (if RC4 is at all enabled at compile time):<br>
<br>
$ openssl ciphers -v 'COMPLEMENTOFDEFAULT+RC4'<br>
ECDHE-ECDSA-RC4-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=RC4(128) Mac=SHA1<br>
ECDHE-RSA-RC4-SHA TLSv1 Kx=ECDH Au=RSA Enc=RC4(128) Mac=SHA1<br>
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1<br>
<br>
I find too many people cargo-culting poorly thought-out cipher lists from<br>
some random HOWTO. Over-optimising your cipherlist is subject to<br>
rapid bitrot, resist the temptation...<br>
<br>
-- <br>
Viktor.<br>
</blockquote></div></div>-- <br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature">Sent from Gmail Mobile</div>
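<div>The check Viktor runs above (<code>openssl ciphers -v</code> and look for RC4), turned into a small audit script. This is an added example written for this page, not code from the thread, from Tomas's crypto-policies, or from OpenSSL. It scans <code>openssl ciphers -v</code> output, fails if any suite has <code>Enc=RC4</code>, and fails if no suite usable at TLSv1 survives, which is the combination the question asks for. The sample listings are constructed: the three RC4 lines are the ones Viktor shows, the other suites are assumed <code>openssl ciphers -v</code> output for illustration, and the function names are the example's own.</div>

```shell
#!/bin/sh
# Added example for this thread, not code from OpenSSL or from the posters.
# Audits `openssl ciphers -v` output: fail if any suite uses RC4, fail if no
# suite is usable at TLSv1. Function and variable names are this example's own.

# Constructed sample listings. The three RC4 lines are the ones shown in the
# thread; the remaining lines are assumed `openssl ciphers -v` output.
SAMPLE_WITH_RC4='ECDHE-ECDSA-RC4-SHA     TLSv1 Kx=ECDH     Au=ECDSA Enc=RC4(128)  Mac=SHA1
ECDHE-RSA-RC4-SHA       TLSv1 Kx=ECDH     Au=RSA   Enc=RC4(128)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA   Enc=RC4(128)  Mac=SHA1
ECDHE-RSA-AES128-SHA    TLSv1 Kx=ECDH     Au=RSA   Enc=AES(128)  Mac=SHA1'

SAMPLE_CLEAN='ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-SHA    TLSv1 Kx=ECDH     Au=RSA   Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA   Enc=AES(128)  Mac=SHA1'

SAMPLE_TLS12_ONLY='TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any    Au=any   Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD'

# audit_ciphers LISTING: LISTING is the text `openssl ciphers -v` printed.
# The second column is the suite's minimum protocol; suites tagged SSLv3 or
# TLSv1 are the ones a TLSv1 handshake can use, TLSv1.2/1.3 suites are not.
# Returns 0 if no RC4 suite is present and at least one TLSv1-usable suite
# remains, 1 if any RC4 suite is present, 2 if nothing is usable at TLSv1.
audit_ciphers() {
  rc4=0
  tls1=0
  while read -r name proto rest; do
    [ -z "$name" ] && continue
    case "$rest" in *"Enc=RC4("*) rc4=$((rc4 + 1)) ;; esac
    case "$proto" in TLSv1|SSLv3) tls1=$((tls1 + 1)) ;; esac
  done <<EOF
$1
EOF
  [ "$rc4" -eq 0 ] || return 1
  [ "$tls1" -gt 0 ] || return 2
  return 0
}

# audit_cipherstring CIPHERSTRING: same check against the local openssl,
# e.g. audit_cipherstring DEFAULT. Returns 3 if openssl is missing or
# rejects the string.
audit_cipherstring() {
  listing=$(openssl ciphers -v "$1" 2>/dev/null) || return 3
  audit_ciphers "$listing"
}

# report LABEL LISTING: print a one-line verdict; always returns 0.
report() {
  rc=0
  audit_ciphers "$2" || rc=$?
  case "$rc" in
    0) echo "$1: OK (no RC4, TLSv1-usable suites present)" ;;
    1) echo "$1: FAIL, RC4 suite present" ;;
    *) echo "$1: FAIL, no suite usable at TLSv1" ;;
  esac
}

report "sample with RC4"      "$SAMPLE_WITH_RC4"
report "sample without RC4"   "$SAMPLE_CLEAN"
report "sample TLSv1.2+ only" "$SAMPLE_TLS12_ONLY"
# On a real host, audit the exact string you put in openssl.cnf, e.g.:
#   audit_cipherstring DEFAULT && echo "DEFAULT passes"
```

<div>Run <code>audit_cipherstring</code> with the exact <code>CipherString</code> you configure, not a guess at it. Two caveats a practitioner should keep in mind: the cipher list only filters suites, it does not turn a protocol version on or off, so whether a TLSv1 handshake is actually offered is decided by <code>MinProtocol</code> and the <code>@SECLEVEL=</code> in force; and in OpenSSL 1.1.1 security level 2 and above already drops RC4 suites regardless of the list, so a <code>@SECLEVEL=1</code> string is where an explicit <code>!RC4</code> (or simply <code>DEFAULT</code>, as Viktor points out) matters.</div>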