[openssl-users] RC4-MD5

Jeffrey Walton noloader at gmail.com
Wed Jul 8 17:57:37 UTC 2015


On Wed, Jul 8, 2015 at 1:24 PM, Rajeswari K <raji.kotamraju at gmail.com> wrote:
> Hello Openssl team,
>
> We are currently facing an issue with RC4-MD5 cipher suite after upgrading
> from openssl0.9.8q to openssl1.0.1j.
>
> We see that on a few platforms, RC4-MD5 cipher negotiation is returning bad
> mac record error after receiving "Client Key Exchange" message.

I've seen it the other way: 0.9.8 produces a bad mac, while 1.0 clears
the issue.

> Currently we are using proprietary md5 functions with the following
> configuration.
>
> ...
>  Is there any consideration for MD5 based on platform bits? Can anyone
> share?

Just bike shedding, but these are the two ciphers that browsers are
targeting for deprecation. See, for example,
https://www.google.com/search?q=obsolete+cryptography+warning+chrome.

The time might be better spent on avoiding both RC4 and MD5. That will
keep your users out of those browser security UX prompts that they
don't know how to answer.

But like I said, it's just bike shedding.

