Right after I clicked the send button I've got the feeling that this is a too-old-to-be-true story.
Thanks for the clarification!
Laszlo
On Tue, Feb 14, 2012 at 14:55, Michal Trojnara Michal.Trojnara@mirt.net wrote:
Keresztfalvi Laszlo wrote:
2012.02.14 13:13:32 LOG6[87260:136504]: Negotiated ciphers: RC4-SHA SSLv3 Kx=RSA Au=RSA ENC=RC4(128) Mac=SHA1
RC4 128-bit is not something that is considered secure. I don't know why this was chosen but probably this caused that FIPS mode rejected the connection?
Contrary to popular belief, RC4-SHA is probably the most secure ciphersuite available in SSL/TLS. In fact RC4 is the only SSL algorithm not vulnerable to the BEAST attack: http://blog.zoller.lu/2011/09/beast-summary-tls-cbc-countermeasures.html
On the other hand it is easy to use RC4 in an insecure way. Many products and protocols were broken because RC4 was used incorrectly. This is *not* the case for SSL/TLS. No practical attacks are currently known against RC4-based SSL/TLS.
Mike
_______________________________________________
stunnel-users mailing list
stunnel-users@stunnel.org
http://stunnel.mirt.net/mailman/listinfo/stunnel-users