About TLS cipher suites


#1

Hi! I find that some of DreamHost servers only support RC4 cipher suites, such as whatwg.org (ps20323.dreamhost.com) [1]. RC4 is now considered a weak cipher. IETF is going to prohibit using RC4 in TLS [2]. IE 11 doesn’t offer RC4 in the initial TLS handshake [3], and Firefox will do the same [4]. It is expected that browsers will completely disable RC4 in the near future [5].

So could DreamHost please consider enabling some cipher suites other than RC4, such as AES, on your hosts? Thanks!

[1] https://www.ssllabs.com/ssltest/analyze.html?d=whatwg.org
[2] https://tools.ietf.org/html/draft-ietf-tls-prohibiting-rc4-01
[3] https://technet.microsoft.com/library/security/2868725
[4] https://bugzilla.mozilla.org/show_bug.cgi?id=1124039
[5] https://bugzilla.mozilla.org/show_bug.cgi?id=999544


#2

RFC 7465 officially prohibits the use of RC4 [1]. Does DreamHost plan to update the cipher suites accordingly?

[quote] This document requires that Transport Layer Security (TLS) clients
and servers never negotiate the use of RC4 cipher suites when they
establish connections. This applies to all TLS versions.[/quote]

[1] https://tools.ietf.org/html/rfc7465


#3

It looks as though the site you were testing was on a DreamHost VPS that hasn’t been upgraded to Ubuntu yet. Upgrading the VPS to Ubuntu will install a newer version of OpenSSL, which will make much better cipher suites available.