[NNTP] RC4 TLS cipher with NNTP
Julien ÉLIE
julien at trigofacile.com
Tue Sep 1 12:46:52 PDT 2015
Hi all,

The recently published RFC 7465 prohibits the use of RC4 cipher suites:

    "This document requires that TLS clients and servers never negotiate
    the use of RC4 cipher suites."

Yet, our RFC 4642 about the use of TLS with NNTP states:

    NNTP client and server implementations MUST implement the
    TLS_RSA_WITH_RC4_128_MD5 cipher suite and SHOULD implement the
    TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA cipher suite. This is
    important, as it assures that any two compliant implementations can
    be configured to interoperate. All other cipher suites are OPTIONAL.

There is a discrepancy now between these two RFCs. Shouldn't something
be done about that? Interoperability will be broken in NNTP as
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA is not mandatory. Furthermore, that
cipher suite may also become insecure one day...
--
Julien ÉLIE
"– We are travelling faster than light!
– Then how are we supposed to see clearly through all this?" (Astérix)
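
Added example (not part of the original message, and not code from either RFC): a small Python model of the gap described above, showing that RFC 4642-compliant peers can lose their only common suite once RFC 7465 is applied. The three suite lists and the AES suite used as an optional extra are constructed, and negotiation is simplified to "first client-preferred suite the server also supports".

```python
# Constructed model of the RFC 4642 / RFC 7465 gap; not code from either RFC.
RFC4642_MUST = "TLS_RSA_WITH_RC4_128_MD5"
RFC4642_SHOULD = "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA"


def is_rc4(suite):
    """True for any suite whose bulk cipher is RC4 (all banned by RFC 7465)."""
    return "_WITH_RC4_" in suite


def apply_rfc7465(suites):
    """Remove RC4 suites, preserving the preference order of the rest."""
    return [s for s in suites if not is_rc4(s)]


def negotiate(client, server):
    """Simplified selection: first client-preferred suite the server supports.
    Returns None when there is no common suite (handshake failure)."""
    supported = set(server)
    return next((s for s in client if s in supported), None)


def audit(suites):
    """List the requirements of the two RFCs that a suite list violates."""
    findings = []
    if any(is_rc4(s) for s in suites):
        findings.append("RFC 7465: offers an RC4 suite")
    if RFC4642_MUST not in suites:
        findings.append("RFC 4642: lacks the mandatory suite")
    return findings


# Hypothetical implementations (constructed), all compliant with RFC 4642.
MINIMAL_CLIENT = [RFC4642_MUST]                 # implements the MUST only
FULLER_CLIENT = [RFC4642_SHOULD, RFC4642_MUST]  # implements MUST and SHOULD
SERVER = ["TLS_RSA_WITH_AES_128_CBC_SHA", RFC4642_SHOULD, RFC4642_MUST]

if __name__ == "__main__":
    for name, client in (("minimal", MINIMAL_CLIENT), ("fuller", FULLER_CLIENT)):
        before = negotiate(client, SERVER)
        after = negotiate(apply_rfc7465(client), apply_rfc7465(SERVER))
        print(f"{name}: before RFC 7465 = {before}, after = {after}")
        print("  audit after RFC 7465:", audit(apply_rfc7465(client)))
```

The audit function makes the contradiction explicit: no suite list can return an empty findings list, because the suite RFC 4642 makes mandatory is itself an RC4 suite.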