
I'm running an Apache 2 server with Ubuntu 16. Here's my current configuration:

    SSLProtocol All -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite

I'm a bit confused as to what I should use for SSLCipherSuite. I'm taking it from this article here: https://www.digicert.com/ssl-support/ssl-enabling-perfect-forward-secrecy.htm

Should I configure it with RC4 or without RC4?

An SSL technician told me that "with RC4" is very weak. I'm wanting to confirm and see if there are other things I should know about it.

Questions:

  • What is the difference between "with RC4" vs "without RC4" and the pros and cons of each?
  • Which one should I use?

Thanks!

Edward

1 Answer


Should I configure it with RC4 or without RC4?

Definitely without. From Wikipedia: RC4:

As of 2015, there is speculation that some state cryptologic agencies may possess the capability to break RC4 when used in the TLS protocol. IETF has published RFC 7465 to prohibit the use of RC4 in TLS; Mozilla and Microsoft have issued similar recommendations.

Apart from that, you had best use the Mozilla SSL Configuration Generator to generate an appropriate TLS configuration for your setup.

I'm taking it from this article here: https://www.digicert.com/ssl-support/ssl-enabling-perfect-forward-secrecy.htm

While I cannot find any date when this article was written, it is a shame that DigiCert still has such an article online which explicitly promotes the use of RC4. At least the information regarding RC4 in this article is outdated, and following this article would lead to an insecure configuration.

Steffen Ullrich
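A way to check a candidate SSLCipherSuite value before it goes into the vhost, as an added example that is not part of the question or the answer above. Apache hands the SSLCipherSuite string to OpenSSL's cipher-string parser unchanged, so Python's ssl module (which wraps the same library) can expand it locally and show exactly which suites it enables. The two cipher strings below are constructed for illustration and are not the strings from the DigiCert article; the helper names (expand, weak_suites, forward_secret, review) are this example's own. For a production value, take the string from the Mozilla generator the answer recommends and run it through the same check.

```python
"""Expand a candidate Apache SSLCipherSuite value through the local OpenSSL.

Added example, not code from the question or the answer. Apache passes the
SSLCipherSuite string straight to OpenSSL's cipher-string parser, so Python's
ssl module (which wraps the same library) shows exactly which suites a given
string enables before it is committed to the vhost configuration.
"""
import ssl

# Constructed cipher strings for illustration; they are NOT the strings from
# the DigiCert article. The first mirrors a "with RC4" style list, the second
# a "without RC4" list that also excludes other suites nobody should offer.
WITH_RC4 = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA:RC4-SHA:AES128-SHA"
WITHOUT_RC4 = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "!RC4:!aNULL:!eNULL:!MD5:!EXPORT"
)

# Substrings that mark a suite as unacceptable: RC4 (prohibited by RFC 7465),
# MD5-based MACs, export-grade suites and NULL-cipher suites.
WEAK_MARKERS = ("RC4", "MD5", "EXP", "NULL")


def expand(spec):
    """Return the OpenSSL suite names a cipher string enables, in server
    preference order (the order that SSLHonorCipherOrder on makes binding)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        # OpenSSL rejects a string only when no suite at all survives it.
        # Since OpenSSL 1.1.0 RC4 is compiled out by default, so a string
        # consisting solely of RC4 suites ends up here.
        return []
    return [c["name"] for c in ctx.get_ciphers()]


def weak_suites(names):
    """Suites from the expanded list that a current deployment must not offer."""
    return [n for n in names if any(m in n for m in WEAK_MARKERS)]


def forward_secret(names):
    """Suites that negotiate an ephemeral (EC)DH key and therefore give PFS.
    TLS 1.3 suites (TLS_...) are always forward secret."""
    return [n for n in names if n.startswith(("ECDHE", "DHE", "TLS_"))]


def review(spec):
    """Summarise what a candidate SSLCipherSuite value would actually enable."""
    names = expand(spec)
    pfs = set(forward_secret(names))
    return {
        "enabled": names,
        "weak": weak_suites(names),
        "non_pfs": [n for n in names if n not in pfs],
        "acceptable": bool(names) and not weak_suites(names),
    }


if __name__ == "__main__":
    for label, spec in (("with RC4", WITH_RC4), ("without RC4", WITHOUT_RC4)):
        result = review(spec)
        print(f"{label}: {len(result['enabled'])} suites enabled, "
              f"weak={result['weak']}, non-PFS={result['non_pfs']}, "
              f"acceptable={result['acceptable']}")
```

The "with RC4" string also carries AES128-SHA, a plain RSA key-exchange suite, so even on a build where RC4 is compiled out it still fails the forward-secrecy check; the "without RC4" string enables only ECDHE suites plus whatever TLS 1.3 suites the local OpenSSL adds, all of which are forward secret.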