Killing RC4 (softly)

by Piotr Sikora.

Back in 2011, the BEAST attack on the cipher block chaining (CBC) encryption mode used in TLS v1.0 was demonstrated. At the time the advice of experts (including our own) was to prioritize the use of RC4-based cipher suites.

The BEAST vulnerability itself had already been fixed in TLS v1.1 a few years before, but in 2011 the adoption of TLS v1.1 was virtually non-existent and web server administrators (and companies like CloudFlare) started preferring RC4 over AES-CBC ciphers in order to mitigate the attack.

Fast-forward to 2013 and attacks on RC4 have been demonstrated; that makes the preference for RC4 problematic. Unfortunately, at the time, TLS v1.1 and above still weren't very popular, which meant that we had to make a choice between either the mitigation of BEAST or the RC4 attack.

Since then, all modern browsers have started supporting TLS v1.2, which means that in theory we could support RC4 only for connections using TLS v1.0 (to protect against the BEAST attack) and use AES-GCM or AES-CBC for connections using TLS v1.1 and above (to protect against the RC4 attacks). Unfortunately, open-source web servers (and OpenSSL) don't allow for such fine-grained control over which ciphers should be supported for which protocol version.
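To make the per-version policy concrete, here is a small stand-alone model of it in C. This is an added example, not CloudFlare's or OpenSSL's code: the cipher list is constructed for the illustration, and the version constants simply mirror the TLS wire values (0x0301 for TLS v1.0, 0x0302 for v1.1, 0x0303 for v1.2). The selection rule is the one described above: skip suites the negotiated protocol does not define, and additionally skip RC4 once TLS v1.1 or later has been negotiated, since CBC is no longer BEAST-vulnerable there.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* TLS protocol versions as encoded on the wire (major << 8 | minor).
 * These match the values OpenSSL uses for TLS1_VERSION, TLS1_1_VERSION
 * and TLS1_2_VERSION. */
#define TLS1_0 0x0301
#define TLS1_1 0x0302
#define TLS1_2 0x0303

enum enc_alg { ENC_RC4, ENC_AES_CBC, ENC_AES_GCM };

struct cipher {
    const char *name;
    enum enc_alg enc;
    int min_version; /* lowest protocol version that defines this suite */
};

/* Constructed sample cipher list, in server preference order.
 * AES-GCM suites only exist from TLS v1.2 onwards. */
static const struct cipher CIPHERS[] = {
    { "ECDHE-RSA-AES128-GCM-SHA256", ENC_AES_GCM, TLS1_2 },
    { "ECDHE-RSA-RC4-SHA",           ENC_RC4,     TLS1_0 },
    { "ECDHE-RSA-AES128-SHA",        ENC_AES_CBC, TLS1_0 },
    { "RC4-SHA",                     ENC_RC4,     TLS1_0 },
    { "AES128-SHA",                  ENC_AES_CBC, TLS1_0 },
};

/* Is this suite acceptable for the negotiated protocol version?
 * - suites the protocol does not define are never usable;
 * - RC4 is only kept for TLS v1.0, where it mitigates BEAST. */
bool cipher_allowed(const struct cipher *c, int version)
{
    if (version < c->min_version)
        return false;
    if (c->enc == ENC_RC4 && version >= TLS1_1)
        return false;
    return true;
}

/* Pick the first acceptable suite for a negotiated version, walking the
 * list in server preference order. Returns NULL if nothing is usable. */
const char *choose_cipher(int version)
{
    size_t n = sizeof CIPHERS / sizeof CIPHERS[0];
    for (size_t i = 0; i < n; i++)
        if (cipher_allowed(&CIPHERS[i], version))
            return CIPHERS[i].name;
    return NULL;
}

/* Count how many RC4 suites the policy would still offer at a version;
 * this is the property a scanner such as SSL Labs checks for. */
int rc4_suites_offered(int version)
{
    int count = 0;
    size_t n = sizeof CIPHERS / sizeof CIPHERS[0];
    for (size_t i = 0; i < n; i++)
        if (CIPHERS[i].enc == ENC_RC4 && cipher_allowed(&CIPHERS[i], version))
            count++;
    return count;
}

int main(void)
{
    const int versions[] = { TLS1_0, TLS1_1, TLS1_2 };
    for (size_t i = 0; i < 3; i++) {
        const char *pick = choose_cipher(versions[i]);
        printf("TLS 0x%04x -> %s (RC4 suites offered: %d)\n",
               versions[i], pick ? pick : "(none)",
               rc4_suites_offered(versions[i]));
    }
    return 0;
}
```

Running it shows the intended split: a TLS v1.0 client gets an RC4 suite, a TLS v1.1 client falls through to AES-CBC because RC4 is filtered out, and a TLS v1.2 client gets AES-GCM. The RC4 count is zero for v1.1 and v1.2, which is exactly the condition that keeps the SSL Labs warning away.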

To make that possible, we are releasing a patch for OpenSSL which disables RC4-based cipher suites for connections using TLS v1.1 and above, while leaving them available to clients that can only use TLS v1.0.

--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3816,6 +3816,11 @@
                        (TLS1_get_version(s) < TLS1_2_VERSION))
                        continue;

+               /* Disable RC4 for TLS v1.1+ */
+               if ((c->algorithm_enc == SSL_RC4) &&
+                       (TLS1_get_version(s) >= TLS1_1_VERSION))
+                       continue;
+
                ssl_set_cert_masks(cert,c);
                mask_k = cert->mask_k;
                mask_a = cert->mask_a;
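Review bot: The new RC4 check is hard-coded with no runtime switch, so an operator who wants RC4 on TLS v1.1+ (or wants to drop it on TLS v1.0 too) has to rebuild OpenSSL; consider gating the `continue` behind a configuration knob, such as an SSL option or a cipher-string flag, and documenting it next to the existing `TLS1_2_VERSION` filter just above it. The comparison itself is sound: `TLS1_get_version(s) >= TLS1_1_VERSION` covers TLS v1.1 and v1.2 and leaves TLS v1.0 untouched, which matches the comment.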

SSL Labs have updated their testing to penalize the use of RC4 on TLS v1.1 and v1.2 connections as detailed here. If a site allows RC4 with TLS v1.1 or v1.2 then the following warning will appear in the SSL Labs report:

RC4 Warning

SSL Labs have introduced warnings that will lower a web site's score. Warnings are given for a lack of forward secrecy, missing secure renegotiation, or the use of RC4 on TLS v1.1 and v1.2. Web sites are also heavily penalized for using key sizes below 2048 bits.

Customers of CloudFlare using our SSL options will get an A or A+ rating with no warnings from SSL Labs.

You can download the patch here.
