RC4 deprecation #844
Comments
Also to note: RC4 will not be entirely deprecated unless OpenSSL drops support for it. It just won't be available for negotiation using the default settings.
Maybe I'm blowing this a bit out of proportion, but I think the removal of RC4 from the default ciphers should happen in a
I suggest it to be
Alright,
Does this mean #826 is
Yes, please tag it.
I think this warrants an issue of its own, as #826 got a bit lengthy.
Current best practices dictate
I agree with that, but I'm not sure how this would fit into the semver picture, as it's not really an API change itself, but still has the possibility of breaking connectivity of naive implementations that use the default cipher suite (when the other end of the connection is ancient). Further, the issue is complicated because apparently, our TLS client's ciphers option was never documented.
Semver says, we can issue deprecation warnings in a semver-minor, and I think the best course of action would be to document the pending RC4 removal in the release notes and the docs, and finally remove the cipher in 2.0.0. Does this sound reasonable?
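
An added illustration, not code from this issue or from the project: a client that does not want to depend on the default cipher list can audit its own OpenSSL cipher string for RC4 and pass an explicit `ciphers` value to `tls.connect()`. The function names and the sample string are hypothetical, and the audit is a heuristic that does not expand OpenSSL group aliases.

```javascript
'use strict';

// Constructed sample of a legacy-style list that still offers RC4
// (not the project's actual default string).
const LEGACY_SAMPLE =
  'ECDHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL';

// Group aliases whose expansion depends on the OpenSSL build. On older
// builds they can pull in RC4 suites, so they are reported, not trusted.
const ALIASES = new Set(['ALL', 'DEFAULT', 'MEDIUM']);

// Heuristic audit of an OpenSSL cipher string (hypothetical helper).
// Tokens prefixed with '!', '-' or '+' never add suites, so they are
// skipped when looking for RC4. A '-RC4' placed after an RC4 token is
// ignored, which errs on the side of reporting RC4 as offered.
function auditRc4(cipherString) {
  const toks = cipherString.split(/[:, ]+/).filter(Boolean);
  // '!RC4' removes RC4 suites permanently, wherever it appears.
  const excluded = toks.includes('!RC4');
  const adding = toks.filter((t) => !/^[!+-]/.test(t));
  const explicit = adding.filter((t) => /RC4/.test(t));
  const aliases = adding.filter((t) => ALIASES.has(t));
  return {
    excluded,
    explicit,
    aliases,
    offered: !excluded && explicit.length > 0,
    uncertain: !excluded && aliases.length > 0,
  };
}

// Return a cipher string that can no longer negotiate RC4.
function withoutRc4(cipherString) {
  return auditRc4(cipherString).excluded
    ? cipherString
    : cipherString + ':!RC4';
}

// Options object for tls.connect() with the cipher list pinned explicitly.
function clientOptions(host, cipherString) {
  return {
    host,
    port: 443,
    servername: host,
    ciphers: withoutRc4(cipherString),
  };
}
```

Pass the result to `tls.connect(clientOptions('example.org', myCipherString))`; a handshake that then fails against an old peer shows that the peer only offered RC4.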