Omair Majid suggested to revise the RC4-related recommendations based on the following resources: https://tools.ietf.org/html/rfc7465 https://bugs.openjdk.java.net/browse/JDK-8076221 http://docs.fedoraproject.org/en-US/Fedora_Security_Team/1/html/Defensive_Coding/chap-Defensive_Coding-Tasks-Cryptography.html#idm225466783088 http://docs.fedoraproject.org/en-US/Fedora_Security_Team/1/html/Defensive_Coding/sect-Defensive_Coding-TLS-Client-OpenJDK.html http://docs.fedoraproject.org/en-US/Fedora_Security_Team/1/html/Defensive_Coding/sect-Defensive_Coding-TLS-Client.html#idm225439762448 For TLS implementations, it may now be possible to rely exclusively on library defaults.
Created attachment 1066632 [details] Java: Use default ciphers list The attached patch fixes it for Java. If you like, I can post patches for other languages too, but I am barely familiar with them (especially when it comes to offering security advice). Are you okay with reviewing possibly broken patches?
I'm closing this bug as part of a Bugzilla cleanup effort. The most likely reason is that the bug has been opened either against a component we no longer publish, or against Release Notes for an EOL release.