noxxi / p5-io-socket-ssl

IO::Socket::SSL Perl Module

Default cipher suite includes RC4 ciphers #22

Closed Grinnz closed 9 years ago

Grinnz commented 9 years ago

Leaving SSL_cipher_list out of the options results in the TLS_ECDHE_RSA_WITH_RC4_128_SHA and TLS_RSA_WITH_RC4_128_SHA ciphers being used, which leads to a B rating on SSL Labs due to the RC4 vulnerability. Passing the following cipher suite fixes this problem:

DEFAULT:!aNULL:!RC4:!MD5

More information:

http://blogs.technet.com/b/srd/archive/2013/11/12/security-advisory-2868725-recommendation-to-disable-rc4.aspx

https://blog.cloudflare.com/killing-rc4-the-long-goodbye/

noxxi commented 9 years ago

RC4 is currently available by default. But it gets used with a very low priority and the cipher order is determined by default by the server. That means you will get RC4 only if you don't support any of the better ciphers. Thus this is a tradeoff between no connectivity and slightly insecure connectivity.

But you are right that it would be better to remove it completely. I've checked with the top servers according to Alexa and about 30% of them have RC4 disabled, which makes me confident that we don't break too much. Thus RC4 will be disabled in the next release, but only on the server side. On the client side it is still needed because about 1% of the servers I've tested only support RC4.
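To check what the cipher string from this issue does on a given OpenSSL build, the following added example (not code from the issue or from IO::Socket::SSL itself) expands `DEFAULT` and `DEFAULT:!aNULL:!RC4:!MD5` with Net::SSLeay and lists any RC4 suites left in each. The helper names `expand_cipher_list` and `connect_without_rc4` are hypothetical; the client check runs only when a host and port are given on the command line.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::SSLeay;
use IO::Socket::SSL;    # exports $SSL_ERROR by default

Net::SSLeay::initialize();

# Cipher string proposed in the issue above.
my $NO_RC4 = 'DEFAULT:!aNULL:!RC4:!MD5';

# Expand an OpenSSL cipher string into the suites the local library would
# offer, in preference order. Needs no network access.
sub expand_cipher_list {
    my ($spec) = @_;
    my $ctx = Net::SSLeay::CTX_new() or die "CTX_new failed";
    Net::SSLeay::CTX_set_cipher_list($ctx, $spec)
        or die "no usable ciphers in '$spec'";
    my $ssl = Net::SSLeay::new($ctx) or die "SSL_new failed";
    my @names;
    for (my $i = 0; defined(my $c = Net::SSLeay::get_cipher_list($ssl, $i)); $i++) {
        push @names, $c;
    }
    Net::SSLeay::free($ssl);
    Net::SSLeay::CTX_free($ctx);
    return @names;
}

# Connect as a client with RC4 excluded and report the negotiated suite.
# A server that only speaks RC4 makes the handshake fail instead.
sub connect_without_rc4 {
    my ($host, $port) = @_;
    my $sock = IO::Socket::SSL->new(
        PeerHost        => $host,
        PeerPort        => $port,
        SSL_cipher_list => $NO_RC4,
    ) or die "connect failed: $!, $SSL_ERROR";
    my $cipher = $sock->get_cipher;
    close($sock);
    die "negotiated RC4 suite $cipher" if $cipher =~ /RC4/;
    return $cipher;
}

for my $spec ('DEFAULT', $NO_RC4) {
    my @all = expand_cipher_list($spec);
    my @rc4 = grep { /RC4/ } @all;
    printf "%-26s %3d suites, RC4: %s\n", $spec, scalar @all,
        @rc4 ? join(',', @rc4) : 'none';
}
print "negotiated: ", connect_without_rc4(@ARGV), "\n" if @ARGV == 2;
```

On OpenSSL builds that no longer include RC4 in `DEFAULT`, both lines report `none`, and the explicit `!RC4` is then a safeguard rather than a change in behaviour.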