Hope this is in the right area.
I am trying to learn the ropes regarding SSL tuning and security.
So far so good - I have disabled SSL2, started to enforce more secure protocols and have started some further testing.
I am now a little confused with regard to RC4.
There is this post: http://blog.ivanristic.com/2009/08/is-rc4-safe-for-use-in-ssl.html from 2009, which suggests RC4 is still OK,
and this post: [link no longer available] from 2013, which suggests not to use RC4 if you are using TLS (which I am moving towards).
I have signed up for the OpenSSL Cookbook (Thanks Ivan!!) but haven't started reading yet.
Onto the point of all this.
Currently my server only supports TLS 1.0 (an upgrade is planned).
I realise that cipher suite use is a trade-off with performance and the clients that you need to support, but I am having a hard time finding a concise list of preferred cipher suites to use.
Does anyone have a good list of cipher vs supported clients vs performance?
Any particular chapter in the Cookbook I should check for details?
As I have only a small client base and performance is not much of an issue at this stage, I am enforcing the strongest ciphers I can; however, it would be good to have more details for future reference.
Happy to do (much) more reading, but as there appears to be so much (mis)information out there, I was hoping someone could point me in the right direction.
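One way to check what a candidate cipher string actually enables before deploying it (added example, not part of the original post or of the OpenSSL Cookbook): it asks the local OpenSSL to expand the string and flags any RC4, MD5, DES/3DES, export or anonymous suites that slipped through. The cipher string and the weak-suite patterns are my own assumptions; the CBC ECDHE suites are kept because the AEAD (GCM/ChaCha20) suites need TLS 1.2 and would leave a TLS 1.0-only server with nothing to offer.

```python
from __future__ import annotations
import re
import ssl

# Assumed hardened cipher string: forward-secret ECDHE/DHE suites first,
# AEAD preferred, then CBC ECDHE suites for TLS 1.0/1.1 clients, and an
# explicit blacklist of the legacy components the post is asking about.
HARDENED_SPEC = (
    "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:ECDHE+AES:"
    "!aNULL:!eNULL:!EXPORT:!MD5:!RC4:!3DES:!DES:!PSK:!SRP"
)

# Suite-name fragments that should never appear in a hardened list.
WEAK_PATTERNS = re.compile(r"RC4|MD5|DES|NULL|EXP|ADH|AECDH")


def expand_cipher_string(spec: str) -> list[str]:
    """Expand an OpenSSL cipher string into the ordered suite names the
    local OpenSSL would offer. Returns [] when nothing matches (for example
    a spec asking only for RC4 on a build that has RC4 compiled out)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return []
    # get_ciphers() lists TLS 1.3 suites first, then the TLS 1.2-and-below
    # suites in the preference order the string produced.
    return [c["name"] for c in ctx.get_ciphers()]


def weak_suites(names: list[str]) -> list[str]:
    """Return the suite names that match a legacy/weak component."""
    return [n for n in names if WEAK_PATTERNS.search(n)]


def audit(spec: str) -> dict:
    """Summarise a cipher string: what it enables and what is still weak."""
    enabled = expand_cipher_string(spec)
    return {"enabled": enabled, "weak": weak_suites(enabled)}


if __name__ == "__main__":
    report = audit(HARDENED_SPEC)
    for name in report["enabled"]:
        print(name)
    print("weak suites still enabled:", report["weak"] or "none")
```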