RC4 deprecation
I think this warrants an issue of its own, as #826 got a bit lengthy.
Current best practices dictate: "Implementations MUST NOT negotiate RC4 cipher suites."
I agree with that, but I'm not sure how this would fit into the semver picture, as it's not really an API change itself, but still has the possibility of breaking connectivity of naive implementations that use the default cipher suite (when the other end of the connection is ancient). Further, the issue is complicated because apparently, our TLS client's ciphers option was never documented.
Semver says we can issue deprecation warnings in a semver-minor, and I think the best course of action would be to document the pending RC4 removal in the release notes and the docs, and finally remove the cipher in 2.0.0. Does this sound reasonable?