RC4 deprecation #844

Closed
@silverwind

I think this warrants an issue of its own, as #826 got a bit lengthy.

Current best practices dictate

Implementations MUST NOT negotiate RC4 cipher suites.

I agree with that, but I'm not sure how this would fit into the semver picture, as it's not really an API change itself, but still has the possibility of breaking connectivity of naive implementations that use the default cipher suite (when the other end of the connection is ancient). Further, the issue is complicated because apparently, our TLS client's ciphers option was never documented.

Semver says we can issue deprecation warnings in a semver-minor, and I think the best course of action would be to document the pending RC4 removal in the release notes and the docs, and finally remove the cipher in 2.0.0. Does this sound reasonable?
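
For code that passes its own `ciphers` value to the TLS client, a check like the one below reports whether an OpenSSL-format cipher string still enables RC4 and builds a variant that excludes it. It is an added example, not part of the original post or the project's code; the function names and the sample string are constructed for illustration, and aliases such as `HIGH` are not expanded.

```javascript
// Added example, not project code. Audits an OpenSSL-format cipher string
// (the format the tls `ciphers` option takes) for RC4 entries.
// Assumption: only explicit suite names and the RC4 keyword are examined;
// aliases such as HIGH or MEDIUM are not expanded, because their membership
// depends on the OpenSSL build in use.

function rc4Entries(cipherString) {
  const enabled = new Set();   // RC4 entries currently switched on
  const killed = new Set();    // entries removed for good with "!"
  let killAll = false;         // set by "!RC4": no RC4 suite can reappear

  for (const token of cipherString.split(/[:, ]+/).filter(Boolean)) {
    const op = '!-+'.includes(token[0]) ? token[0] : '';
    const name = op ? token.slice(1) : token;
    if (!/RC4/i.test(name)) continue;            // not an RC4 entry
    const isKeyword = name.toUpperCase() === 'RC4';

    if (op === '!') {
      if (isKeyword) killAll = true; else killed.add(name);
    } else if (op === '-') {
      if (isKeyword) enabled.clear(); else enabled.delete(name);
    } else if (op === '') {
      enabled.add(name);
    }                                            // "+" only reorders
  }
  if (killAll) return [];
  return [...enabled].filter((name) => !killed.has(name));
}

// Returns the same list with a permanent RC4 exclusion appended.
function withoutRC4(cipherString) {
  const tokens = cipherString.split(/[:, ]+/).filter(Boolean);
  return tokens.some((t) => t.toUpperCase() === '!RC4')
    ? tokens.join(':')
    : [...tokens, '!RC4'].join(':');
}

// Constructed sample, not the project's real default list.
const SAMPLE =
  'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:RC4-SHA:HIGH:!MD5:!aNULL';

console.log(rc4Entries(SAMPLE));
console.log(withoutRC4(SAMPLE));   // value to pass as the `ciphers` option
console.log(rc4Entries(withoutRC4(SAMPLE)));
```

An empty result only means no explicit RC4 entry is enabled; whether an alias pulls RC4 in has to be checked against the OpenSSL build the runtime links.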
