diff --git a/CHANGELOG b/CHANGELOG
index 93ab11628..8944a7510 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,8 @@
 # Nmap Changelog ($Id$); -*-text-*-
 
+o [NSE] ssl-enum-ciphers will cap the score of an RC4-ciphersuite handshake at
+  C and output a warning referencing RFC 7465.
+
 o Changed libdnet-stripped to avoid bailing completely when an interface is
   encountered with an unsupported hardware address type. Caused "INTERFACES:
   NONE FOUND!" bugs in Nmap whenever Linux kernel added new hardware address
diff --git a/nselib/tls.lua b/nselib/tls.lua
index 88aa72d81..9edfbd118 100644
--- a/nselib/tls.lua
+++ b/nselib/tls.lua
@@ -1076,6 +1076,11 @@ function cipher_info (c)
     info.size = tonumber(tokens[i])
   end
 
+  -- Other key size overrides
+  if info.cipher == "RC4" then -- RFC 7465 prohibits RC4 in TLS
+    info.size = math.min(info.size or 80, 80) -- Equivalently caps to C grade?
+  end
+
   -- hash
   if info.mode == "CCM" then
     info.hash = "SHA256"
diff --git a/scripts/ssl-enum-ciphers.nse b/scripts/ssl-enum-ciphers.nse
index 36a3bceb5..fb9b102f6 100644
--- a/scripts/ssl-enum-ciphers.nse
+++ b/scripts/ssl-enum-ciphers.nse
@@ -492,8 +492,8 @@ local function find_ciphers_group(host, port, protocol, group, scores)
             end
             if protocol == "SSLv3" and  info.mode and info.mode == "CBC" then
               scores.warnings["CBC-mode cipher in SSLv3 (CVE-2014-3566)"] = true
-            elseif info.cipher == "RC4" and tls.PROTOCOLS[protocol] >= 0x0302 then
-              scores.warnings["Weak cipher RC4 in TLSv1.1 or newer not needed for BEAST mitigation"] = true
+            elseif info.cipher == "RC4" then
+              scores.warnings["Broken cipher RC4 is deprecated by RFC 7465"] = true
             end
             local kex = tls.KEX_ALGORITHMS[info.kex]
             local extra, kex_strength