[exim] Anyone using SSLv2?

Inizio della pagina
Delete this message
Reply to this message
Autore: Phil Pennock
Data:  
To: exim-users
Oggetto: [exim] Anyone using SSLv2?
Folks,

This month, RFC 6176 was published:
Prohibiting Secure Sockets Layer (SSL) Version 2.0

Is there anyone depending upon being able to speak SSLv2 instead of
SSLv3 or TLS to a remote server?

Note: GnuTLS does not implement SSLv2, and never has. So this only
affects OpenSSL users.

You can currently use tls_require_ciphers to exclude SSLv2 ciphers,
which is the common way that most apps handle this.

For some versions of OpenSSL, we can also explicitly disable SSLv2 via
the mechanism exposed as "openssl_options" inside Exim.

I am inclined to make a non-backwards-compatible change to Exim, to:

* explicitly disable SSLv2 by default
* stop setting dont_insert_empty_fragments while I'm losing backwards
compat anyway; this setting, enabled by default, lowers security to
increase compatibility. Now that we expose openssl_options to the
administrator, we should let those who need this option turn it on
and improve security for everyone else.

Objections?
-Phil