Re: [exim] Anyone using SSLv2?

Author: Martin Hepworth
Date:  
To: exim-users
Subject: Re: [exim] Anyone using SSLv2?
I am at work, but not for email, so that is not a problem for exim ;-)

<grumble>
work still has customers on IE6 pre SP2, yup, you guessed it, all are
local/central government!
</grumble>

--
Martin Hepworth
Oxford, UK


On 22 March 2011 11:19, Phil Pennock <pdp@???> wrote:

> Folks,
>
> This month, RFC 6176 was published:
> Prohibiting Secure Sockets Layer (SSL) Version 2.0
>
> Is there anyone depending upon being able to speak SSLv2 instead of
> SSLv3 or TLS to a remote server?
>
> Note: GnuTLS does not implement SSLv2, and never has. So this only
> affects OpenSSL users.
>
> You can currently use tls_require_ciphers to exclude SSLv2 ciphers,
> which is the common way that most apps handle this.
>
> For some versions of OpenSSL, we can also explicitly disable SSLv2 via
> the mechanism exposed as "openssl_options" inside Exim.
>
> I am inclined to make a non-backwards-compatible change to Exim, to:
>
> * explicitly disable SSLv2 by default
> * stop setting dont_insert_empty_fragments while I'm losing backwards
> compat anyway; this setting, enabled by default, lowers security to
> increase compatibility. Now that we expose openssl_options to the
> administrator, we should let those who need this option turn it on
> and improve security for everyone else.
>
> Objections?
> -Phil
>
> --
> ## List details at http://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
>
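As an added illustration of the two knobs Phil names (not code from the thread or from the Exim project): the script below audits an Exim main-section fragment for an explicit `openssl_options = +no_sslv2`, for an enabled `dont_insert_empty_fragments`, and for a `tls_require_ciphers` string that excludes the SSLv2 cipher group. The two configuration fragments are constructed for the example; the "weak" one reflects the defaults Phil proposes to change, the "hardened" one reflects his proposal. The `+name`/`-name` syntax and case-insensitive option names are how Exim documents `openssl_options`; everything else here (function names, the cipher-string regex) is this example's own choice.

```python
import re

# Constructed Exim main-section fragment (not from the list message) showing the
# pre-change situation Phil describes: SSLv2 not disabled, empty fragments suppressed.
WEAK_CONFIG = """
tls_advertise_hosts = *
tls_certificate = /etc/exim/exim.crt
tls_privatekey = /etc/exim/exim.key
openssl_options = +dont_insert_empty_fragments
tls_require_ciphers = ALL
"""

# Constructed hardened fragment matching the proposal: SSLv2 explicitly off,
# empty-fragment insertion left at OpenSSL's secure behaviour, SSLv2 cipher
# group excluded from the cipher string (OpenSSL cipher-list syntax).
HARDENED_CONFIG = """
tls_advertise_hosts = *
tls_certificate = /etc/exim/exim.crt
tls_privatekey = /etc/exim/exim.key
openssl_options = +no_sslv2
tls_require_ciphers = ALL:!SSLv2:!aNULL:!eNULL
"""


def parse_main_options(text):
    """Return {option: value} for simple 'name = value' lines of an Exim main section.
    Macros, continuation lines and expansion strings are deliberately not handled."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = re.match(r'^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$', line)
        if m:
            opts[m.group(1).lower()] = m.group(2).strip()
    return opts


def parse_openssl_options(value):
    """Parse Exim's openssl_options string ("+name -name ...") into {name: bool}.
    Names are lower-cased (Exim matches them case-insensitively); an item without a
    leading + or - is rejected so a typo cannot silently pass the audit."""
    flags = {}
    for item in value.split():
        if item[0] not in '+-':
            raise ValueError("openssl_options item must start with + or -: %r" % item)
        flags[item[1:].lower()] = (item[0] == '+')
    return flags


def audit(config_text):
    """Return a list of findings; an empty list means the fragment matches the proposal."""
    opts = parse_main_options(config_text)
    findings = []

    flags = parse_openssl_options(opts.get('openssl_options', ''))
    if not flags.get('no_sslv2', False):
        findings.append('openssl_options does not set +no_sslv2')
    if flags.get('dont_insert_empty_fragments', False):
        findings.append('openssl_options enables dont_insert_empty_fragments')

    # Look for the literal !SSLv2 element in the colon-separated OpenSSL cipher list.
    ciphers = opts.get('tls_require_ciphers', '')
    if not re.search(r'(^|:)!SSLv2(:|$)', ciphers):
        findings.append('tls_require_ciphers does not exclude SSLv2 ciphers')
    return findings


if __name__ == '__main__':
    for name, cfg in (('weak', WEAK_CONFIG), ('hardened', HARDENED_CONFIG)):
        print(name, audit(cfg) or 'OK')
```

The audit only sees what the configuration states explicitly; an `openssl_options` line that is absent means Exim's built-in default applies, which is exactly why Phil's proposal to change that default matters for every installation that never set the option. A configuration that passes this check still relies on the OpenSSL build actually honouring `no_sslv2`, which, as the message notes, depends on the OpenSSL version.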