Re: [exim] POODLE advisory from exim-announce

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Viktor Dukhovni
Date:  
À: exim-users
Sujet: Re: [exim] POODLE advisory from exim-announce
On Wed, Oct 29, 2014 at 05:06:32AM +0000, Phil Pennock wrote:

> > > Which clients are you trying to use?
>
> > The Only chiphers that works, is "tls_require_ciphers expands to SECURE256:!VERS-SSL3.0"
> > But now i am getting trouble with a client software saying, that it could not negotiate a proper chipher suite.....
> >
> > "TLS error on connection from android.mywireless [192.168.xxx.xxx] (gnutls_handshake): Could not negotiate a supported cipher suite"
>
> Okay, that gets us a little closer to answering the question which was
> asked, which was "which clients are you trying to use".
>
> I think that you're using Android 2.2 or older, so you don't have TLS
> support. Thus you can't disable SSLv3 in the servers you care about.
> For HTTPS, this is a severe problem, for SMTP it's not (yet).


Also possible that "SECURE256" is simply too restrictive, and the
peer does not support ciphersuites that strong. What's wrong with
"NORMAL:!VERS-SSL3.0"? Surely if "SECURE256" is understood, "NORMAL"
is likely to prove more interoperable.

-- 
    Viktor.