Re: [exim] Exclude TLS_RSA_WITH_SEED_CBC_SHA from cipher lis…

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Cyborg
Date:  
À: exim-users
Sujet: Re: [exim] Exclude TLS_RSA_WITH_SEED_CBC_SHA from cipher list
Am 28.03.2018 um 11:21 schrieb Mike Brudenell via Exim-users:
> But given that most MTA to MTA traffic uses *opportunistic* encryption,
> falling back to cleartext transfers if no encryption can be agreed between
> the servers, isn't it better to continue to offer and use in such
> situations a weak cipher than none at all?


a) this would give a user the false impression, that "it was secured"
which with bad ciphers it isn't anymore.

b) it's getting even worse:

some mailservers even drop the TLS encrypted connection, if the hostname
in the DNS MX entry does not
match the servers presented certificates DN field, just to revert back
to cleartext transport to the exact same server.

sorry to say this, but the level of dumbness of devs implementing that
logic, isn't measureable anymore.

best regards,
marius