Re: [exim] GnuTLS vs OpenSSL

Author: Viktor Dukhovni
Date:  
To: exim-users
Subject: Re: [exim] GnuTLS vs OpenSSL
> On 20 Sep 2021, at 12:24 pm, Andrew C Aitchison via Exim-users <exim-users@???> wrote:
>
> DROWN makes me think it would be sensible not to use the same certificate for SMTP with TLS 1.0 or 1.1
> and any non-SMTP service
> - particularly webmail.


Actually, don't share mail certificates with web certificates, regardless of the
TLS version (even 1.3). There are also application-layer cross protocol attacks
that can cause grief when an HTTP client is talking to an IMAP server, ...

But once you have a dedicated SMTP certificate, there's cause for concern only if
you ignore all the details, and draw the most conservative (dare I say paranoid)
conclusions.

The details matter. TLS 1.0 is not SSL2. It shares the same message structure
and version negotiation mechanisms with TLS 1.2. TLS 1.2 introduces negotiable
signature algorithms (both better and worse!) and a few other minor mostly
positive tweaks, but fundamentally the protocol remains unchanged from 1.0.

The fact that we're talking about opportunistic unauthenticated STARTTLS in
MTA-to-MTA SMTP means that active attacks are out of scope anyway. So TLS
1.0 is harmless, and you can leave it enabled and continue to receive encrypted
email from ~1% of long-tail systems. When that falls below 0.01%, I'll turn it
off. The current TLS 1.0 server population is not yet "negligible" for me, and
supporting these presents no known risk in SMTP.

-- 
    Viktor.
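
The share-of-traffic threshold mentioned in the message can be measured from an MTA's own logs. The following is an added example, not part of the original message or of Exim: a Python tally of negotiated TLS versions on inbound SMTP arrivals. The sample lines are constructed, and the `X=` field layout (`TLS1.x` on GnuTLS builds, `TLSv1`/`TLSv1.x` on OpenSSL builds) is an assumption about the log format.

```python
import re
from collections import Counter

# Constructed sample in the style of Exim's main log (not real traffic).
# Assumption: the X= field carries the protocol as TLS1.x (GnuTLS builds)
# or TLSv1 / TLSv1.x (OpenSSL builds).
SAMPLE_LOG = """\
2021-09-20 12:00:01 1mSAAA-0000aa-01 <= a@example.org H=mx1.example.org [192.0.2.10] P=esmtps X=TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_256_GCM:256 CV=no S=2101
2021-09-20 12:00:02 1mSAAB-0000bb-02 <= b@example.org H=mx2.example.org [192.0.2.11] P=esmtps X=TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_256_GCM:256 CV=no S=1822
2021-09-20 12:00:03 1mSAAC-0000cc-03 <= c@example.net H=out.example.net [198.51.100.5] P=esmtps X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=3310
2021-09-20 12:00:04 1mSAAD-0000dd-04 <= d@example.com H=old.example.com [203.0.113.9] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=990
2021-09-20 12:00:05 1mSAAE-0000ee-05 <= e@example.com H=plain.example.com [203.0.113.20] P=esmtp S=1200
2021-09-20 12:00:06 1mSAAA-0000aa-01 => user@example.edu R=dnslookup T=remote_smtp H=mx.example.edu [198.51.100.77] X=TLS1.0:RSA_AES_256_CBC_SHA1:256 CV=no
2021-09-20 12:00:07 1mSAAF-0000ff-06 <= root@mail.example.org U=root P=local S=640
"""

ARRIVAL = re.compile(r"^\S+ \S+ \S+ <= ")             # date, time, message id, "<="
XFIELD = re.compile(r" X=((?:TLS|SSL)v?)([\d.]+):")   # protocol part of X=

def normalise(proto, version):
    """Map GnuTLS and OpenSSL spellings onto one label, e.g. TLSv1 -> TLS1.0."""
    if "." not in version:
        version += ".0"
    return proto.rstrip("v") + version

def tally(lines):
    """Count negotiated protocol versions on inbound remote arrivals only."""
    counts = Counter()
    for line in lines:
        # Skip deliveries (=>) and local submissions (no H= remote host).
        if not ARRIVAL.match(line) or " H=" not in line:
            continue
        m = XFIELD.search(line)
        counts[normalise(*m.groups()) if m else "cleartext"] += 1
    return counts

def share(counts, version):
    """Fraction of encrypted inbound sessions that used the given version."""
    encrypted = sum(n for v, n in counts.items() if v != "cleartext")
    return counts[version] / encrypted if encrypted else 0.0

def below_threshold(counts, version="TLS1.0", threshold=0.0001):
    """True once the version's share drops under the threshold (0.01% here)."""
    return share(counts, version) < threshold

if __name__ == "__main__":
    c = tally(SAMPLE_LOG.splitlines())
    print(dict(c), f"TLS1.0 share: {share(c, 'TLS1.0'):.2%}", below_threshold(c))
```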