Re: IETF mail server and SSLv3

Viktor Dukhovni <ietf-dane@dukhovni.org> Fri, 26 February 2016 23:47 UTC

Content-Type: text/plain; charset="windows-1252"
Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\))
Subject: Re: IETF mail server and SSLv3
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <56D0D9A2.9040100@ultrawaves.fr>
Date: Fri, 26 Feb 2016 18:46:46 -0500
Content-Transfer-Encoding: 7bit
Message-Id: <98DDE526-410D-4E40-83E1-083F47715E5A@dukhovni.org>
References: <20160225080725.822301A43E@ld9781.wdf.sap.corp> <B608EA62-EF66-4739-A0BF-42BA9B5FB307@dukhovni.org> <56D0D9A2.9040100@ultrawaves.fr>
To: ietf@ietf.org
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/KfXTa4SmOSehZm3gCB9oV_Mi8fg>
Precedence: list
Reply-To: ietf@ietf.org

> On Feb 26, 2016, at 6:02 PM, Solarus <solarus@ultrawaves.fr> wrote:
> 
>>> Disabling SSLv3 can not possibly provide any security benefit here,
>>> but may cause interop problems and less security for a few old peers.
>> 
>> Would you then go further and say that SMTP servers should leave SSLv2
>> and/or EXPORT ciphers or single-DES enabled?  If not, why not?
> 
> No.

"No" as in they should not leave SSLv2/EXPORT/1DES enabled?

> But with SMTP, STARTTLS is an opportunistic encryption, if you don't
> support the maximum of ciphers, the other server will send you mails in
> cleartext.
> And it's worse to receive and send mail in cleartext than with a weak
> encryption.

Your rationale seems to contradict the "No" response.

-- 
	Viktor.

Re: IETF mail server and SSLv3 Lixia Zhang
Re: IETF mail server and SSLv3 John C Klensin
Re: IETF mail server and SSLv3 John Levine
Re: IETF mail server and SSLv3 Viktor Dukhovni
Re: IETF mail server and SSLv3 Viktor Dukhovni
Re: IETF mail server and SSLv3 Phillip Hallam-Baker
IETF mail server and SSLv3 IETF Chair
Re: IETF mail server and SSLv3 tom p.
Re: IETF mail server and SSLv3 Phillip Hallam-Baker
Re: IETF mail server and SSLv3 Jari Arkko
Re: IETF mail server and SSLv3 Phillip Hallam-Baker
Re: IETF mail server and SSLv3 Jari Arkko
Re: IETF mail server and SSLv3 Derek Atkins
Re: IETF mail server and SSLv3 Viktor Dukhovni
Re: IETF mail server and SSLv3 John C Klensin
Re: IETF mail server and SSLv3 Viktor Dukhovni
Re: IETF mail server and SSLv3 ned+ietf
Re: IETF mail server and SSLv3 Viktor Dukhovni
Re: IETF mail server and SSLv3 ned+ietf
Re: IETF mail server and SSLv3 Viktor Dukhovni
Re: IETF mail server and SSLv3 Phillip Hallam-Baker
Re: IETF mail server and SSLv3 ned+ietf
Re: IETF mail server and SSLv3 ned+ietf
Re: IETF mail server and SSLv3 Viktor Dukhovni
Re: IETF mail server and SSLv3 Phillip Hallam-Baker
Re: IETF mail server and SSLv3 John C Klensin
Re: IETF mail server and SSLv3 ned+ietf
Re: IETF mail server and SSLv3 ned+ietf
Re: IETF mail server and SSLv3 Lixia Zhang
Re: IETF mail server and SSLv3 John C Klensin
Re: IETF mail server and SSLv3 Martin Rex
Re: IETF mail server and SSLv3 Viktor Dukhovni
Re: IETF mail server and SSLv3 Solarus
Re: IETF mail server and SSLv3 Viktor Dukhovni
Re: IETF mail server and SSLv3 Solarus
Re: IETF mail server and SSLv3 Viktor Dukhovni
Re: IETF mail server and SSLv3 Martin Rex
Re: IETF mail server and SSLv3 Viktor Dukhovni
Re: IETF mail server and SSLv3 Russ Housley
Re: IETF mail server and SSLv3 Randy Bush
Re: IETF mail server and SSLv3 Stephen Farrell
Re: IETF mail server and SSLv3 Phillip Hallam-Baker
Re: IETF mail server and SSLv3 Viktor Dukhovni
Re: IETF mail server and SSLv3 Doug Barton
RE: IETF mail server and SSLv3 Christian Huitema