Re: IETF mail server and SSLv3

"John Levine" <johnl@taugh.com> Fri, 05 February 2016 21:11 UTC

Date: Fri, 05 Feb 2016 21:10:42 -0000
Message-ID: <20160205211042.74052.qmail@ary.lan>
From: John Levine <johnl@taugh.com>
To: ietf@ietf.org
Subject: Re: IETF mail server and SSLv3
In-Reply-To: <01PWBMOLI82000008P@mauve.mrochek.com>
Organization:
Mime-Version: 1.0
Content-type: text/plain; charset="utf-8"
Content-transfer-encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/ScHCkrw8SHrov6uDTzxEXZ1BVgI>
Cc: ned+ietf@mauve.mrochek.com
Precedence: list

>The issue at hand is whether or not to disable the use of old ciphersuites in
>the IETF's use of STARTTLS in SMTP. Irrespective of the reasons we have for
>doing that, John's point was and is that it can adverse effect on our ability
>to reach everyone who wants to participate. 

Has anyone looked at the logs to see how much SSL3 there actually is?
In my logs, which are doubtless not representative of anyone but
they're what I've got, here's what I see for the past six weeks of
starttls on my IPv4 server:

22617 TLS1.2/X.509/AEAD
16791 TLS1.0/X.509/SHA1
2526 TLS1.2/X.509/SHA256
2069 TLS1.2/X.509/SHA384
1058 TLS1.2/X.509/SHA1
 339 TLS1.1/X.509/SHA1
 232 SSL3.0/X.509/SHA1
 147 TLS1.0/X.509/MD5
   8 TLS1.0/X.509/SHA256

And here's the past year on my lower volume IPv6 server:

130886 TLS1.2/X.509/AEAD
44172 TLS1.0/X.509/SHA1
6610 TLS1.2/X.509/SHA1
1485 TLS1.1/X.509/SHA1
 259 TLS1.2/X.509/SHA384

(The much higher numbers are mostly because gmail sends all their mail
to me over IPv6 with TLS.)

I was surprised to see 237 SSL3 connections, so I looked at the ones
in the past day, all of which are from two servers on a network in
Turkey running ancient versions of Merak, and trying to send me spam.
One is sending spam from the bogus domain globalconferences.org (no A,
AAAA, or MX record) presumably for fake conferences.  So at least
here, rejecting SSL3 would only block a little spam.

What do other people see?

R's,
John

Re: IETF mail server and SSLv3 Lixia Zhang
Re: IETF mail server and SSLv3 John C Klensin
Re: IETF mail server and SSLv3 John Levine
Re: IETF mail server and SSLv3 Viktor Dukhovni
Re: IETF mail server and SSLv3 Viktor Dukhovni
Re: IETF mail server and SSLv3 Phillip Hallam-Baker
IETF mail server and SSLv3 IETF Chair
Re: IETF mail server and SSLv3 tom p.
Re: IETF mail server and SSLv3 Phillip Hallam-Baker
Re: IETF mail server and SSLv3 Jari Arkko
Re: IETF mail server and SSLv3 Phillip Hallam-Baker
Re: IETF mail server and SSLv3 Jari Arkko
Re: IETF mail server and SSLv3 Derek Atkins
Re: IETF mail server and SSLv3 Viktor Dukhovni
Re: IETF mail server and SSLv3 John C Klensin
Re: IETF mail server and SSLv3 Viktor Dukhovni
Re: IETF mail server and SSLv3 ned+ietf
Re: IETF mail server and SSLv3 Viktor Dukhovni
Re: IETF mail server and SSLv3 ned+ietf
Re: IETF mail server and SSLv3 Viktor Dukhovni
Re: IETF mail server and SSLv3 Phillip Hallam-Baker
Re: IETF mail server and SSLv3 ned+ietf
Re: IETF mail server and SSLv3 ned+ietf
Re: IETF mail server and SSLv3 Viktor Dukhovni
Re: IETF mail server and SSLv3 Phillip Hallam-Baker
Re: IETF mail server and SSLv3 John C Klensin
Re: IETF mail server and SSLv3 ned+ietf
Re: IETF mail server and SSLv3 ned+ietf
Re: IETF mail server and SSLv3 Lixia Zhang
Re: IETF mail server and SSLv3 John C Klensin
Re: IETF mail server and SSLv3 Martin Rex
Re: IETF mail server and SSLv3 Viktor Dukhovni
Re: IETF mail server and SSLv3 Solarus
Re: IETF mail server and SSLv3 Viktor Dukhovni
Re: IETF mail server and SSLv3 Solarus
Re: IETF mail server and SSLv3 Viktor Dukhovni
Re: IETF mail server and SSLv3 Martin Rex
Re: IETF mail server and SSLv3 Viktor Dukhovni
Re: IETF mail server and SSLv3 Russ Housley
Re: IETF mail server and SSLv3 Randy Bush
Re: IETF mail server and SSLv3 Stephen Farrell
Re: IETF mail server and SSLv3 Phillip Hallam-Baker
Re: IETF mail server and SSLv3 Viktor Dukhovni
Re: IETF mail server and SSLv3 Doug Barton
RE: IETF mail server and SSLv3 Christian Huitema