Re: Last Call: SMTP Service Extension for Secure SMTP over TLS to Proposed Standard

2001-07-27 18:01:17

: I've seen zero discussion of the extent of broken vs. conforming
: implementations in groups that are frequented by SMTP implementors.
: All I've seen is your claim that most client implementations fail to
: follow the spec in sending TLS 1.0 Hello messages.  No offense,
: but I don't think that's sufficient justification to change the spec.

[Please excuse me if I don't have the full story here, but this crept over
onto ietf-smtp from ietf-apps-tls, and I think something's been missed here.
I'm making this response under the assumption, gleaned from the context of
the crossposts, that the current draft SMTP-TLS spec says that TLS 1.0 is
required and SSL 2.0/3.0 is not sufficient for a client.]

One very important thing to note is that clients on Microsoft's rather
popular OS family (as much as I loathe it personally) will *not* use TLS 1.0
at all, by default.

The reason for this is that the MS crypto APIs provide SSL/TLS functionality
built-in, and Win32-native client programs typically use them with default
settings -- which are the settings in Internet Exploder, where TLS 1.0 is
still not enabled by default as of version 5.5.  (Only SSL 2.0 and SSL 3.0
are; much to my surprise for a Microsoft product, MS's own proprietary "PCT
1.0" isn't turned on by default either.  8-)

-- Todd Vierling (tv(_at_)pobox(_dot_)com)
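For anyone who wants to measure, rather than argue about, what version their SMTP clients actually offer after STARTTLS: the following is an added example, not code from this thread, that classifies a captured ClientHello by format (SSLv2-compatible CLIENT-HELLO versus an SSLv3/TLS record) and by the highest version the client advertises. The two captures at the bottom are constructed for illustration; the helper names and field layouts follow the SSL 2.0/3.0 and TLS 1.0 wire formats.

```python
import struct

# Version numbers as carried on the wire, as (major, minor) byte pairs.
# SSL 2.0 encodes its version as 0x0002, so it appears here as (0, 2).
VERSION_NAMES = {
    (0, 2): "SSL 2.0", (3, 0): "SSL 3.0", (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1", (3, 3): "TLS 1.2",
}

def parse_client_hello(data: bytes) -> dict:
    """Return the hello format and the highest version the client offers."""
    if len(data) < 11:
        raise ValueError("too short to be a ClientHello")
    if data[0] & 0x80 and data[2] == 0x01:
        # SSLv2 record: 2-byte length with the high bit set, msg type 0x01,
        # then the 2-byte maximum version the client will use (0x0300 = SSL 3.0).
        version = (data[3], data[4])
        return {"format": "SSLv2-compatible", "max_version": version,
                "name": VERSION_NAMES.get(version, "unknown")}
    if data[0] == 0x16 and data[5] == 0x01:
        # SSLv3/TLS record: type 0x16, record version, 2-byte length, then a
        # handshake header (type 0x01, 3-byte length) followed by client_version.
        record_version = (data[1], data[2])
        version = (data[9], data[10])
        return {"format": "SSLv3/TLS record", "record_version": record_version,
                "max_version": version, "name": VERSION_NAMES.get(version, "unknown")}
    raise ValueError("not a recognised ClientHello")

def offers_tls10(data: bytes) -> bool:
    """True if the client advertises TLS 1.0 or newer as its maximum version."""
    return parse_client_hello(data)["max_version"] >= (3, 1)

def make_sslv2_hello(max_version: bytes) -> bytes:
    """Constructed SSLv2-compatible CLIENT-HELLO: one cipher spec, 16-byte challenge."""
    body = b"\x01" + max_version + struct.pack("!HHH", 3, 0, 16) + b"\x00\x00\x0a" + b"\x00" * 16
    return struct.pack("!H", 0x8000 | len(body)) + body

def make_tls_hello(version: bytes) -> bytes:
    """Constructed SSLv3/TLS-record ClientHello: zero random, one suite, null compression."""
    hello = version + b"\x00" * 32 + b"\x00" + struct.pack("!H", 2) + b"\x00\x0a" + b"\x01\x00"
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + version + struct.pack("!H", len(handshake)) + handshake

# Constructed captures: a client limited to SSL 2.0/3.0 (the default the message
# above describes) versus one that offers TLS 1.0.
LEGACY_HELLO = make_sslv2_hello(b"\x03\x00")
TLS10_HELLO = make_tls_hello(b"\x03\x01")

if __name__ == "__main__":
    for label, capture in (("legacy", LEGACY_HELLO), ("tls", TLS10_HELLO)):
        info = parse_client_hello(capture)
        print(label, info["format"], info["name"], "offers TLS 1.0:", offers_tls10(capture))
```

Running it over real captures from an SMTP server's port 25 after STARTTLS gives a count of clients that would fail a TLS 1.0-only policy before that policy is enforced.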

