The issue at hand is whether or not to disable the use of old ciphersuites in
the IETF's use of STARTTLS in SMTP. Irrespective of the reasons we have for
doing that, John's point was and is that it can have an adverse effect on our ability
to reach everyone who wants to participate.
Has anyone looked at the logs to see how much SSL3 there actually is?
In my logs, which are doubtless not representative of anyone but
they're what I've got, here's what I see for the past six weeks of
starttls on my IPv4 server:
22617 TLS1.2/X.509/AEAD
16791 TLS1.0/X.509/SHA1
2526 TLS1.2/X.509/SHA256
2069 TLS1.2/X.509/SHA384
1058 TLS1.2/X.509/SHA1
339 TLS1.1/X.509/SHA1
232 SSL3.0/X.509/SHA1
147 TLS1.0/X.509/MD5
8 TLS1.0/X.509/SHA256
And here's the past year on my lower volume IPv6 server:
130886 TLS1.2/X.509/AEAD
44172 TLS1.0/X.509/SHA1
6610 TLS1.2/X.509/SHA1
1485 TLS1.1/X.509/SHA1
259 TLS1.2/X.509/SHA384
(The much higher numbers are mostly because gmail sends all their mail
to me over IPv6 with TLS.)
I was surprised to see 237 SSL3 connections, so I looked at the ones
in the past day, all of which are from two servers on a network in
Turkey running ancient versions of Merak, and trying to send me spam.
One is sending spam from the bogus domain globalconferences.org (no A,
AAAA, or MX record) presumably for fake conferences. So at least
here, rejecting SSL3 would only block a little spam.
What do other people see?
R's,
John
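The message above tallies STARTTLS sessions by protocol version and cipher class and then looks up which peers are still negotiating SSL3 before deciding whether to turn it off. The script below is an added example (not part of the original message, and not from any MTA's own tooling) that does the same two things over constructed log lines modelled on the Postfix smtpd "TLS connection established" message; the host names, addresses and cipher names in SAMPLE_LOG are made up, and the mapping from cipher name to digest class (AEAD, SHA1, SHA256, SHA384, MD5) is an assumption about OpenSSL-style names, not something the original message defines.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (not real traffic), modelled on the Postfix smtpd
# "<Anonymous|Untrusted|Trusted> TLS connection established from ..." format.
SAMPLE_LOG = """\
Oct  9 10:01:02 mx postfix/smtpd[2101]: Anonymous TLS connection established from mail-a.example.net[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Oct  9 10:02:15 mx postfix/smtpd[2105]: Untrusted TLS connection established from mail-b.example.org[198.51.100.7]: TLSv1 with cipher AES256-SHA (256/256 bits)
Oct  9 10:03:44 mx postfix/smtpd[2110]: Anonymous TLS connection established from old-relay.example.com[203.0.113.5]: SSLv3 with cipher DES-CBC3-SHA (168/168 bits)
Oct  9 10:04:01 mx postfix/smtpd[2112]: Anonymous TLS connection established from mail-a.example.net[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Oct  9 10:05:30 mx postfix/smtpd[2118]: Anonymous TLS connection established from old-relay.example.com[203.0.113.5]: SSLv3 with cipher RC4-MD5 (128/128 bits)
Oct  9 10:06:12 mx postfix/smtpd[2120]: Trusted TLS connection established from mail-c.example.net[192.0.2.44]: TLSv1.1 with cipher AES128-SHA (128/128 bits)
Oct  9 10:07:00 mx postfix/smtpd[2122]: Anonymous TLS connection established from mail-d.example.org[198.51.100.9]: TLSv1.2 with cipher AES128-SHA256 (128/128 bits)
Oct  9 10:07:30 mx postfix/smtpd[2123]: disconnect from unknown[198.51.100.99]
"""

# Matches the peer, the negotiated protocol and the cipher suite name.
LINE_RE = re.compile(
    r"TLS connection established from (?P<host>\S+?)\[(?P<ip>[^\]]+)\]: "
    r"(?P<proto>SSLv[23]|TLSv1(?:\.[0-9])?) with cipher (?P<cipher>\S+)"
)


def normalise_proto(proto):
    """Map OpenSSL-style names to the 'TLS1.0' / 'SSL3.0' style used in the tally."""
    if proto.startswith("SSLv"):
        return "SSL" + proto[4:] + ".0"
    version = proto[4:]            # "1" or "1.2"
    return "TLS" + (version if "." in version else version + ".0")


def mac_class(cipher):
    """Classify a cipher suite by its integrity mechanism (assumed naming scheme)."""
    if any(token in cipher for token in ("GCM", "CCM", "CHACHA20")):
        return "AEAD"
    if cipher.endswith("SHA384"):
        return "SHA384"
    if cipher.endswith("SHA256"):
        return "SHA256"
    if cipher.endswith("SHA"):
        return "SHA1"
    if cipher.endswith("MD5"):
        return "MD5"
    return "OTHER"


def parse_log(text):
    """Yield one record per successfully negotiated STARTTLS session."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield {
                "peer": f"{m['host']}[{m['ip']}]",
                "proto": normalise_proto(m["proto"]),
                "mac": mac_class(m["cipher"]),
                "cipher": m["cipher"],
            }


def summarise(text):
    """Counter keyed like the tally in the message, e.g. 'TLS1.2/AEAD'."""
    return Counter(f"{r['proto']}/{r['mac']}" for r in parse_log(text))


def peers_using(text, proto="SSL3.0"):
    """Which peers still negotiate the given protocol, and how often: the
    check to run before disabling it, so you know who would be cut off."""
    peers = defaultdict(int)
    for r in parse_log(text):
        if r["proto"] == proto:
            peers[r["peer"]] += 1
    return dict(peers)


if __name__ == "__main__":
    for key, n in summarise(SAMPLE_LOG).most_common():
        print(f"{n:6d} {key}")
    print("SSL3 peers:", peers_using(SAMPLE_LOG))
```

Run it against a real mail log by replacing SAMPLE_LOG with the file contents; the interesting output is the peers_using list, since a handful of legacy senders (or, as in the message, spam sources) is a very different risk picture from a long tail of real correspondents.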