Viktor Dukhovni wrote:
On Tue, Feb 02, 2016 at 09:00:02PM -0500, Derek Atkins wrote:
Have you disabled non-TLS SMTP transport, too?
That would clearly be premature.
If not, isn't there a chance that disabling SSLv3 will cause *SOME*
email to fallback to non-encrypted?
A very small chance, but given the rapidly diminishing and already
negligible fraction of systems that are only capable of SSLv3, this
is an acceptable cost of reducing the attack surface and opportunities
for downgrade and other attacks against the vast majority of
remaining systems.
I'm sorry, but this information is strange.
There exists *NO* downgrade vulnerability in TLS.
There is a well-known-stupid unprotected "downgrade dance" implemented
in a few web browsers, but that is something entirely different, and
not a property of TLS or SSLv3.
Btw. even SSLv3 still provides *ALL* the security properties officially
documented for TLSv1.2 in rfc5246 Appendix F.
What SSLv3 does not provide, however, is additional protection against
obvious abuses of the TLS protocol beyond its original security goals,
such as by ^SSL VPNs and Web Browsers. For authentication-less
SMTP and programmatic clients, the original scope of TLS is sufficient,
and therefore SSLv3 a perfectly sensible option.
Disabling SSLv3 can not possibly provide any security benefit here,
but may cause interop problems and less security for a few old peers.
-Martin