On Feb 25, 2016, at 3:07 AM, Martin Rex <mrex(_at_)sap(_dot_)com> wrote:
I'm sorry, but this information is strange.
There exists *NO* downgrade vulnerability in TLS.
There is a well-known-stupid unprotected "downgrade dance" implemented
in a few web browsers, but that is something entirely different, and
not a property of TLS or SSLv3.
Btw. even SSLv3 still provides *ALL* the security properties officially
documented for TLSv1.2 in rfc5246 Appendix F.
What SSLv3 does not provide, however, is additional protection against
obvious abuses of the TLS protocol beyond its original security goals,
such as by ^SSL VPNs and Web Browsers. For authentication-less
SMTP and programmatic clients, the original scope of TLS is sufficient,
and therefore SSLv3 a perfectly sensible option.
Disabling SSLv3 can not possibly provide any security benefit here,
but may cause interop problems and less security for a few old peers.
Would you then go further and say that SMTP servers should leave SSLv2
and/or EXPORT ciphers or single-DES enabled? If not, why not?
--
Viktor.