nmh-workers

Re: [Nmh-workers] TLS with smtp not working for me

2017-05-31 10:27:34
On Wed, 31 May 2017 10:19:37 -0400, Ken Hornstein said:

> After some experimentation with openssl s_client, it seems that the
> highest level of TLS that the server smtp.uu.se supports is TLS 1.0!
> Which is actually kind of surprising to me.  That seems ... wrong,
> somehow?  But anyway, if you remove the SSL_OP_NO_TLSv1 in abovementioned
> line, I think everything will work fine.
>
> I am kind of torn about this.  The stuff I have been seeing is that most
> everybody should be moving to TLS 1.1 or greater, and I thought all of
> the servers out there had supported this a long time ago.  What do others
> think?

4346 The Transport Layer Security (TLS) Protocol Version 1.1. T. Dierks,
     E. Rescorla. April 2006. (Format: TXT=187041 bytes) (Obsoletes
     RFC2246) (Obsoleted by RFC5246) (Updated by RFC4366, RFC4680,
     RFC4681, RFC5746, RFC6176, RFC7465, RFC7507, RFC7919) (Status:
     PROPOSED STANDARD) (DOI: 10.17487/RFC4346)

That RFC is over 11 years old now.

5246 The Transport Layer Security (TLS) Protocol Version 1.2. T. Dierks,
     E. Rescorla. August 2008. (Format: TXT=222395 bytes) (Obsoletes
     RFC3268, RFC4346, RFC4366) (Updates RFC4492) (Updated by RFC5746,
     RFC5878, RFC6176, RFC7465, RFC7507, RFC7568, RFC7627, RFC7685,
     RFC7905, RFC7919) (Status: PROPOSED STANDARD) (DOI:
     10.17487/RFC5246)

And that one is pushing 9.  TLS 1.0 has not been allowed in PCI environments for
over a year now:

https://blog.varonis.com/ssl-and-tls-1-0-no-longer-acceptable-for-pci-compliance/

I'd say leave the actual code as-is, but add a comment saying what to do if
your mail provider is stuck in the stone age, and a mention in the release 
notes.
