Hi. The error message in the subject occurred when I installed Courier 0.58 with default configuration files and then connected with OpenSSL (while connecting with GnuTLS worked).

The fix is rather trivial:

TLS_PROTOCOL=SSL23

One could think that setting this to SSL3 is equivalent because no one uses SSLv2 any more in real life (remember, Firefox has not supported it for a long time). But it's not. When set to SSL23, TLSv1 is also automatically enabled; the comment inside the config files is wrong on this point.

Additionally, if you do not want to support SSLv2, use this setting:

TLS_CIPHER_LIST="SSLv3:TLSv1:!SSLv2:HIGH:!LOW:!MEDIUM:!EXP:[EMAIL PROTECTED]"

It disables SSLv2 and all weak ciphers. We have run a production server with this cipher list for years and did not get a single complaint about it, so it's pretty safe to do so.

Sam, last year you said that a fallback from TLSv1 to SSLv3 is not possible with OpenSSL. With this setup it is; I tested it.

Wouldn't it make sense to update the default configuration to "SSL23" so that it works with in-the-wild OpenSSL clients?

regards,
Bernd
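As an added check (example code written for this page, not from the post or from the Courier project), a small Python audit that parses a Courier-style imapd-ssl/pop3d-ssl config and flags the two settings the post discusses: a TLS_PROTOCOL other than SSL23, and a TLS_CIPHER_LIST that does not exclude SSLv2 or still enables LOW/MEDIUM/EXP classes. The two sample configs are constructed, and the final component of the cipher list quoted in the post is garbled on this page, so it is left out of the sample.

```python
import shlex

# Constructed sample in the style of Courier's imapd-ssl file (not the shipped file).
# TLS_PROTOCOL=SSL3 is the setting the post warns about: it does not negotiate TLSv1.
WEAK_CONFIG = """\
# TLS_PROTOCOL sets the protocol version to use.
TLS_PROTOCOL=SSL3
TLS_CIPHER_LIST="SSLv3:TLSv1:HIGH:MEDIUM:LOW:EXP"
"""

# Constructed sample with the settings recommended in the post
# (the garbled last cipher-list component from the post is omitted).
FIXED_CONFIG = """\
TLS_PROTOCOL=SSL23
TLS_CIPHER_LIST="SSLv3:TLSv1:!SSLv2:HIGH:!LOW:!MEDIUM:!EXP"
"""


def parse_config(text):
    """Parse KEY=VALUE lines with shell-style quoting and '#' comments into a dict."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        # shlex strips the surrounding quotes the way a shell would
        settings[key.strip()] = "".join(shlex.split(value))
    return settings


def audit_tls(settings):
    """Return a list of findings; an empty list means the config matches the advice."""
    findings = []
    proto = settings.get("TLS_PROTOCOL", "")
    if proto != "SSL23":
        findings.append(f"TLS_PROTOCOL={proto!r}: only SSL23 negotiates both SSLv3 and TLSv1 with OpenSSL clients")
    ciphers = settings.get("TLS_CIPHER_LIST", "")
    tokens = [t.strip() for t in ciphers.split(":") if t.strip()]
    if "!SSLv2" not in tokens:
        findings.append("TLS_CIPHER_LIST does not exclude SSLv2 suites (add !SSLv2)")
    for weak in ("LOW", "MEDIUM", "EXP"):
        if weak in tokens:  # exact token match, so '!LOW' does not trigger this
            findings.append(f"TLS_CIPHER_LIST enables weak class {weak} (use !{weak})")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, audit_tls(parse_config(cfg)) or ["ok"])
```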
_______________________________________________ courier-users mailing list [email protected] Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
