Gordon Messmer writes:

Sam Varshavchik wrote:

Probably won't ditch, but adjust the default settings, so everything should work by default.

The point that I tried to illustrate, after doing the testing, was that there's no point to that setting. Nothing can be made better by changing it.

I disagree. One of the reasons -- not the only one, but one of the factors -- that precipitated this whole discussion is that someone had made a reasonable argument that, for policy reasons, they wanted to disable SSL2. Additionally, it is a reasonable position to have a policy that, for example, allowed only DH-based ciphers. As such, access to the underlying SSL knobs is needed. The balance that must be struck is to have reasonable defaults, but yet still allow access to these configuration settings.

http://phantom.dragonsdawn.net/~gordon/courier-tls.html

I'm still irritated that you couldn't be bothered to save the mime part and look at the test results after I spent the time to do that work. Testing took hours; looking at the results would have taken you two minutes, tops. Some days you can be pretty uncooperative with people who put an honest effort into helping you improve your project.

I'm afraid that most of my daylight hours are spent doing things that allow me to spend only a few hours a day answering my mail. Those are the facts of life, that's simply just the way things are. It's not that I do not appreciate you taking the time to do some research here -- it is very much appreciated -- it's just that a concise, capsule summary of your findings would've worked better for me.

It's fairly clear to me that what needs to be done now is to make the previously-mentioned settings the default ones on the server side, and I'm going to do just that. These defaults will be compiled in and used in the absence of any explicit settings in the configuration file. And the configuration files will not have any explicit settings by default; although I will not bump the revision labels, so anyone who has them explicitly set will not get a rude surprise after upgrading.

The only thing that remains unclear is what should be the defaults on the client side. There are two distinct cases here: protocol-over-SSL, and STARTTLS-after-protocol, that might require different default settings.


courier-users mailing list