Folks, This month, RFC 6176 was published: Prohibiting Secure Sockets Layer (SSL) Version 2.0
Is there anyone depending upon being able to speak SSLv2 instead of SSLv3 or TLS to a remote server? Note: GnuTLS does not implement SSLv2, and never has. So this only affects OpenSSL users. You can currently use tls_require_ciphers to exclude SSLv2 ciphers, which is the common way that most apps handle this. For some versions of OpenSSL, we can also explicitly disable SSLv2 via the mechanism exposed as "openssl_options" inside Exim. I am inclined to make a non-backwards-compatible change to Exim, to: * explicitly disable SSLv2 by default * stop setting dont_insert_empty_fragments while I'm losing backwards compat anyway; this setting, enabled by default, lowers security to increase compatibility. Now that we expose openssl_options to the administrator, we should let those who need this option turn it on and improve security for everyone else. Objections? -Phil -- ## List details at http://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
