I am at work, but not for email, so that's not a problem for exim ;-)

<grumble> work still has customers on IE6 pre SP2, yup you guessed it, all are local/central government! </grumble>
--
Martin Hepworth
Oxford, UK

On 22 March 2011 11:19, Phil Pennock <[email protected]> wrote:
> Folks,
>
> This month, RFC 6176 was published:
>   Prohibiting Secure Sockets Layer (SSL) Version 2.0
>
> Is there anyone depending upon being able to speak SSLv2 instead of
> SSLv3 or TLS to a remote server?
>
> Note: GnuTLS does not implement SSLv2, and never has. So this only
> affects OpenSSL users.
>
> You can currently use tls_require_ciphers to exclude SSLv2 ciphers,
> which is the common way that most apps handle this.
>
> For some versions of OpenSSL, we can also explicitly disable SSLv2 via
> the mechanism exposed as "openssl_options" inside Exim.
>
> I am inclined to make a non-backwards-compatible change to Exim, to:
>
> * explicitly disable SSLv2 by default
> * stop setting dont_insert_empty_fragments while I'm losing backwards
>   compat anyway; this setting, enabled by default, lowers security to
>   increase compatibility. Now that we expose openssl_options to the
>   administrator, we should let those who need this option turn it on
>   and improve security for everyone else.
>
> Objections?
> -Phil
>
> --
> ## List details at http://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
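
Added example, not part of the thread and not Exim code: a small audit of an Exim configuration fragment for the two settings discussed above. It assumes the `+name` / `-name` item syntax of openssl_options and the item name `no_sslv2`; it looks only at explicit settings and does not model Exim's built-in defaults, which differ between versions. The sample configuration is constructed.

```python
import re

# Constructed sample of an Exim main-section fragment (not taken from the thread).
SAMPLE_CONF = """\
# TLS settings
tls_advertise_hosts = *
openssl_options = +dont_insert_empty_fragments
tls_require_ciphers = ALL:!ADH:\\
    !EXPORT
"""

def read_options(text):
    """Parse 'name = value' lines, joining backslash-continued lines."""
    opts, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1].rstrip()
            continue
        line, pending = pending + line, ""
        m = re.match(r"(\w+)\s*=\s*(.*)$", line)
        if m:
            opts[m.group(1)] = m.group(2).strip()
    return opts

def effective_flags(value):
    """Apply +name / -name items left to right; '-all' clears everything so far."""
    flags = set()
    for item in value.split():
        if item == "-all":
            flags.clear()
        elif item.startswith("+"):
            flags.add(item[1:])
        elif item.startswith("-"):
            flags.discard(item[1:])
    return flags

def audit_tls(opts):
    """Return findings for the two settings discussed in the thread."""
    flags = effective_flags(opts.get("openssl_options", ""))
    ciphers = re.split(r"[:, ]+", opts.get("tls_require_ciphers", ""))
    findings = []
    if "no_sslv2" not in flags and "!SSLv2" not in ciphers:
        findings.append("SSLv2 not excluded by openssl_options or tls_require_ciphers")
    if "dont_insert_empty_fragments" in flags:
        findings.append("dont_insert_empty_fragments is set (compatibility over security)")
    return findings

if __name__ == "__main__":
    for finding in audit_tls(read_options(SAMPLE_CONF)):
        print("WARN:", finding)
```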
