On 26 May 2025 at 11:49:33 UTC, Viktor Dukhovni via Exim-users
<exim-users@lists.exim.org> wrote:

>There are no known practical attacks on 3DES (112-bit keys) and SHA1
>(HMAC) in TLS in the context of SMTP.  There are some browser-specific
>issues with CBC ciphers because TLS did MAC-then-encrypt rather than
>encrypt-then-MAC, but these required scripting many connections to
>possibly leak cookie information.  These attacks don't apply to SMTP.

AFAIK 3DES was deprecated (and disallowed after 2023) by NIST.
I believe that there is some good reason for that...

>The SHA1 collision attacks don't apply to TLS, for that you'd need
>a 2nd-preimage attack, which is not even yet known for MD5.

Yes, I mixed up the certificate and its signature here.

>This is a reasonable choice for the *generic* application, which is
>not doing opportunistic TLS, and possibly shares some of the browser
>attack surfaces.  It is less compelling for SMTP, but with the passage
>of time, as noted above, the impact of dropping support for TLS 1.0/1.1
>is becoming insignificant...

I still do not understand one thing: why is so much effort invested
in advocating old (deprecated) versions of TLS? I understand that
deprecated doesn't mean disallowed; I understand it as "avoid if
possible". And when one decides that it is possible (or acceptable)
to avoid it, where is the problem? Theoretical interoperability with
old SW? Or do the reasons come from the bad side of Power?

I have some old scanners at work not able to do modern TLS (even
one not able to do TLS at all), I keep a dedicated MTA for them and I do not
expect that the whole world has to support old things.

>So you perhaps (using suitable Exim settings) include "@SECLEVEL=1"
>in your cipherlist, or perhaps (if supported) set the protocol floor
>to TLSv1.2.

I use Exim with GnuTLS, because a) it is the default in Debian and
b) I like the GnuTLS configuration more. But yes, I have had the min protocol
version set in both the OpenSSL and GnuTLS configs on all
publicly accessible hosts/services to TLS1.2 for at least 2 years
(on some even longer) where possible.

regards


-- 
Slavko
https://www.slavino.sk/
