On 2024-03-13 at 10:56:53 UTC-0400 (Wed, 13 Mar 2024 15:56:53 +0100)
Marco Moock via mailop <m...@dorfdsl.de>
is rumored to have said:

> On 13.03.2024 at 10:43:27 Bill Cole via mailop wrote:
>
>> Without one, disabling them is a cargo-cult praxis that is worse than
>> any false sense of security provided to oblivious peers who can't do
>> TLSv1.2 or better.
>
> What are legitimate reasons today not to use TLS 1.2 or 1.3?

I have no idea what the reasons might be for systems that I do not manage. Systems that I *do* manage receive legitimate email which is affirmatively wanted by the intended recipients over TLSv1.0 connections, which is an adequate legitimate reason to allow it, given that the added risk of allowing all TLS versions is, as far as I can tell, zero. The hypothetical vulnerabilities for TLSv1.0 and 1.1 I've tried to research fall apart in the context of SMTP and the ability to refuse known-weak ciphersuites.

I also have some legacy devices (not ones directly used by humans) which cannot be updated to use TLSv1.2 and need to send mail very rarely but when they do, I very much want it. Obviously I *could* treat those as a set of special cases, but why bother? Such configuration just adds complexity unnecessarily.



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
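An added illustration of the policy Bill describes above (accept legacy TLS versions on opportunistic SMTP connections, but refuse known-weak cipher suites), written here for this thread and not code from either poster. The thread names no specific suites, so the `WEAK_EXCLUSIONS` cipher string and the `WEAK_MARKERS` check are my own assumed policy; the strict context is the TLSv1.2-or-better alternative Marco's question implies.

```python
import ssl
from collections import defaultdict

# Assumed exclusion list in OpenSSL cipher-string syntax; the thread speaks of
# refusing "known-weak ciphersuites" without naming them, so this set is mine.
WEAK_EXCLUSIONS = "!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK:!SRP"

# Substrings that must not appear in any offered suite name after filtering.
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT")


def permissive_smtp_context() -> ssl.SSLContext:
    """Server context in the spirit of the policy above: TLSv1.0 and up are
    accepted for opportunistic STARTTLS, but only filtered suites are offered."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1    # legacy peers can still negotiate
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    ctx.set_ciphers("HIGH:" + WEAK_EXCLUSIONS)    # protocol floor != cipher floor
    return ctx


def strict_smtp_context() -> ssl.SSLContext:
    """The alternative: TLSv1.2 or better only, same cipher filter."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("HIGH:" + WEAK_EXCLUSIONS)
    return ctx


def offered_ciphers(ctx: ssl.SSLContext) -> list:
    """Suite names OpenSSL would actually offer for this context."""
    return [c["name"] for c in ctx.get_ciphers()]


def weak_cipher_names(names) -> list:
    """Suites that slipped past the exclusion list (expected: none)."""
    return [n for n in names if any(m in n for m in WEAK_MARKERS)]


def ciphers_by_protocol(ctx: ssl.SSLContext) -> dict:
    """Group offered suites by the protocol version OpenSSL tags them with,
    which shows what a TLSv1.0-only peer can still reach after filtering."""
    groups = defaultdict(list)
    for c in ctx.get_ciphers():
        groups[c["protocol"]].append(c["name"])
    return dict(groups)


def legacy_versions_allowed(ctx: ssl.SSLContext) -> bool:
    """True when the context still admits a handshake below TLSv1.2."""
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_2
```

Running `ciphers_by_protocol(permissive_smtp_context())` on a current OpenSSL shows that a TLSv1.0 peer is limited to the CBC-SHA suites that survive the filter, while AEAD suites stay TLSv1.2+ only.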
