On Mon, Oct 15, 2018 at 06:56:06PM +0100, Matt Caswell wrote: > > What do you make of the > > idea of making it possible for servers to accept downgrades (to some > > floor protocol version or all supported versions)? > > I'm really not keen on that idea at all.
I understand the healthy skepticism, but it may worthwhile to keep in mind that for SMTP the consequence of not accepting fallback to TLS 1.2, is accepting fallback to cleartext! So protocol downgrade protection looks somewhat silly. The only counter-argument I can think of is that some clients in fact do mandatory authenticated TLS (e.g. with DANE, MTA-STS or local policy), and they will not fall back to cleartext. On the other hand, no MTA I know of does attempts (valid) browser-style protocol fallback after a connection failure. So the clients that insist on security (Postfix, Exim, ...) just defer the mail when the TLS handshake fails. In the SMTP ecosystem enforcing FALLBACK_SCSV is pretty much counter-productive (only reduces security to cleartext for opportunistic clients, and does not at all help non-opportunistic clients get through to servers that don't support TLS 1.3, and fail the handshake if you try). -- Viktor. _______________________________________________ openssl-project mailing list firstname.lastname@example.org https://mta.openssl.org/mailman/listinfo/openssl-project