On 15/10/18 20:41, Viktor Dukhovni wrote:
> On Mon, Oct 15, 2018 at 06:56:06PM +0100, Matt Caswell wrote:
>>> What do you make of the
>>> idea of making it possible for servers to accept downgrades (to some
>>> floor protocol version or all supported versions)?
>> I'm really not keen on that idea at all.
> I understand the healthy skepticism, but it may worthwhile to keep
> in mind that for SMTP the consequence of not accepting fallback to
> TLS 1.2, is accepting fallback to cleartext! So protocol downgrade
> protection looks somewhat silly.
> The only counter-argument I can think of is that some clients in
> fact do mandatory authenticated TLS (e.g. with DANE, MTA-STS or
> local policy), and they will not fall back to cleartext. On the
> other hand, no MTA I know of does attempts (valid) browser-style
> protocol fallback after a connection failure. So the clients that
> insist on security (Postfix, Exim, ...) just defer the mail when
> the TLS handshake fails.
> In the SMTP ecosystem enforcing FALLBACK_SCSV is pretty much
> counter-productive (only reduces security to cleartext for opportunistic
> clients, and does not at all help non-opportunistic clients get
> through to servers that don't support TLS 1.3, and fail the handshake
> if you try).
I think we should do more to understand the current problem before going
any further down this route. If this is caused by pre6 or below OpenSSL
clients then I don't think we should be making any changes to
openssl-project mailing list