Am 05.01.2015 um 18:47 schrieb Viktor Dukhovni:
On Mon, Jan 05, 2015 at 06:01:03PM +0100, DTNX Postmaster wrote:
With RC4-SHA early enough for the 11-year old Microsoft Exchange
servers.
Sadly, older Exchange servers (2003 at least) will favour 3DES over RC4
for TLS connections, IIRC.
This is not correct.
I don't have the fix we used on hand, as our oldest supported Exchange
version is 2010 these days, but we had an override of some sort that
required forcing 'DES-CBC3-SHA' for that specific box.
You can specify that as 'DES-CBC3-SHA', or select with something like
this;
==
$ openssl ciphers -v 'RSA+3DES'
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
No, this is a bad idea, it is in fact 3DES that is broken with such servers
shouldn't we start to disable RC4 as well as DES-CBC3-SHA for that
horrible outdated crap servers and fallback to unencrypted at all
instead continue to work around them years again?