On 05 Jan 2015, at 18:47, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:

> On Mon, Jan 05, 2015 at 06:01:03PM +0100, DTNX Postmaster wrote:
> 
>>> With RC4-SHA early enough for the 11-year old Microsoft Exchange
>>> servers.
>> 
>> Sadly, older Exchange servers (2003 at least) will favour 3DES over RC4 
>> for TLS connections, IIRC.
> 
> This is not correct.
> 
>> I don't have the fix we used on hand, as our oldest supported Exchange 
>> version is 2010 these days, but we had an override of some sort that 
>> required forcing 'DES-CBC3-SHA' for that specific box.
>> 
>> You can specify that as 'DES-CBC3-SHA', or select with something like 
>> this;
>> 
>> ==
>> $ openssl ciphers -v 'RSA+3DES'
>> DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
> 
> No, this is a bad idea, it is in fact 3DES that is broken with such servers.

Ah, I remember now ... My bad. You are indeed correct, the override was 
to disable 3DES altogether for that box.

Mvg,
Joni
