On 05.01.2015 18:59, li...@rhsoft.net wrote:
>
> On 05.01.2015 at 18:47, Viktor Dukhovni wrote:
>> On Mon, Jan 05, 2015 at 06:01:03PM +0100, DTNX Postmaster wrote:
>>
>>>> With RC4-SHA early enough for the 11-year old Microsoft Exchange
>>>> servers.
>>>
>>> Sadly, older Exchange servers (2003 at least) will favour 3DES over RC4
>>> for TLS connections, IIRC.
>>
>> This is not correct.
>>
>>> I don't have the fix we used on hand, as our oldest supported Exchange
>>> version is 2010 these days, but we had an override of some sort that
>>> required forcing 'DES-CBC3-SHA' for that specific box.
>>>
>>> You can specify that as 'DES-CBC3-SHA', or select with something like
>>> this;
>>>
>>> ==
>>> $ openssl ciphers -v 'RSA+3DES'
>>> DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
>>
>> No, this is a bad idea, it is in fact 3DES that is broken with such
>> servers
>
> shouldn't we start to disable RC4 as well as DES-CBC3-SHA for those
> horrible outdated crap servers and fall back to unencrypted at all
> instead of continuing to work around them years again?

I wouldn't mind name & shame those who are running outdated crap servers, with automail to postmaster or something. Progress is made faster imho that way, instead of trying to be backwards compatible with *anything*. Do plaintext instead.

.per