[Dovecot] How to disable SSL and TLSv1.1?

Darren Pilgrim list_dovecot at bluerosetech.com
Fri Sep 13 12:45:54 EEST 2013

On 9/11/2013 3:52 PM, Reindl Harald wrote:
> and that is why i said most widely used does not
> RHEL5:     openssl-0.9.8e
> RHEL6:     openssl-1.0.0
> Fedora 17: openssl-1.0.0k
> Fedora 18: openssl-1.0.1e

RHEL with outdated software bundled?  You don't say. ;)

Let's look at the rest of the world:

Firefox and Thunderbird currently ship with TLS 1.1/1.2 support, but not 
enabled by default.  Mozilla is still working on automatic fallback to 
SSLv3/TLSv1.0.  Firefox 24 supposedly has the ability and will enable TLS 
1.1 and 1.2 by default.

On Windows 7, 8, 2008R2 and 2012, the schannel libraries support TLS 1.1 
and 1.2.  Versions of IE, Office, IIS, Exchange, SQL Server et al dating 
to as early as 2010 or so use those schannel library versions.  IE 11 
should have TLS 1.1 and 1.2 enabled by default.  One nice thing: IE 10 
will report the TLS version in the page properties.  For example, 
Google's front page gives "TLS 1.2, AES with 128 bit encryption (High); 
ECDH_P256 with 256 bit exchange".

With Apple, the SecureTransport libraries since 2011 or so support TLS 
1.1 and 1.2.  That should include iOS 5 and 6 and OS X 10.6+.  Version 
info is hard to find for Apple software, so my apologies if the version 
alignment isn't correct.  Safari has TLS 1.1 and 1.2 enabled by default.

Other things that support TLS 1.1+:

- Google servers
- Facebook
- Twitter
- Cloudflare
- Chrome
- GnuTLS
- Java SSE

I'm not sure we can agree on what comprises the "most widely used" case 
or even at what point we can say TLS 1.1+ is "well supported"; but the 
above is at least a good start.
