[Dovecot] How to disable SSL and TLSv1.1?
list_dovecot at bluerosetech.com
Fri Sep 13 12:45:54 EEST 2013
On 9/11/2013 3:52 PM, Reindl Harald wrote:
> and that is why i said most widely used does not
> RHEL5: openssl-0.9.8e
> RHEL6: openssl-1.0.0
> Fedora 17: openssl-1.0.0k
> Fedora 18: openssl-1.0.1e
RHEL with outdated software bundled? You don't say. ;)
Let's look at the rest of the world:
Firefox and Thunderbird currently ship with TLS 1.1/1.2 support, but not
enabled by default. Mozilla is still working on automatic fallback to
SSLv3/TLSv1.0. Firefox 24 supposedly has ability and will enable TLS
1.1 and 1.2 by default.
On Windows 7, 8, 2008R2 and 2012, the schannel libraries support TLS 1.1
and 1.2. Versions of IE, Office, IIS, Exchange, SQL Server et al dating
to as early as 2010 or so use those schannel library versions. IE 11
should have TLS 1.1 and 1.2 enabled by default. One nice thing: IE 10
will report the TLS version in the page properties. For example,
Google's front page gives "TLS 1.2, AES with 128 bit encryption (High);
ECDH_P256 with 256 bit exchange".
With Apple, the SecureTransport libraries since 2011 or so supports TLS
1.1 and 1.2. That should include iOS 5 and 6 and OS X 10.6+. Version
info is hard to find for Apple software, so my apologies if the version
alignment isn't correct. Safari has TLS 1.1 and 1.2 enabled by default.
Other things that support TLS 1.1+:
- Google servers
- Java SSE
I'm not sure we can agree on what comprises the "most widely used" case
or even at what point we can say TLS 1.1+ is "well supported"; but the
above is at least a good start.
More information about the dovecot