[Dovecot] How to disable SSL and TLSv1.1?

Reindl Harald h.reindl at thelounge.net
Fri Sep 13 13:01:23 EEST 2013


On 13.09.2013 11:45, Darren Pilgrim wrote:
> On 9/11/2013 3:52 PM, Reindl Harald wrote:
>> and that is why i said most widely used does not
>>
>> RHEL5:     openssl-0.9.8e
>> RHEL6:     openssl-1.0.0
>> Fedora 17: openssl-1.0.0k
>> Fedora 18: openssl-1.0.1e
> 
> RHEL with outdated software bundled?  You don't say. ;)

bulls** - google for LTS

> Let's look at the rest of the world:
> 
> Firefox and Thunderbird currently ship with TLS 1.1/1.2 support, but not enabled by default

so it is not relevant

> Mozilla is still working on automatic fallback to SSLv3/TLSv1.0.  

off-topic in the context of the thread's subject

> Firefox 24 supposedly has ability and will enable TLS 1.1 and 1.2 by default.

does not help much

> On Windows 7, 8, 2008R2 and 2012, the schannel libraries support TLS 1.1 and 1.2.  Versions of IE, Office, IIS,
> Exchange, SQL Server et al dating to as early as 2010 or so use those schannel library versions.  IE 11 should have
> TLS 1.1 and 1.2 enabled by default.  One nice thing: IE 10 will report the TLS version in the page properties.  For
> example, Google's front page gives "TLS 1.2, AES with 128 bit encryption (High); ECDH_P256 with 256 bit exchange".

as long as support for Windows XP is active and it comes to business,
you have to support it - period

> With Apple, the SecureTransport libraries since 2011 or so supports TLS 1.1 and 1.2.  That should include iOS 5 and
> 6 and OS X 10.6+.  Version info is hard to find for Apple software, so my apologies if the version alignment isn't
> correct.  Safari has TLS 1.1 and 1.2 enabled by default.

that must be the reason for not using it with Apple Mail, I guess
so you need to distinguish between theory and real life
Anonymous TLS connection established from ****: TLSv1 with cipher AES128-SHA (128/128 bits)

and yes, postfix logs the TLS version as well; the machine in question supports TLS1.2
Anonymous TLS connection established from ****: TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)

> Other things that support TLS 1.1+:
> 
> - Google servers
> - Facebook
> - Twitter
> - Cloudflare
> - Chrome
> - GnuTLS
> - Java SSE

fine, but how does 1.1 help in case someone asks how to disable it - read the subject

> I'm not sure we can agree on what comprises the "most widely used" case or even at what point we can say TLS 1.1+
> is "well supported"; but the above is at least a good start

it's not well supported
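As an added example (not part of this thread, and not Dovecot or Postfix code), a small Python script that tallies the TLS versions in Postfix "TLS connection established" lines like the two quoted above, so an admin can see which peers would break before raising the minimum to TLSv1.2. The log lines inside it are constructed; the peer names, addresses and the TLSv1.1 "Trusted TLS" entry are sample values.

```python
import re
from collections import Counter

# Constructed sample Postfix smtpd log lines (not from the original thread).
# The "Anonymous TLS connection established" lines mirror the format quoted above.
SAMPLE_LOG = """\
Sep 13 12:01:02 mx postfix/smtpd[1234]: Anonymous TLS connection established from mail.example.org[192.0.2.10]: TLSv1 with cipher AES128-SHA (128/128 bits)
Sep 13 12:01:05 mx postfix/smtpd[1235]: Anonymous TLS connection established from mta.example.net[198.51.100.7]: TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Sep 13 12:02:11 mx postfix/smtpd[1236]: Trusted TLS connection established from relay.example.com[203.0.113.5]: TLSv1.1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Sep 13 12:03:40 mx postfix/smtpd[1237]: connect from unknown[203.0.113.9]
Sep 13 12:04:00 mx postfix/smtpd[1238]: Anonymous TLS connection established from mail.example.org[192.0.2.10]: TLSv1 with cipher AES128-SHA (128/128 bits)
"""

# Matches Anonymous/Untrusted/Trusted/Verified variants of the Postfix message.
TLS_LINE = re.compile(
    r"TLS connection established from (?P<peer>\S+): "
    r"(?P<version>TLSv[\d.]+|SSLv\d) with cipher (?P<cipher>\S+)"
)

# Protocol versions that would remain allowed after the policy change.
MIN_ALLOWED = ("TLSv1.2", "TLSv1.3")


def parse_tls_events(log_text):
    """Return (peer, version, cipher) for every negotiated TLS session in the log."""
    events = []
    for line in log_text.splitlines():
        m = TLS_LINE.search(line)
        if m:
            events.append((m.group("peer"), m.group("version"), m.group("cipher")))
    return events


def tls_impact_report(log_text, min_allowed=MIN_ALLOWED):
    """Count sessions per protocol version and list the peers that would be
    rejected if only the versions in min_allowed were still accepted."""
    events = parse_tls_events(log_text)
    versions = Counter(version for _, version, _ in events)
    affected = sorted({peer for peer, version, _ in events if version not in min_allowed})
    return {"versions": dict(versions), "affected_peers": affected}


if __name__ == "__main__":
    report = tls_impact_report(SAMPLE_LOG)
    for version, count in sorted(report["versions"].items()):
        print(f"{version:8s} {count}")
    print("peers that would lose TLS below TLSv1.2:", ", ".join(report["affected_peers"]))
```

Run it against a real mail log (`grep 'TLS connection established' /var/log/maillog`) in place of SAMPLE_LOG to get the actual version mix of your peers.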
