[Dovecot] How to disable SSL and TLSv1.1?

Reindl Harald h.reindl at thelounge.net
Sat Sep 14 03:39:49 EEST 2013



On 13.09.2013 22:36, Darren Pilgrim wrote:
> This has kind of wandered out of the scope of the list

I don't think so, because having a question in public
also means everyone who reads it understands the real
usefulness

> On 9/13/2013 3:01 AM, Reindl Harald wrote:
>> On 13.09.2013 11:45, Darren Pilgrim wrote:
>>> On 9/11/2013 3:52 PM, Reindl Harald wrote:
>>>> and that is why i said most widely used does not
>>>>
>>>> RHEL5:     openssl-0.9.8e
>>>> RHEL6:     openssl-1.0.0
>>>> Fedora 17: openssl-1.0.0k
>>>> Fedora 18: openssl-1.0.1e
>>>
>>> RHEL with outdated software bundled?  You don't say. ;)
>>
>> bulls** - google for LTS
> 
> My point is that you don't have to use the stock libraries.  My *nix of choice, FreeBSD, still has 0.9.8 in the
> current releases.  Luckily there's 1.0.1e in ports and the framework makes it easy to switch port builds between
> the base and port libraries.  There are 1.0.1e packages for every Linux distro I've checked.

my point is that it does not help much if you have the best of all available
encryptions on your IMAP server, because all the messages you receive pass the
wire, and you can't disable SSL/TLSv1.0/TLS1.1 on the MTA side, or
if you do so you receive a lot of messages *completely unencrypted* because
the sending MTA falls back

>>> Firefox and Thunderbird currently ship with TLS 1.1/1.2 support,
>>> but not enabled by default
>>
>> so it is not relevant
> 
> How is TLS 1.1 and 1.2 support in one of the most popular suites of software not relevant? 

"but not enabled by default" is not relevant in reality, unless
you are the only user of your private server, and even then see above

what benefit do you have from TLS1.2 if the message passed the wire
with SSL3 or unencrypted at all

> Sure, it's not enabled by default, but those of us working proactively can enable it

that is not going to happen for the majority of users

> On by default simply means the feature has matured to the point where the cost of 
> supporting the general userbase is reasonably small.

on by default means the ordinary users will use it
off by default means the ordinary users will not use it

>> as long the support for Windows XP is active and it comes to business
>> you have to support it - period
> 
> Yeah I know.  Fortunately XP is EoS in less than a year.  

and until then it does not help much

> I will be very happy to see it and all of its creaky
> legacy inanity go away.

me too, and if it's only about having SSL webhosts without a dedicated IP:
currently you can't use SNI in the case of business websites, just as you
can't disable SSL/TLS1.1/TLS1.2 as long as you potentially have customers
with WinXP/Outlook2003, and as long as they are supported with updates you
can't force a customer to upgrade

>> fine but what helps 1.1 in case someone asks how to disable it - read
>> the subject
> 
> The subject line should have read TLSv1.0.  Sorry for the typo.  
> FWIW, the body of my original email correctly said
> I wanted to disable TLSv1.0, not 1.1

while it's not that much of a hardliner attitude to at least support TLS1.1, I think
I have now explained well the non-existent benefits of what you are doing if
you think about the complete path an e-mail takes, and in case you are not
the only user of the server it's impossible to do so without losing
customers or getting a lot of complaints until you revert the settings
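The thread is about which protocol versions Dovecot's `ssl_protocols` setting (Dovecot 2.2) or `ssl_min_protocol` (Dovecot 2.3 and later) leaves enabled once SSLv3 and TLSv1.0 are dropped. The following script is an added example, not code from the list posters or from the Dovecot project: it parses a small config fragment and reports which versions are still accepted. It assumes the documented semantics of `ssl_protocols`, namely that a `!` prefix disables a version and that listing any version without `!` enables only the listed ones; the sample config snippets are constructed for the example.

```python
"""Audit the TLS protocol versions a Dovecot config fragment leaves enabled.

Added example for the thread above; not Dovecot's own code.
"""
import re

# Protocol names Dovecot 2.2's ssl_protocols directive understands, oldest first.
VERSIONS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]


def parse_settings(text):
    """Return {key: value} for each top-level 'key = value' line.

    '#' starts a comment; a later occurrence of a key overrides an earlier one,
    as it does in dovecot.conf.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"([A-Za-z_]\w*)\s*=\s*(.*)", line)
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings


def enabled_from_ssl_protocols(value):
    """Dovecot 2.2 'ssl_protocols' semantics (assumed from the documentation):
    tokens prefixed with '!' are disabled; if any token is listed without '!',
    only those explicitly listed versions are enabled."""
    tokens = value.split()
    explicit = {t for t in tokens if not t.startswith("!")}
    disabled = {t[1:] for t in tokens if t.startswith("!")}
    base = explicit if explicit else set(VERSIONS)
    return [v for v in VERSIONS if v in base and v not in disabled]


def enabled_from_min_protocol(value):
    """Dovecot 2.3 'ssl_min_protocol': the named version and everything newer."""
    if value not in VERSIONS:
        raise ValueError("unknown protocol version %r" % value)
    return VERSIONS[VERSIONS.index(value):]


def enabled_protocols(text):
    """Versions the fragment leaves enabled, in order from oldest to newest.

    A fragment that sets neither directive imposes no restriction of its own;
    what the daemon then accepts depends on the Dovecot version's default, so
    every version is reported as potentially enabled.
    """
    s = parse_settings(text)
    if "ssl_min_protocol" in s:
        return enabled_from_min_protocol(s["ssl_min_protocol"])
    if "ssl_protocols" in s:
        return enabled_from_ssl_protocols(s["ssl_protocols"])
    return list(VERSIONS)


def audit(text, disallow=("SSLv2", "SSLv3", "TLSv1")):
    """Return the disallowed versions still enabled (empty list means OK)."""
    return [v for v in enabled_protocols(text) if v in disallow]


# Constructed sample fragments (not taken from any real server).
WEAK_CONF = """
# 2013-era 10-ssl.conf that only drops SSLv2
ssl = required
ssl_protocols = !SSLv2
"""

FIXED_22_CONF = "ssl_protocols = !SSLv2 !SSLv3 !TLSv1   # what the original question asked for\n"

FIXED_23_CONF = "ssl_min_protocol = TLSv1.2\n"


if __name__ == "__main__":
    for name, conf in [("weak", WEAK_CONF), ("2.2 fixed", FIXED_22_CONF),
                       ("2.3 fixed", FIXED_23_CONF)]:
        print("%-10s enabled=%s  still disallowed=%s"
              % (name, enabled_protocols(conf), audit(conf)))
```

Note that the 2.2 form `!SSLv2 !SSLv3 !TLSv1` still leaves TLSv1.1 enabled, which matches the compromise the poster describes; `ssl_min_protocol = TLSv1.2` is the stricter setting on Dovecot 2.3 and later. The check only reads the configuration; whether sending MTAs then fall back to cleartext, as the message warns, is decided on the SMTP side and is not something this script can see.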
