
Re: [Nmh-workers] TLS with smtp not working for me


From: Ken Hornstein
Subject: Re: [Nmh-workers] TLS with smtp not working for me
Date: Wed, 31 May 2017 11:38:03 -0400

>Is it possible for the client (nmh) to control which ciphers it will
>negotiate with the server?

It's certainly possible for a client to specify a cipher list via the
OpenSSL API.  This is not a knob I have wanted to expose, though, just
for the sake of complexity (the programming isn't hard; it's one API
call, but all of the other stuff surrounding it would be a pain, and
then there is the issue of documentation ....).

But as Valdis points out, the issue really isn't the cipher list, it's
TLS 1.0 itself.  I'm still surprised that in 2017 the main SMTP server
for a large university would support TLS 1.0 as the _highest_ protocol.
I can understand supporting TLS 1.0 in addition to TLS 1.1 and 1.2 to
handle support for older clients, but NOT supporting TLS 1.1 or 1.2
seems crazy to me.  That almost seems like a misconfiguration to me.

As Valdis's SECOND note says, the issues with TLS 1.0 have been around
for a while, and I think when I wrote the nmh netsec layer that's what
I had found and I figured it made sense for nmh to be up-to-date when
it came to security for once.

I welcome other thoughts on this topic.

--Ken
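
An added illustration of the point made in the message above, not part of the original email and not nmh's code: it uses Python's `ssl` module (a wrapper over OpenSSL) to show a client with a TLS 1.2 floor refusing a TLS 1.0 ServerHello whatever cipher list it was given. The hostname, the ServerHello bytes, and all function names are constructed for the example.

```python
import ssl
import struct

def make_client_context(ciphers=None):
    """Client context with a TLS 1.2 floor and an optional cipher list."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # protocol floor
    if ciphers:
        ctx.set_ciphers(ciphers)                   # the single "cipher list" call
    return ctx

def tls10_server_hello(cipher_suite=0xC014):
    """Constructed ServerHello record that selects TLS 1.0 (version 0x0301)."""
    body = (b"\x03\x01"                            # server_version: TLS 1.0
            + bytes(range(32))                     # constructed server random
            + b"\x00"                              # empty session id
            + struct.pack("!H", cipher_suite)      # chosen cipher suite
            + b"\x00")                             # null compression
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def handshake_result(ctx, server_reply):
    """Drive the client handshake in memory and report how it reacts."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    # smtp.example.edu is a placeholder name, nothing is sent on the network
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname="smtp.example.edu")
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass                                       # ClientHello is now in 'outgoing'
    outgoing.read()                                # discard the ClientHello bytes
    incoming.write(server_reply)
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        return "continuing"                        # client accepted the ServerHello
    except ssl.SSLError as exc:
        return "refused: " + str(exc.reason)       # fatal handshake error
    return "completed"

if __name__ == "__main__":
    # Changing the cipher list does not change the outcome: the version floor decides.
    for ciphers in (None, "ECDHE+AESGCM", "DEFAULT"):
        ctx = make_client_context(ciphers)
        print(ciphers, "->", handshake_result(ctx, tls10_server_hello()))
```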


