Re: [Nmh-workers] TLS with smtp not working for me
From: valdis . kletnieks
Subject: Re: [Nmh-workers] TLS with smtp not working for me
Date: Wed, 31 May 2017 11:27:15 -0400
On Wed, 31 May 2017 10:19:37 -0400, Ken Hornstein said:
> After some experimentation with openssl s_client, it seems that the
> highest level of TLS that the server smtp.uu.se supports is TLS 1.0!
> Which is actually kind of surprising to me. That seems ... wrong,
> somehow? But anyway, if you remove the SSL_OP_NO_TLSv1 in abovementioned
> line, I think everything will work fine.
>
> I am kind of torn about this. The stuff I have been seeing is that most
> everybody should be moving to TLS 1.1 or greater, and I thought all of
> the servers out there had supported this a long time ago. What do others
> think?
4346 The Transport Layer Security (TLS) Protocol Version 1.1. T. Dierks,
E. Rescorla. April 2006. (Format: TXT=187041 bytes) (Obsoletes
RFC2246) (Obsoleted by RFC5246) (Updated by RFC4366, RFC4680,
RFC4681, RFC5746, RFC6176, RFC7465, RFC7507, RFC7919) (Status:
PROPOSED STANDARD) (DOI: 10.17487/RFC4346)
That RFC is over 11 years old now.
5246 The Transport Layer Security (TLS) Protocol Version 1.2. T. Dierks,
E. Rescorla. August 2008. (Format: TXT=222395 bytes) (Obsoletes
RFC3268, RFC4346, RFC4366) (Updates RFC4492) (Updated by RFC5746,
RFC5878, RFC6176, RFC7465, RFC7507, RFC7568, RFC7627, RFC7685,
RFC7905, RFC7919) (Status: PROPOSED STANDARD) (DOI:
10.17487/RFC5246)
And that one is pushing 9. TLS 1.0 has not been allowed in PCI environments for
over a year now:
https://blog.varonis.com/ssl-and-tls-1-0-no-longer-acceptable-for-pci-compliance/
I'd say leave the actual code as-is, but add a comment saying what to do if
your mail provider is stuck in the stone age, and a mention in the release
notes.
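The experiment Ken describes above (working out the highest TLS version smtp.uu.se will complete, by hand with openssl s_client) can be scripted. The following is an added example written for this thread; it is not nmh code and not something anyone in the thread posted. It speaks enough SMTP to get past EHLO and STARTTLS, then tries one handshake per TLS version with a context pinned to exactly that version, so a "yes" means the server actually completed a handshake at that version rather than merely not refusing it. Assumptions: the hostname smtp.uu.se comes from the thread, the port 587 and the fake EHLO name tls-probe.invalid are mine, and certificate verification is deliberately off because the question is which versions the server speaks, not whether its certificate is valid.

```python
"""Probe which TLS protocol versions an SMTP server's STARTTLS accepts.

Added example for the nmh-workers thread, not nmh's own code.  It does in
Python what the thread describes doing by hand with
`openssl s_client -starttls smtp`: one handshake per TLS version, each
pinned to exactly that version, and a report of which ones the server
completes.
"""
import socket
import ssl

# Ordered oldest to newest; names are what the report prints.
VERSIONS = [
    ("TLSv1.0", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
]


def version_by_name(name):
    """Map a report name such as "TLSv1.2" to the ssl.TLSVersion constant."""
    return dict(VERSIONS)[name]


def read_reply(rfile):
    """Read one SMTP reply (single- or multi-line); return (code, lines)."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("connection closed mid-reply")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        # "250-FOO" continues the reply, "250 FOO" (or a bare "250") ends it.
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), lines


def ehlo_capabilities(lines):
    """Return the EHLO keywords (upper-cased) from a 250 reply.

    The first line carries the server's greeting domain, not a capability,
    so it is skipped.  Parameters after the keyword (e.g. "SIZE 10240000")
    are dropped; only the keyword matters here.
    """
    caps = set()
    for line in lines[1:]:
        text = line[4:].strip()
        if text:
            caps.add(text.split()[0].upper())
    return caps


def pinned_context(version):
    """An SSLContext that negotiates exactly `version` and nothing else.

    Verification is disabled on purpose: this asks "which versions does
    the server speak", not "is the certificate valid".  SECLEVEL=0 lets a
    modern OpenSSL even attempt TLS 1.0/1.1 handshakes, which its default
    security level would refuse before the server gets a say.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # library without security levels: leave its default list
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx


def probe_version(host, port, version, timeout=10):
    """True if the server completes a STARTTLS handshake at exactly `version`."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")
        code, _ = read_reply(rfile)
        if code != 220:
            raise RuntimeError(f"unexpected greeting code {code}")
        sock.sendall(b"EHLO tls-probe.invalid\r\n")  # made-up client name
        code, lines = read_reply(rfile)
        if code != 250 or "STARTTLS" not in ehlo_capabilities(lines):
            raise RuntimeError("server does not advertise STARTTLS")
        sock.sendall(b"STARTTLS\r\n")
        code, _ = read_reply(rfile)
        if code != 220:
            raise RuntimeError(f"STARTTLS refused with {code}")
        try:
            ctx = pinned_context(version)
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
        except (ssl.SSLError, ConnectionError):
            return False  # handshake rejected or connection dropped


def highest_supported(results):
    """Given {name: bool} from the probes, return the newest accepted version."""
    for name, _ in reversed(VERSIONS):
        if results.get(name):
            return name
    return None


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "smtp.uu.se"  # host from the thread
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 587      # assumed submission port
    results = {name: probe_version(host, port, ver) for name, ver in VERSIONS}
    for name, ok in results.items():
        print(f"{name}: {'yes' if ok else 'no'}")
    print("highest:", highest_supported(results))
```

Run it as `python3 probe.py smtp.uu.se 587`. A server that answers "yes" only for TLSv1.0 is exactly the case the thread is about: an nmh built with SSL_OP_NO_TLSv1 will never complete the handshake with it, whatever the rest of the configuration says.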