On 25 May 2025 18:17:47 UTC, Bill Cole via Exim-users <exim-users@lists.exim.org> wrote:
>> From my point of
>> view, first: it is not my problem, it is their decision (to use weak TLS).
>> Second, weak TLS is IMO worse than plain text, as it provides false feel
>> of protection and I personally prefer to avoid false feels...
>
>But there are no weaknesses in TLS v1.0 or v1.1 relative to v1.2 and 1.3 that
>are relevant to SMTP sessions.

Yes, I read that multiple times from various sources, but to decide properly, we have to ask (and answer) what a TLS version is first. I am far from a TLS expert, but I understand TLS as a composition of handshake, key exchange, message authentication and data encryption (and perhaps some more). When we take only the handshake into account, nothing is wrong with old TLS, but then it differs... As an example, from the mentioned RFC: TLS 1.0 makes it mandatory to implement TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA; without it, that is not TLS 1.0, it can only look like it. Do you really consider 3DES with CBC and SHA1 as secure nowadays?

I will believe the OpenSSL devs more, from the 3.0 migration guide:

    The security strength of SHA1 and MD5 based signatures in TLS has been reduced. This results in SSL 3, TLS 1.0, TLS 1.1 and DTLS 1.0 no longer working at the default security level of 1 and instead requires security level 0

regards

--
Slavko
https://www.slavino.sk/
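The message above treats a TLS cipher suite as a composition of key exchange, authentication, encryption and MAC. As an added example that is not part of the original message, the following Python splits pre-TLS-1.3 IANA suite names into those parts and flags legacy ones. The function name, the flag wording and the second suite in the demo are assumptions of this example.

```python
import re

# (field, value prefix, reason): labels are this example's own, not an official rating.
LEGACY = [
    ("authentication", "DSS", "DSA signatures, removed in TLS 1.3"),
    ("cipher", "3DES", "64-bit block cipher (Sweet32 birthday bound)"),
    ("cipher", "RC4", "prohibited in TLS by RFC 7465"),
    ("mode", "CBC", "MAC-then-encrypt CBC (padding-oracle class, e.g. Lucky 13)"),
    ("record_mac", "HMAC-SHA1", "SHA-1 based HMAC (legacy hash)"),
    ("record_mac", "HMAC-MD5", "MD5 based HMAC (legacy hash)"),
]

SUITE_RE = re.compile(r"TLS_(.+?)_WITH_(.+)_(SHA\d*|MD5)")


def decompose(suite):
    """Split a pre-TLS-1.3 IANA suite name into the parts it negotiates."""
    m = SUITE_RE.fullmatch(suite)
    if not m:  # TLS 1.3 names (no _WITH_) and CCM suites are out of scope here
        raise ValueError(f"unsupported suite name: {suite}")
    kx_auth, bulk, digest = m.groups()
    kx, _, auth = kx_auth.partition("_")
    digest = "SHA1" if digest == "SHA" else digest
    if bulk.endswith(("_CBC", "_GCM")):
        cipher, _, mode = bulk.rpartition("_")
    else:
        cipher, mode = bulk, "AEAD" if bulk.endswith("POLY1305") else "stream"
    aead = mode in ("GCM", "AEAD")
    parts = {
        "key_exchange": kx,
        "authentication": auth or kx,  # TLS_RSA_WITH_*: RSA does both jobs
        "cipher": cipher,
        "mode": mode,
        # In AEAD suites the trailing hash is the PRF hash, not a record MAC.
        "record_mac": "AEAD tag" if aead else f"HMAC-{digest}",
    }
    flags = [f"{field}={parts[field]}: {why}"
             for field, prefix, why in LEGACY if parts[field].startswith(prefix)]
    return parts, flags


if __name__ == "__main__":
    for name in ("TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",       # suite named in the message
                 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"):  # constructed comparison
        parts, flags = decompose(name)
        print(name, parts, *flags, sep="\n  ")
```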