On 17.06.2014 20:59, Viktor Dukhovni wrote:
> Thanks for fighting the good fight. In the meantime, any chance
> you could fix the misleading TLS support scores starttls.info
> issues to soundly configured MTAs?
>
> * For SMTP, self-signed certificates are as good as CA-issued
>   certificates. The hostname in the certificate is irrelevant.
>
> * For SMTP servers, support for anon-DH cipher-suites is a feature,
>   not a bug.
>
> * For opportunistic TLS, even the weakest ciphers are fine,
>   provided strong ones are preferred when offered.
>
> Almost every score-lowering observation leading to 43.5% D for
> dukhovni.org is wrong.

I talked to Einar today, my friend who made the service at my request. We agreed to simplify the scoring, at first down to "passed" as long as we see STARTTLS support with a minimum of SSLv3 and no 40/56-bit export ciphers.
We'll recommend supporting TLSv1.1/1.2 and using a cert from a TTP, and will probably display the server's preferred cipher suite, if any. We will probably not let this affect the scoring in either direction, but will mention your proposal and recommend DNSSEC deployment in the meantime.

Br,
Per
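The simplified rule agreed above (pass if STARTTLS is offered, the best protocol is at least SSLv3, and no 40/56-bit export suite is accepted; TLSv1.1/1.2, a TTP certificate and the preferred suite are reported only as recommendations), written out as a scoring function. This is an added example for the thread, not code from starttls.info or from either mail; the `Observation` record, the function names and the sample results are my assumptions. It also carries a small live probe built on Python's smtplib so the reader can see where the preferred suite and negotiated version come from; a single handshake only reveals the server's preferred suite, so a real scanner would run one handshake per candidate suite to fill `accepted_ciphers`.

```python
"""Simplified starttls.info-style verdict, as discussed in the thread.
Added example; not the service's own code or data model."""
import smtplib
import ssl
from dataclasses import dataclass, field
from typing import List, Optional

# Weakest to strongest, using the names ssl.SSLSocket.version() returns.
PROTOCOL_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def _rank(proto: Optional[str]) -> int:
    """Position in PROTOCOL_ORDER; -1 for nothing / an unrecognised name."""
    return PROTOCOL_ORDER.index(proto) if proto in PROTOCOL_ORDER else -1


def is_export_cipher(name: str) -> bool:
    """OpenSSL names 40-bit export suites EXP-... and 56-bit ones EXP1024-...;
    plain DES-CBC-SHA is weak but not an export suite and is not penalised."""
    return name.startswith("EXP-") or name.startswith("EXP1024-")


@dataclass
class Observation:
    """What a scanner saw on port 25 (assumed shape for this example)."""
    starttls_offered: bool
    max_protocol: Optional[str] = None            # strongest version negotiated
    accepted_ciphers: List[str] = field(default_factory=list)
    preferred_cipher: Optional[str] = None        # server's pick when all are offered
    cert_chains_to_ttp: bool = False              # verifiable against a public CA store


@dataclass
class Verdict:
    passed: bool
    failures: List[str] = field(default_factory=list)
    recommendations: List[str] = field(default_factory=list)   # never affect passed


def simplified_score(obs: Observation) -> Verdict:
    """'passed' iff STARTTLS + best protocol >= SSLv3 + no export suites accepted."""
    v = Verdict(passed=True)
    if not obs.starttls_offered:
        v.failures.append("no STARTTLS")
    else:
        if _rank(obs.max_protocol) < _rank("SSLv3"):
            v.failures.append("best protocol below SSLv3")
        export = [c for c in obs.accepted_ciphers if is_export_cipher(c)]
        if export:
            v.failures.append("export ciphers accepted: " + ", ".join(export))
        # Advice only. Anon-DH, self-signed certs and weak-but-non-export suites
        # are deliberately not failures: for opportunistic TLS they are fine as
        # long as strong suites are preferred, which is what preferred_cipher shows.
        if _rank(obs.max_protocol) < _rank("TLSv1.1"):
            v.recommendations.append("support TLSv1.1/TLSv1.2")
        if not obs.cert_chains_to_ttp:
            v.recommendations.append("consider a certificate from a trusted third party")
    v.passed = not v.failures
    return v


def probe(host: str, port: int = 25, timeout: float = 10.0) -> Observation:
    """Live opportunistic-TLS probe (network; not exercised offline).
    Verification is off on purpose: an MTA with a self-signed or mismatched
    certificate must still complete the handshake, exactly as a sending MTA would."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return Observation(starttls_offered=False)
        smtp.starttls(context=ctx)             # smtp.sock is now an SSLSocket
        cipher_name, _proto, _bits = smtp.sock.cipher()
        return Observation(starttls_offered=True,
                           max_protocol=smtp.sock.version(),
                           accepted_ciphers=[cipher_name],   # one handshake = one suite
                           preferred_cipher=cipher_name)


if __name__ == "__main__":
    # Constructed result resembling a soundly configured MTA: self-signed cert,
    # anon-DH and RC4 accepted, but a strong ECDHE suite preferred.
    sample = Observation(True, "TLSv1.2",
                         ["ECDHE-RSA-AES256-GCM-SHA384", "ADH-AES128-SHA", "RC4-MD5"],
                         "ECDHE-RSA-AES256-GCM-SHA384", cert_chains_to_ttp=False)
    print(simplified_score(sample))
```

Run with `python3 score.py` for the constructed sample; `probe("mx.example.invalid")` would need a reachable MTA and is the only part that touches the network.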