On Tue, Jun 17, 2014 at 09:09:31PM +0200, Per Thorsheim wrote:
> On 17.06.2014 20:59, Viktor Dukhovni wrote:
> >
> > Thanks for fighting the good fight. In the meantime, any chance
> > you could fix the misleading TLS support scores starttls.info
> > issues to soundly configured MTAs?
>
> I talked to Einar today, my friend who made the service on my request.
> We agreed to simplify the scoring, at first down to "passed" as long as
> we see starttls support with minimum SSLv3 and no export 40/56bit.

That's still too rigid for opportunistic TLS. Postfix servers currently
and for the foreseeable future explicitly default to support export and
low-grade ciphers, because again, these are strictly better than
cleartext. What reason is there to disable them? Pass means implements
STARTTLS, brownie points for PFS support. The rest is at best misleading
to downright counter-productive.

> We'll recommend supporting TLSv1.1/2 and using a cert from a TTP, and
> probably display the preferred cipher suite from the server, if any.

If you want people to throw cash away, just publish appropriate
charities for people to donate money to. Throwing the money away on
certificates nobody checks seems silly.

> Will probably not let this affect scoring in any direction, and inform
> about your proposal, and recommend DNSSEC deployment in the meantime.

Please make substantially more radical changes, that take into account
that opportunistic TLS in SMTP is very different from TLS in HTTPS.

-- 
	Viktor.