On 05 Jan 2015, at 18:59, li...@rhsoft.net wrote:

> On 05.01.2015 at 18:47, Viktor Dukhovni wrote:
>> On Mon, Jan 05, 2015 at 06:01:03PM +0100, DTNX Postmaster wrote:
>> 
>>>> With RC4-SHA early enough for the 11-year old Microsoft Exchange
>>>> servers.
>>> 
>>> Sadly, older Exchange servers (2003 at least) will favour 3DES over RC4
>>> for TLS connections, IIRC.
>> 
>> This is not correct.
>> 
>>> I don't have the fix we used on hand, as our oldest supported Exchange
>>> version is 2010 these days, but we had an override of some sort that
>>> required forcing 'DES-CBC3-SHA' for that specific box.
>>> 
>>> You can specify that as 'DES-CBC3-SHA', or select with something like
>>> this;
>>> 
>>> ==
>>> $ openssl ciphers -v 'RSA+3DES'
>>> DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
>> 
>> No, this is a bad idea, it is in fact 3DES that is broken with such servers
> 
> shouldn't we start to disable RC4 as well as DES-CBC3-SHA for those horrible
> outdated crap servers and fall back to unencrypted altogether, instead of
> continuing to work around them for years?

Exchange 2003 has been EOL since May 2014, and Exchange 2007 and higher 
should not have this problem if deployed on Windows Server 2008 or up, 
as the core dependency is not Exchange but the Schannel component.

For Exchange 2007 on Windows Server 2003, if those exist: Windows
Server 2003 will be EOL on July 14th this year, so I would suggest
keeping the workaround (disabling 3DES for the SMTP client) active till
then, announcing that support will be phased out at least three months in
advance, and then dropping it like a rock at the end of July.

Because by that time, they really shouldn't be directly connected to 
the Internet anymore, or at the very least paying a premium to keep the 
workarounds in place :-/

Mvg,
Joni
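As an added example that is not part of the thread, a small auditor for the `openssl ciphers -v` line format quoted above: it parses each suite and flags any whose bulk cipher is 3DES or RC4, so a client cipher list configured for a workaround like the one discussed can be checked for what it still permits. The embedded sample output is constructed; a live `openssl` run is used only when the binary is on the path.

```python
"""Audit `openssl ciphers -v` output for legacy bulk ciphers (3DES, RC4)."""
import re
import shutil
import subprocess

# Constructed sample in the same line format as `openssl ciphers -v`.
SAMPLE_OUTPUT = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
"""

# name  protocol  Kx=..  Au=..  Enc=ALG(bits)  Mac=..
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>[^(\s]+)\((?P<bits>\d+)\)\s+Mac=(?P<mac>\S+)"
)

LEGACY_ENC = {"3DES", "RC4"}


def parse_ciphers(text):
    """Parse `openssl ciphers -v` lines into dicts; unparseable lines are skipped."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            suite = m.groupdict()
            suite["bits"] = int(suite["bits"])
            suites.append(suite)
    return suites


def legacy_suites(suites):
    """Return the names of suites whose bulk cipher is 3DES or RC4."""
    return [s["name"] for s in suites if s["enc"] in LEGACY_ENC]


def openssl_ciphers(spec):
    """Expand a cipher spec with the local openssl, or return None if unavailable."""
    if shutil.which("openssl") is None:
        return None
    proc = subprocess.run(["openssl", "ciphers", "-v", spec],
                          capture_output=True, text=True, check=False)
    return proc.stdout if proc.returncode == 0 else None


if __name__ == "__main__":
    live = openssl_ciphers("ALL:!aNULL")
    print("legacy suites:", legacy_suites(parse_ciphers(live or SAMPLE_OUTPUT)))
```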
