Viktor Dukhovni:
> So, if you have any data on long-term trends in RC4 use, especially
> from a site with a high volume of traffic (1 million messages per
> day or more), please post your findings. Is RC4 disappearing from
> SMTP TLS, or continuing to be used by laggards resistant to change?
Viktor,
My dataset doesn't completely fit, but maybe it helps.
I have a submission server used by ~1500 different clients. STARTTLS
is mandatory.
These are mostly exchange servers, majority 2008 or newer.
smtpd_tls_exclude_ciphers = aNULL
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_exclude_ciphers = 3DES
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_security_level = encrypt
tls_preempt_cipherlist = yes
I have ~180k TLS connections per day:
- 90k DHE-RSA-AES256-SHA
- 87k AES256-SHA
- 3k RC4-SHA
It's a /private/ network with additional access control, so I'm fine
with these "unsafe" ciphers here.
Should I remove "smtpd_tls_mandatory_exclude_ciphers = 3DES"
and look at how the cipher use changes over the next few days?
Andreas
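Added example, not part of this thread and not a Postfix tool: a small Python script that produces the kind of per-day cipher tally Andreas posted from the "TLS connection established" lines that Postfix smtpd writes to the mail log, and separately reports the share of sessions and the client names still negotiating RC4 (or 3DES, under its OpenSSL name DES-CBC3) so that the trend can be watched after a configuration change. The log lines below are constructed for the example (hostnames are RFC 5737 documentation addresses); the regular expression assumes the standard syslog-prefixed Postfix format.

```python
import re
from collections import Counter, defaultdict

# Matches the line Postfix smtpd logs for each completed inbound STARTTLS
# handshake. The trust level prefix varies, so all four are accepted.
TLS_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) \d\d:\d\d:\d\d \S+ postfix/smtpd\[\d+\]: "
    r"(?:Anonymous|Untrusted|Trusted|Verified) TLS connection established from "
    r"(?P<client>\S+): (?P<proto>\S+) with cipher (?P<cipher>\S+) "
    r"\((?P<bits>\d+)/(?P<algbits>\d+) bits\)"
)

# Constructed sample log lines (not real traffic). The "disconnect" line is
# included to show that unrelated smtpd lines are skipped.
SAMPLE_LOG = """\
Mar 10 08:01:12 mx postfix/smtpd[4711]: Anonymous TLS connection established from client1.example.net[192.0.2.10]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Mar 10 08:02:30 mx postfix/smtpd[4712]: Anonymous TLS connection established from client2.example.net[192.0.2.11]: TLSv1 with cipher AES256-SHA (256/256 bits)
Mar 10 08:03:05 mx postfix/smtpd[4713]: Anonymous TLS connection established from legacy.example.net[192.0.2.12]: TLSv1 with cipher RC4-SHA (128/128 bits)
Mar 10 09:15:40 mx postfix/smtpd[4720]: Anonymous TLS connection established from client1.example.net[192.0.2.10]: TLSv1.2 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Mar 10 09:16:00 mx postfix/smtpd[4721]: disconnect from client3.example.net[192.0.2.13]
Mar 11 07:59:59 mx postfix/smtpd[4801]: Anonymous TLS connection established from legacy.example.net[192.0.2.12]: TLSv1 with cipher RC4-SHA (128/128 bits)
Mar 11 08:00:10 mx postfix/smtpd[4802]: Trusted TLS connection established from client2.example.net[192.0.2.11]: TLSv1.2 with cipher DHE-RSA-AES256-SHA (256/256 bits)
"""

# Substrings of OpenSSL cipher-suite names that identify the legacy ciphers
# discussed in the thread: RC4 and 3DES (OpenSSL spells 3DES as DES-CBC3).
WEAK_TOKENS = ("RC4", "DES-CBC3")


def is_weak(cipher, weak=WEAK_TOKENS):
    return any(tok in cipher for tok in weak)


def tally_ciphers(lines):
    """Return {day: Counter(cipher -> handshakes)} from Postfix smtpd log lines."""
    per_day = defaultdict(Counter)
    for line in lines:
        m = TLS_RE.match(line)
        if not m:
            continue
        day = f"{m['mon']} {int(m['day']):02d}"
        per_day[day][m["cipher"]] += 1
    return dict(per_day)


def weak_cipher_share(per_day, weak=WEAK_TOKENS):
    """Fraction of each day's handshakes that used a weak cipher (0.0 .. 1.0)."""
    share = {}
    for day, counter in per_day.items():
        total = sum(counter.values())
        weak_n = sum(n for c, n in counter.items() if is_weak(c, weak))
        share[day] = weak_n / total if total else 0.0
    return share


def weak_clients(lines, weak=WEAK_TOKENS):
    """Distinct client identities that negotiated a weak cipher: the peers to follow up with."""
    clients = set()
    for line in lines:
        m = TLS_RE.match(line)
        if m and is_weak(m["cipher"], weak):
            clients.add(m["client"])
    return clients


if __name__ == "__main__":
    # Real use: python3 this_script.py < /var/log/mail.log (path is an assumption)
    import sys
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    per_day = tally_ciphers(lines)
    shares = weak_cipher_share(per_day)
    for day in sorted(per_day):
        print(f"{day}: {dict(per_day[day])}  weak share {shares[day]:.1%}")
    print("clients on weak ciphers:", sorted(weak_clients(lines)))
```

Feeding the script several days of logs gives the per-day counts directly comparable to the ~180k/day breakdown above, and the client list shows whether the RC4 share is concentrated on a few legacy peers (which can be contacted) or spread across many, which is the question Viktor raised.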