On Mon, Nov 30, 2020 at 07:40:34PM -0500, Keith Moore wrote:
> I've been thinking something like this also. But IMO there are still
> valid cases for negotiating older versions of TLS on the public
> Internet, such as the mail relaying case mentioned earlier. So far I
> haven't thought of a reason where either (a) bouncing an email message;
> (b) resending it in cleartext; or (c) discarding it, is better than
> relaying with TLS 1.0 or 1.1. (Though maybe there aren't enough MTAs
> that do opportunistic TLS using version <= 1.1 to matter.)
For lack of any known substantive downgrade attacks against STARTTLS in
SMTP relay from TLS 1.2 to TLS 1.0, I've no immediate plans to disable
default support for TLS 1.0 in Postfix. For opportunistic TLS the effect
of that would be to send in cleartext rather than TLS 1.0, which seems
unnecessary at present.

SMTP servers that support DANE have been steadily moving away from TLS
1.0, but these are presumably operated by folks who pay extra attention
to security, and are not representative of the long tail of folks who
leave "well enough" alone.

My most negotiated TLS version stats for SMTP servers supporting DANE are:

    TLS 1.3: 9064
    TLS 1.2: 7239
    TLS 1.1:    0
    TLS 1.0:   27

Two years ago, they were:

    TLS 1.3:  204
    TLS 1.2: 3561
    TLS 1.1:    2
    TLS 1.0:   35

The trend is definitely towards TLS 1.3, and away from TLS 1.0, but the
long tail takes time to fade away. So at some point it might make sense
to disable TLS 1.0 support by default, and some users are choosing to do
it early by overriding the defaults, but I am not convinced the pros
outweigh the cons today.

-- 
    Viktor.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
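The message above argues from negotiated-version statistics: before raising the TLS floor for opportunistic SMTP, an operator wants to know how many peers would drop to cleartext. The following script is an added example, not code from the thread or from the Postfix project. It tallies negotiated TLS versions from the "TLS connection established" lines that Postfix's smtp(8) client logs, and lists the destinations that would fall below a proposed minimum. The log lines are constructed sample input in that log format (hostnames and addresses are invented); the function names and the `TLSv1`/`SSLv3` ordering helper are this example's own.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of Postfix smtp(8) client logging.
# Hosts and addresses are invented; one line is a non-TLS event to show
# that unrelated lines are ignored.
SAMPLE_LOG = """\
Nov 30 19:41:02 mx postfix/smtp[2381]: Verified TLS connection established to mx1.example.net[192.0.2.10]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Nov 30 19:41:05 mx postfix/smtp[2382]: Untrusted TLS connection established to mx.example.org[198.51.100.7]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Nov 30 19:41:09 mx postfix/smtp[2383]: Anonymous TLS connection established to old.example.com[203.0.113.4]:25: TLSv1 with cipher AES256-SHA (256/256 bits)
Nov 30 19:41:12 mx postfix/smtp[2384]: Trusted TLS connection established to mx1.example.net[192.0.2.10]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Nov 30 19:41:15 mx postfix/smtp[2385]: Untrusted TLS connection established to mx2.example.org[198.51.100.8]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Nov 30 19:41:20 mx postfix/smtp[2386]: Anonymous TLS connection established to old.example.com[203.0.113.4]:25: TLSv1 with cipher AES256-SHA (256/256 bits)
Nov 30 19:41:25 mx postfix/smtp[2387]: connect to dead.example.com[203.0.113.9]:25: Connection timed out
"""

# Matches the client-side "TLS connection established" line. The trust
# level prefix (Verified/Trusted/Untrusted/Anonymous) is kept so that the
# same parser can also answer DANE/PKI verification questions.
TLS_LINE = re.compile(
    r"postfix/smtp\[\d+\]: "
    r"(?P<trust>Verified|Trusted|Untrusted|Anonymous) TLS connection established to "
    r"(?P<host>[^\[]+)\[(?P<addr>[^\]]+)\]:\d+: "
    r"(?P<version>(?:TLS|SSL)v[\d.]+) with cipher (?P<cipher>\S+)"
)


def version_tuple(name):
    """Order protocol names: SSLv3 -> (0, 3), TLSv1 -> (1, 0), TLSv1.2 -> (1, 2)."""
    family, _, num = name.partition("v")
    parts = [int(p) for p in num.split(".")]
    if family == "SSL":
        return (0, parts[0])
    major = parts[0]
    minor = parts[1] if len(parts) > 1 else 0
    return (major, minor)


def parse_tls_sessions(log_text):
    """Return one dict per established outbound TLS session found in the log."""
    sessions = []
    for line in log_text.splitlines():
        m = TLS_LINE.search(line)
        if m:
            sessions.append(m.groupdict())
    return sessions


def version_histogram(sessions):
    """Count sessions per negotiated protocol version (the stats in the thread)."""
    return Counter(s["version"] for s in sessions)


def legacy_peers(sessions, min_version):
    """Map hostname -> session count for peers negotiating below min_version.

    With opportunistic TLS these are the destinations that would be reached
    in cleartext (or not at all) if the floor were raised to min_version.
    """
    floor = version_tuple(min_version)
    below = Counter()
    for s in sessions:
        if version_tuple(s["version"]) < floor:
            below[s["host"]] += 1
    return dict(below)


if __name__ == "__main__":
    sessions = parse_tls_sessions(SAMPLE_LOG)
    for version, count in sorted(version_histogram(sessions).items(),
                                 key=lambda kv: version_tuple(kv[0]), reverse=True):
        print(f"{version:>8}: {count}")
    print("Would lose TLS with a TLSv1.2 floor:", legacy_peers(sessions, "TLSv1.2"))
```

Run it against a real mail log (for example `python3 tally.py < /var/log/mail.log` after replacing `SAMPLE_LOG` with `sys.stdin.read()`) to get the same kind of table Viktor quotes, plus the list of peers on the long tail. Postfix exposes the floor itself through the `smtp_tls_protocols` (opportunistic) and `smtp_tls_mandatory_protocols` (enforced) parameters, which is the override the message refers to.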