Mailing List CGatePro@mail.stalker.com Message #106231
From: Christoph Roethlisberger <christoph.roethlisberger@iway.ch>
Subject: Re: SMTP incoming SSL problems
Date: Wed, 26 Oct 2016 10:13:32 +0200
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
"CBC Ciphers for old TLS" only impacts TLSv1.0 connections.
And actually it seems to be more secure to use this option than not when your "Oldest Accepted" protocol is set to SSLv3 or TLSv1.0, as with the CBC ciphers enabled, most clients that still connect via TLSv1.0 actually use a more secure cipher suite than otherwise:

------with CBC ciphers enabled-------
Running browser simulations via sockets (experimental)
Android 2.3.7                 TLSv1.0 RC4-MD5
Android 4.0.4                 TLSv1.0 ECDHE-RSA-AES256-SHA
Android 4.1.1                 TLSv1.0 ECDHE-RSA-AES256-SHA
Android 4.2.2                 TLSv1.0 ECDHE-RSA-AES256-SHA
Android 4.3                   TLSv1.0 ECDHE-RSA-AES256-SHA
Baidu Jan 2015                TLSv1.0 ECDHE-RSA-AES256-SHA
IE 7 Vista                    TLSv1.0 AES128-SHA
IE 8 XP                       TLSv1.0 RC4-MD5
IE 8-10 Win 7                 TLSv1.0 ECDHE-RSA-AES256-SHA
IE 10 Win Phone 8.0           TLSv1.0 AES128-SHA
Java 6u45                     TLSv1.0 RC4-MD5
Java 7u25                     TLSv1.0 ECDHE-RSA-AES128-SHA
OpenSSL 0.9.8y                TLSv1.0 DHE-RSA-AES256-SHA
Safari 5.1.9 OS X 10.6.8      TLSv1.0 ECDHE-RSA-AES128-SHA
Safari 6.0.4 OS X 10.8.4      TLSv1.0 ECDHE-RSA-AES256-SHA


------without CBC ciphers enabled-------
Running browser simulations via sockets (experimental)
Android 2.3.7                 TLSv1.0 RC4-MD5
Android 4.0.4                 TLSv1.0 ECDHE-RSA-RC4-SHA
Android 4.1.1                 TLSv1.0 ECDHE-RSA-RC4-SHA
Android 4.2.2                 TLSv1.0 ECDHE-RSA-RC4-SHA
Android 4.3                   TLSv1.0 ECDHE-RSA-RC4-SHA
Baidu Jan 2015                TLSv1.0 ECDHE-RSA-RC4-SHA
IE 7 Vista                    TLSv1.0 RC4-SHA
IE 8 XP                       TLSv1.0 RC4-MD5
IE 8-10 Win 7                 TLSv1.0 RC4-SHA
IE 10 Win Phone 8.0           TLSv1.0 RC4-SHA
Java 6u45                     TLSv1.0 RC4-MD5
Java 7u25                     TLSv1.0 ECDHE-RSA-RC4-SHA
OpenSSL 0.9.8y                TLSv1.0 RC4-SHA
Safari 5.1.9 OS X 10.6.8      TLSv1.0 ECDHE-RSA-RC4-SHA
Safari 6.0.4 OS X 10.8.4      TLSv1.0 ECDHE-RSA-RC4-SHA



My recommendation would be to either set the oldest accepted protocol to TLSv1.1 or leave the CBC ciphers enabled when TLSv1.0 is also used.
Negative impact? I don't see that it could have any.

regards
Christoph Röthlisberger

ps. all tests done with https://testssl.sh/

---------------------------------------------------------
iway AG
christoph.roethlisberger@iway.ch -:- http://www.iway.ch
---------------------------------------------------------

Tuesday, October 25, 2016, 4:35:00 PM, you wrote:

> Thanks Christoph

> Works wonderfully.

> I'm curious which modern MTAs will now refuse to receive e-mail from the site because the old TLS variant is active…

> Regards
> Marcel

> _______________________________________
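
Added example, not part of the original message: a small Python parser that diffs two testssl.sh client-simulation runs like the ones quoted above and lists which clients end up on RC4, or lose forward secrecy, once the CBC suites are disabled. The function names are hypothetical, and the sample rows are five clients per run excerpted from the message.

```python
import re

# Five rows per run, excerpted from the testssl.sh output quoted in the message.
CBC_ON = """\
Running browser simulations via sockets (experimental)
Android 2.3.7                 TLSv1.0 RC4-MD5
Android 4.0.4                 TLSv1.0 ECDHE-RSA-AES256-SHA
IE 7 Vista                    TLSv1.0 AES128-SHA
Java 7u25                     TLSv1.0 ECDHE-RSA-AES128-SHA
OpenSSL 0.9.8y                TLSv1.0 DHE-RSA-AES256-SHA
"""
CBC_OFF = """\
Running browser simulations via sockets (experimental)
Android 2.3.7                 TLSv1.0 RC4-MD5
Android 4.0.4                 TLSv1.0 ECDHE-RSA-RC4-SHA
IE 7 Vista                    TLSv1.0 RC4-SHA
Java 7u25                     TLSv1.0 ECDHE-RSA-RC4-SHA
OpenSSL 0.9.8y                TLSv1.0 RC4-SHA
"""

# Row layout: client name, 2+ spaces, protocol, cipher suite (OpenSSL naming).
ROW = re.compile(r"^(\S.*?)\s{2,}((?:TLSv|SSLv)[\d.]+)\s+([A-Z0-9-]+)\s*$")

def parse_simulation(text):
    """Return {client: (protocol, cipher)}; header and separator lines are skipped."""
    return {m[1]: (m[2], m[3]) for m in map(ROW.match, text.splitlines()) if m}

def uses_rc4(cipher):
    return "RC4" in cipher.split("-")

def forward_secret(cipher):
    return cipher.startswith(("ECDHE-", "DHE-"))

def compare(cbc_on, cbc_off):
    """Classify every client present in both runs by what disabling CBC costs it."""
    on, off = parse_simulation(cbc_on), parse_simulation(cbc_off)
    report = {"rc4_either_way": [], "rc4_only_when_cbc_off": [], "lost_forward_secrecy": []}
    for client in sorted(on.keys() & off.keys()):
        c_on, c_off = on[client][1], off[client][1]
        if uses_rc4(c_on) and uses_rc4(c_off):
            report["rc4_either_way"].append(client)
        elif uses_rc4(c_off):
            report["rc4_only_when_cbc_off"].append(client)
        if forward_secret(c_on) and not forward_secret(c_off):
            report["lost_forward_secrecy"].append(client)
    return report

if __name__ == "__main__":
    for category, clients in compare(CBC_ON, CBC_OFF).items():
        print(f"{category}: {', '.join(clients) or '-'}")
```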


