Re: "legacy" SSL and postfix smtp

From: Victor Duchovni (Victor.Duchovnimorganstanley.com)
Date: Thu Dec 11 2008 - 23:25:08 CST


On Thu, Dec 11, 2008 at 04:44:08PM -0600, Noel Jones wrote:

> Victor Duchovni wrote:
> >On Thu, Dec 11, 2008 at 03:07:47PM -0600, Noel Jones wrote:
> >
> >>The DES-CBC3-SHA 168 bit cipher seems reasonably common (here,
> >>nearly 10% of connections)
> >
> >SSL with DES-CBC3-SHA is broken in pre-Vista version of Windows,
> >so if a Windows client is using the SSL support in Microsoft's
> >Crypto API, that could be an issue.
> >
>
> I miscounted earlier, my overly-simple grep included things
> such as "EDH-RSA-DES-CBC3-SHA" in the total.
>
> Occurrences of "cipher DES-CBC3-SHA" turn out to be pretty
> rare here - less than 0.1% rather than the 10% I quoted
> earlier. YMMV.
>
> So maybe disabling DES-CBC3-SHA isn't a bad thing, at least
> for testing.

Generally (unless one disables RC4, or Windows is re-configured to prefer
3DES), the same Windows systems choose RC4-MD5 ahead of all other ciphers,
so the breakage is rarely seen. I would not disable DES-CBC3-SHA on the
Postfix SMTP server, but if sending from Windows, I would fix whatever
registry setting is causing Windows to use its broken implementation.

--
        Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
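The miscount Noel describes above (a plain substring grep for "DES-CBC3-SHA" also matching "EDH-RSA-DES-CBC3-SHA") is easy to avoid by parsing the cipher token out of the Postfix smtpd TLS log line instead of matching a substring. The following is an added example, not code from the thread or from Postfix; the log lines are constructed for the demonstration (hostnames and addresses from documentation ranges), but they follow the "TLS connection established from ... with cipher ... (n/m bits)" format that Postfix smtpd logs. It shows the naive count beside the exact per-cipher tally, so the share of genuine DES-CBC3-SHA connections can be judged before deciding whether excluding the cipher would cut off real clients.

```python
import re
from collections import Counter

# Constructed sample of Postfix smtpd TLS log lines (not taken from any real server).
SAMPLE_LOG = """\
Dec 11 15:01:02 mx1 postfix/smtpd[4021]: Anonymous TLS connection established from mail.example.org[192.0.2.10]: TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)
Dec 11 15:01:09 mx1 postfix/smtpd[4022]: Anonymous TLS connection established from relay.example.net[198.51.100.7]: TLSv1 with cipher RC4-MD5 (128/128 bits)
Dec 11 15:02:15 mx1 postfix/smtpd[4023]: Anonymous TLS connection established from old-client.example.com[203.0.113.5]: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)
Dec 11 15:03:30 mx1 postfix/smtpd[4024]: Anonymous TLS connection established from mail2.example.org[192.0.2.11]: TLSv1 with cipher AES256-SHA (256/256 bits)
Dec 11 15:04:01 mx1 postfix/smtpd[4025]: Anonymous TLS connection established from relay.example.net[198.51.100.7]: TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)
Dec 11 15:04:44 mx1 postfix/smtpd[4026]: connect from unknown[203.0.113.9]
"""

# Matches both "Anonymous TLS connection established" and "Trusted TLS connection established"
# lines and captures the protocol, the exact cipher name and the bit counts.
TLS_LINE_RE = re.compile(
    r"TLS connection established from .*?: (\S+) with cipher (\S+) \((\d+)/(\d+) bits\)"
)


def count_ciphers(log_text):
    """Tally TLS handshakes by the exact cipher token, one count per handshake line."""
    counts = Counter()
    for line in log_text.splitlines():
        match = TLS_LINE_RE.search(line)
        if match:
            counts[match.group(2)] += 1
    return counts


def naive_substring_count(log_text, needle):
    """Reproduce 'grep -c needle': any line containing the substring counts,
    so 'DES-CBC3-SHA' also picks up 'EDH-RSA-DES-CBC3-SHA'."""
    return sum(1 for line in log_text.splitlines() if needle in line)


def cipher_share(counts, cipher):
    """Fraction of TLS handshakes that negotiated exactly this cipher."""
    total = sum(counts.values())
    return counts[cipher] / total if total else 0.0


if __name__ == "__main__":
    exact = count_ciphers(SAMPLE_LOG)
    print("naive grep -c DES-CBC3-SHA :", naive_substring_count(SAMPLE_LOG, "DES-CBC3-SHA"))
    print("exact DES-CBC3-SHA         :", exact["DES-CBC3-SHA"])
    for name, n in exact.most_common():
        print(f"{name:28s} {n:4d}  {100 * cipher_share(exact, name):5.1f}%")
```

On a real server the same parser is run over the mail log (for example by reading /var/log/mail.log or the output of `journalctl -u postfix`) and, because it keys on the exact cipher token, the EDH variants stay separate from the plain RSA-key-exchange DES-CBC3-SHA that Viktor says is the one broken in pre-Vista Windows.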