This is a discussion on Re: [courier-users] within the Courier-Imap forums, part of the Mail Servers and Related category.
Bernd Wurst writes:

> Hi.
>
> The error message in the subject occurred when I installed courier 0.58 with
> default configuration files and then connect with openSSL (while connecting
> with gnuTLS worked).
>
> The fix is rather trivial:
>
> TLS_PROTOCOL=SSL23
>
> One could think that setting this to SSL3 is equivalent because no one uses
> SSLv2 any more in real life (remember, Firefox does not support it any more
> for a long time). But it's not.
>
> When set to SSL23, also TLSv1 is automatically enabled, the comment inside the
> config files is wrong in this point.

The comment in the config files is based on OpenSSL's published documentation. The fact that OpenSSL's docs are misleading does not surprise me.

> Additionally, if you want not to support SSLv2, use this setting:
> TLS_CIPHER_LIST="SSLv3:TLSv1:!SSLv2:HIGH:!LOW:!MEDIUM:!EXP:!NULL@STRENGTH"
>
> It disables SSLv2 and all weak ciphers. We run a production server with this
> cipher-list since years and did not get a single complaint about that, so it's
> pretty safe to do so.
>
> Sam, last year you said that a fallback from TLSv1 to SSLv3 is not possible
> with openssl. With this setup, it is, I tested.

That's good to know.

> Wouldn't it make sense to update the default configuration to be "SSL23" so
> that it works with in-the-wild openssl clients?

No, but I will update the comments. This is one of those things where some mild pain is beneficial in the long term, of forcing SSL2 onto the ash heap of history.
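A small config check built from the two settings discussed in this message, added here as an example and not part of the original thread or of Courier itself: it flags a config that uses `SSL23` without the `!SSLv2` exclusion, uses `SSL3` (which, per the message, does not enable TLSv1), or leaves one of the weak cipher classes enabled. The function names and the sample config are constructed for illustration.

```python
import re
import shlex

# Constructed sample config; the two settings are the ones quoted in the message.
SAMPLE = '''\
# constructed sample, not a shipped Courier file
TLS_PROTOCOL=SSL23
TLS_CIPHER_LIST="SSLv3:TLSv1:!SSLv2:HIGH:!LOW:!MEDIUM:!EXP:!NULL@STRENGTH"
'''

# Cipher classes the quoted list excludes as weak.
WEAK_CLASSES = ("LOW", "MEDIUM", "EXP", "NULL")


def parse_settings(text):
    """Read shell-style KEY=VALUE lines, skipping blanks and # comments."""
    settings = {}
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)
        if len(tokens) == 1 and "=" in tokens[0]:
            key, _, value = tokens[0].partition("=")
            settings[key] = value
    return settings


def excluded_classes(cipher_list):
    """Return the names carrying OpenSSL's permanent-exclusion prefix '!'."""
    excluded = set()
    # OpenSSL accepts colons, commas and spaces as separators.
    for item in re.split(r"[:, ]+", cipher_list):
        name = item.split("@", 1)[0]  # drop a trailing @STRENGTH sort keyword
        if name.startswith("!"):
            excluded.add(name[1:])
    return excluded


def audit(text):
    """Return findings for one config; an empty list matches the thread's advice."""
    settings = parse_settings(text)
    protocol = settings.get("TLS_PROTOCOL", "")
    excluded = excluded_classes(settings.get("TLS_CIPHER_LIST", ""))
    findings = []
    if protocol == "SSL23" and "SSLv2" not in excluded:
        findings.append("SSL23 without !SSLv2 in TLS_CIPHER_LIST")
    if protocol == "SSL3":
        findings.append("SSL3 does not enable TLSv1")
    findings += [f"weak class not excluded: {c}" for c in WEAK_CLASSES if c not in excluded]
    return findings
```

Because spaces are also separators, a cipher list with a class name broken by a stray space (for example from a line-wrapped copy) loses that exclusion, and `audit` reports the class as still enabled.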