On Mon, 03. Jul 2006, 20:50:10 +0200, Julien louis wrote:
> On Mon, Jul 03, 2006 at 03:04:08PM +0200, Martin Lambers wrote:
> > With the following line:
> >
> > gnutls-cli -s -p 1025 your.mailserver.com
> > GnuTLS should be able to handshake with SSLv3 and TLSv1 hosts.
> >
> > Similar, msmtp/GnuTLS should be able to handshake with a SSLv3 or TLSv1
> > host because it disables neither of these protocols.
>
> you're right, the problem is on the server side look at the following url:
> http://lists.gnupg.org/pipermail/gnutls-dev/2003-December/000603.html
>
> The problem is the same here tls needs to be disabled to allow connection with
> the server.

What should we do about this? Is it really worth it to add a 'tls_disable_tlsv1' command or something similar to work around a buggy server that was already called "really ancient" in Dec. 2003?

The security implications of automatically retrying the handshake in SSLv3-only mode if a 'TLS fatal alert' is received are not entirely clear to me. I'd rather stick with gnutls_set_default_priority() and let GnuTLS decide which protocol versions are acceptable. A simple library update could then solve a potential problem if someone someday discovers a serious flaw in SSLv3 or TLSv1.1 or whatever version is current at the time.

Would it instead be possible to point the admins of the mail server in question to the problem and kindly ask them to consider an upgrade?

Martin
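
The automatic SSLv3-only retry discussed in the message above, as an added example that is not part of the original mail and is not msmtp or GnuTLS code: a toy Python model comparing one handshake attempt with the default version set against a retry after a fatal alert. It performs no real TLS; the server functions, the version constants and the forged-alert path are all constructed for illustration.

```python
# Toy model, constructed for illustration: no real TLS, versions are plain integers.
SSL3, TLS1 = 0x0300, 0x0301
FATAL_ALERT = "fatal alert"

def ancient_server(offered):
    # Like the server in the thread: handshake only works when TLS is not offered.
    return SSL3 if offered == [SSL3] else FATAL_ALERT

def modern_server(offered):
    # Healthy server: selects the highest version the client offered.
    return max(offered)

def forged_alert_path(server):
    # Network path on which the first reply is replaced by a fatal alert.
    # Alerts during the initial handshake are unauthenticated, so the client
    # cannot tell this apart from ancient_server's genuine alert.
    replies = iter([lambda offered: FATAL_ALERT])
    return lambda offered: next(replies, server)(offered)

def connect_default(path):
    # One attempt with the full default version set; fail closed on an alert.
    result = path([SSL3, TLS1])
    return None if result == FATAL_ALERT else result

def connect_with_fallback(path):
    # The proposed workaround: retry in SSLv3-only mode after a fatal alert.
    result = path([SSL3, TLS1])
    if result == FATAL_ALERT:
        result = path([SSL3])
    return None if result == FATAL_ALERT else result

def outcomes():
    # Fresh path per attempt so the two policies do not share state.
    scenarios = {
        "modern server": lambda: modern_server,
        "ancient server": lambda: ancient_server,
        "modern server, forged alert": lambda: forged_alert_path(modern_server),
    }
    return {name: (connect_default(make()), connect_with_fallback(make()))
            for name, make in scenarios.items()}

if __name__ == "__main__":
    for name, (default, fallback) in outcomes().items():
        print(f"{name:28} default={default} fallback={fallback}")
```

With the fallback, the third scenario ends on SSLv3 against a server that supports TLSv1, while the default policy refuses to connect instead.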