Date: Fri, 19 Oct 2001 09:52:51 -0400
From: Scott Adkins <[EMAIL PROTECTED]>

> Okay, we just got bitten by the Eudora 5.x STARTTLS problem that was discussed last month. We have the same problem where only those clients cannot negotiate a TLS connection properly, and thus fail to log in at all.
>
> So... Ken suggested removing or commenting out the following lines:
>
>     if (tlsonly) {
>         off |= SSL_OP_NO_SSLv2;
>         off |= SSL_OP_NO_SSLv3;
>     }
>
> I am wondering exactly what effect this will have on us... how does this affect clients that *do* TLS just fine, such as Mulberry, for instance? Would the other clients still use TLS and Eudora use SSLv3?

This allows clients to use SSLv2 or SSLv3 after the STARTTLS command. By default, Cyrus is conformant to the specification and forces TLSv1. There should be no interoperability problems with removing those lines. (Actually, Cyrus is a little nicer than the specification allows, since it will accept an SSLv2 hello, but it then forces negotiation of TLSv1.)

Larry
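The following is an added model of the effect discussed above, not Cyrus or OpenSSL code: it mirrors the `tlsonly` branch and works out which version each client ends up with once SSLv2/SSLv3 are, or are not, removed from the server's allowed set. The option bit values and the per-client version lists (Eudora 5.x unable to complete a TLSv1 handshake, Mulberry fine with TLS) are assumptions taken from the thread.

```python
# Added illustration, not the Cyrus implementation. Bit values are stand-ins
# for OpenSSL's SSL_OP_NO_SSLv2 / SSL_OP_NO_SSLv3, not their real values.
from typing import Optional

SSL_OP_NO_SSLV2 = 0x1
SSL_OP_NO_SSLV3 = 0x2

# Ordered oldest to newest so "highest common version" is a simple max().
VERSIONS = ["SSLv2", "SSLv3", "TLSv1"]


def server_options(tlsonly: bool) -> int:
    """Mirror the Cyrus snippet: with tlsonly set, refuse SSLv2 and SSLv3."""
    off = 0
    if tlsonly:
        off |= SSL_OP_NO_SSLV2
        off |= SSL_OP_NO_SSLV3
    return off


def server_allowed(off: int) -> set:
    """Versions the server will still negotiate given its option bits."""
    allowed = set(VERSIONS)
    if off & SSL_OP_NO_SSLV2:
        allowed.discard("SSLv2")
    if off & SSL_OP_NO_SSLV3:
        allowed.discard("SSLv3")
    return allowed


def negotiate(off: int, client_versions) -> Optional[str]:
    """Highest version both sides accept; None means the handshake fails,
    which is the 'cannot log in at all' symptom from the thread."""
    common = server_allowed(off) & set(client_versions)
    if not common:
        return None
    return max(common, key=VERSIONS.index)


# Assumed client capabilities (constructed from the thread's description).
EUDORA = ["SSLv2", "SSLv3"]
MULBERRY = ["SSLv2", "SSLv3", "TLSv1"]

if __name__ == "__main__":
    for tlsonly in (True, False):
        off = server_options(tlsonly)
        # Clients that already do TLSv1 keep TLSv1 either way; only the
        # older client's outcome changes when the two lines are removed.
        print(f"tlsonly={tlsonly}: Eudora -> {negotiate(off, EUDORA)}, "
              f"Mulberry -> {negotiate(off, MULBERRY)}")
```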
Okay, we just got bitten by the Eudora 5.x STARTTLS problem that was discussed last month. We have the same problem where only those clients cannot negotiate a TLS connection properly, and thus fails to login at all. So... Ken suggested removing or commenting out the following lines: if (tlsonly) { off |= SSL_OP_NO_SSLv2; off |= SSL_OP_NO_SSLv3; } I am wondering exactly what effect this will have on us... how does this affect clients that *do* TLS just fine, such as Mulberry, for instance? Would the other clients still use TLS and Eudora use SSLv3? This allows clients to use SSLv2 or SSLv3 after the STARTTLS command. By default, Cyrus is conformant to the specification and forces TLSv1. There should be no interoperability problems with removing those lines. (Actually, Cyrus is a little nicer than the specification allows, since it will accept an SSLv2 hello, but it then forces negotiation of TLSv1.) Larry