On Wed, Oct 15, 2014 at 07:09:40AM +0100, Tom wrote:
> On 15/10/14 02:24, Simon Waters wrote:
> >Okay, Google they say we should lose SSLv3 ASAP.
> >
> >So far everything everywhere has gone to TLSv1 or better except...
> >
> >I have dovecot on Squeeze, and as soon as I disable SSLv3 it says it
> >can't get a cipher list together.
> >
> >I have stunnel working with TLSv1, so I can use that for POP3S and
> >IMAP4S, but should dovecot in Squeeze work with TLSv1?
> >
> >I can't decipher the complexities of the build, but my suspicion is
> >"no". Which is a blow for Squeeze support (okay I should have upgraded
> >by now).
> >
> Probably not relevant but just to scare you there are reports of
> SSLv3 having a huge hole which is to be fixed soon!

Unless I'm missing a joke or something (it's early...), this is what
Simon is referring to, isn't it? Details here:

https://www.openssl.org/~bodo/ssl-poodle.pdf

And yes, it does look nasty. I do think attacking IMAP/POP3 is pretty
difficult though, thus making the issue a lot less urgent than on web
browsers and servers.

Martijn.

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq