[openssl-project] FYI: [postfix & TLS1.3 problems]

Viktor Dukhovni openssl-users at dukhovni.org
Mon Oct 15 19:41:06 UTC 2018

On Mon, Oct 15, 2018 at 06:56:06PM +0100, Matt Caswell wrote:

> > What do you make of the
> > idea of making it possible for servers to accept downgrades (to some
> > floor protocol version or all supported versions)?
> I'm really not keen on that idea at all.

I understand the healthy skepticism, but it may worthwhile to keep
in mind that for SMTP the consequence of not accepting fallback to
TLS 1.2, is accepting fallback to cleartext!  So protocol downgrade
protection looks somewhat silly.

The only counter-argument I can think of is that some clients in
fact do mandatory authenticated TLS (e.g. with DANE, MTA-STS or
local policy), and they will not fall back to cleartext.  On the
other hand, no MTA I know of does attempts (valid) browser-style
protocol fallback after a connection failure.  So the clients that
insist on security (Postfix, Exim, ...) just defer the mail when
the TLS handshake fails.

In the SMTP ecosystem enforcing FALLBACK_SCSV is pretty much
counter-productive (only reduces security to cleartext for opportunistic
clients, and does not at all help non-opportunistic clients get
through to servers that don't support TLS 1.3, and fail the handshake
if you try).


More information about the openssl-project mailing list