> On Feb 25, 2016, at 3:07 AM, Martin Rex <mrex@xxxxxxx> wrote: > > I'm sorry, but this information is strange. > > There exists *NO* downgrade vulnerability in TLS. > > There is a well-known-stupid unprotected "downgrade dance" implemented > in a few web browsers, but that is something entirely different, and > not a property of TLS or SSLv3. > > Btw. even SSLv3 still provides *ALL* the security properties officially > documented for TLSv1.2 in rfc5246 Appendix F. > > What SSLv3 does not provide, however, is additional protection against > obvious abuses of the TLS protocol beyond its original security goals, > such as by ^SSL VPNs and Web Browsers. For authentication-less > SMTP and programmatic clients, the original scope of TLS is sufficient, > and therefore SSLv3 a perfectly sensible option. > > Disabling SSLv3 can not possibly provide any security benefit here, > but may cause interop problems and less security for a few old peers. Would you then go further and say that SMTP servers should leave SSLv2 and/or EXPORT ciphers or single-DES enabled? If not, why not? -- Viktor.