On Mon, Jan 05, 2015 at 06:01:03PM +0100, DTNX Postmaster wrote:
> > With RC4-SHA early enough for the 11-year-old Microsoft Exchange
> > servers.
>
> Sadly, older Exchange servers (2003 at least) will favour 3DES over RC4
> for TLS connections, IIRC.

This is not correct.

> I don't have the fix we used on hand, as our oldest supported Exchange
> version is 2010 these days, but we had an override of some sort that
> required forcing 'DES-CBC3-SHA' for that specific box.
>
> You can specify that as 'DES-CBC3-SHA', or select with something like
> this;
>
> ==
> $ openssl ciphers -v 'RSA+3DES'
> DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1

No, this is a bad idea, it is in fact 3DES that is broken with such servers.

--
Viktor.