This is about the EXP ciphers.
Read up on it under google:"freak tls".
What I still want to ask, though:
was/is it actually enough to disable the EXP ciphers via the cipher configuration?
The articles always talk about searching for the string "export" in the ssl library.
If the attack could be mitigated via configuration, why was that never referred to, e.g. in the kind of sslscan output shown above?
Or does the attack rely precisely on the EXP modes being (or having been) negotiable despite a strict configuration?
EDIT 20150916
Simply disabling them via the config does mitigate the attack,
http://www.postfix.org/:
Newsflash
As of July 2015, all supported Postfix releases no longer enable export-grade ciphers, and no longer enable the SSLv2 and SSLv3 protocols. These ciphers and protocols have little if any legitimate use today, and have instead become a vehicle for downgrade attacks. See the announcement for more.
Logjam Attack: this has mostly the same countermeasure as FREAK: disable EXPORT ciphers on the SMTP server side, as described under the next bullet.
FREAK Attack: To protect vulnerable clients execute as root "postconf smtpd_tls_exclude_ciphers=EXPORT; postfix reload". This command removes EXPORT ciphers with opportunistic as well as mandatory TLS. The impact of this attack was already low because each Postfix SMTP server process computes its own "ephemeral" RSA key and terminates after a limited time.
GHOST Attack: Postfix does not call gethostbyname() since 2005. There is no Postfix code that invokes this function unless Postfix is specifically built for operating systems from more than 10 years ago (this requires the compile-time option "-DNO_IPV6").
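As an added example (not from the original post and not Postfix project code): a small bash script that checks the two things the question above turns on, namely whether a Postfix main.cf really excludes the EXPORT suites, and whether a scanner listing still shows accepted EXP ciphers. The main.cf fragments and the sslscan-style "Accepted" lines are constructed samples embedded in the script so it runs offline; the live probe at the end is an assumption that only works with an OpenSSL build old enough to still contain export suites.

```shell
#!/usr/bin/env bash
# Added example: audit EXPORT-grade suites in a Postfix setup.
# Not taken from the original post or from Postfix; sample data is constructed.

# Constructed main.cf fragment after "postconf smtpd_tls_exclude_ciphers=EXPORT".
# Per the Postfix newsflash, this exclusion applies to opportunistic and mandatory TLS.
MAINCF_HARDENED='smtpd_tls_security_level = may
smtpd_tls_exclude_ciphers = EXPORT, LOW, aNULL
smtpd_tls_mandatory_ciphers = medium'

# Constructed main.cf fragment where the exclusion exists only as a commented-out line.
MAINCF_WEAK='smtpd_tls_security_level = may
#smtpd_tls_exclude_ciphers = EXPORT
smtpd_tls_mandatory_ciphers = medium'

# Constructed sslscan-style listings (format approximated, not real scanner output):
# before the fix two 40-bit export suites are accepted, afterwards only AES.
SCAN_BEFORE='Accepted  TLSv1.0  128 bits  AES128-SHA
Accepted  TLSv1.0  40 bits   EXP-RC4-MD5
Accepted  TLSv1.0  40 bits   EXP-DES-CBC-SHA
Rejected  TLSv1.0  56 bits   DES-CBC-SHA'

SCAN_AFTER='Accepted  TLSv1.0  128 bits  AES128-SHA
Rejected  TLSv1.0  40 bits   EXP-RC4-MD5'

# config_excludes_export CONFIG_TEXT
# Exit 0 if an active (not commented) smtpd_tls_exclude_ciphers line names EXPORT.
config_excludes_export() {
    printf '%s\n' "$1" | grep -Eiq \
        '^[[:space:]]*smtpd_tls_exclude_ciphers[[:space:]]*=([^#]*[[:space:],])?EXPORT([[:space:],]|$)'
}

# count_export_ciphers SCAN_TEXT
# Print the number of "Accepted" lines that are export grade: either the
# OpenSSL name starts with EXP, or the key size is 56 bits or less.
count_export_ciphers() {
    printf '%s\n' "$1" | awk '
        $1 == "Accepted" && ($5 ~ /^EXP/ || $3 + 0 <= 56) { n++ }
        END { print n + 0 }'
}

# audit CONFIG_TEXT SCAN_TEXT
# Print a one-word verdict: "ok" only if the config excludes EXPORT and the
# scan shows no accepted export suite.
audit() {
    if config_excludes_export "$1" && [ "$(count_export_ciphers "$2")" -eq 0 ]; then
        echo ok
    else
        echo vulnerable
    fi
}

# probe_export HOST
# Live check against an SMTP server (assumption: an OpenSSL build that still
# ships export suites; modern builds answer "no cipher match", which itself
# tells you the client side cannot negotiate EXP any more). Not run by default.
probe_export() {
    openssl s_client -starttls smtp -cipher 'EXPORT' -connect "$1:25" </dev/null
}

# Stand-alone run: show both states.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    echo "before fix: $(audit "$MAINCF_WEAK" "$SCAN_BEFORE")"
    echo "after fix:  $(audit "$MAINCF_HARDENED" "$SCAN_AFTER")"
fi
```

The point the script makes is that the config line alone is only half the evidence: keep the scan as the second check, because a server that ignores its exclusion list (the scenario the question worries about) would still show "Accepted" EXP lines even with the right main.cf.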