https://bugs.exim.org/show_bug.cgi?id=2872

--- Comment #10 from Jeremy Harris <jgh146...@wizmail.org> ---
(In reply to help from comment #8)
> > This is less than useful, it means a server cannot restrict the 1.3 ciphers
> > it offers yet still offer both 1.3 and 1.2 service with a single
> > configuration.
> 
> With a single configuration? Yes.

With a single configuration, no.  It doesn't work (in a reasonable way).


> Once a TLS 1.3 session is negotiated, there is no possibility for it to
> become a TLS 1.2 session anymore. For good reasons! (Security)

Misconception.  A 1.3 connection is not negotiated, with the attempted
matching of 1.3 configurations, even though there is a matching 1.2
cipher available.  No TLS connection is successfully made.
The server refuses the TLS connection.

Result, for SMTP: either a) (when one end insists on TLS or nothing)
no SMTP communication  OR b) SMTP standard downgrade to in-clear
communications.

It's not a good situation.  And making the facility in Exim config to restrict
the 1.3 ciphersuites makes the occurrence of the problem combination more
likely - because administrators of systems will make different choices -
which will mean more support queries, and perception of Exim being unreliable.

For what it's worth, OpenSSL and GnuTLS do the same here.
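The following is an added illustration, not code from Exim, OpenSSL or GnuTLS: a small model of the server-side version and cipher-suite selection that RFC 8446 describes (version chosen first from the supported_versions lists, then a suite for that version only). It reproduces the failure mode the comment above describes: when both sides support 1.3 but their 1.3 suite lists do not overlap, the server sends handshake_failure rather than retrying at 1.2, even though a common 1.2 suite exists. The suite names, the toy `Hello` structure and the scenarios are constructed for the example.

```python
"""
Constructed model of TLS version / cipher-suite selection (RFC 8446 style).
Not Exim, OpenSSL or GnuTLS code.  It shows why restricting the TLS 1.3
ciphersuites on one side can leave a connection with no usable TLS at all,
even when a matching TLS 1.2 suite is configured on both ends.
"""
from dataclasses import dataclass
from typing import List, Optional

# Which suites belong to which protocol version (a small subset of the IANA
# registry).  TLS 1.3 suites are a separate namespace from 1.2 suites.
TLS13_SUITES = {"TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256",
                "TLS_CHACHA20_POLY1305_SHA256"}
TLS12_SUITES = {"ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
                "ECDHE-RSA-CHACHA20-POLY1305"}


@dataclass
class Hello:
    """What one side offers: supported versions and suites (hypothetical)."""
    versions: List[str]   # e.g. ["1.3", "1.2"]
    suites: List[str]     # preference order; 1.3 and 1.2 suites mixed


@dataclass
class Outcome:
    version: Optional[str]
    suite: Optional[str]
    alert: Optional[str] = None


def _version_key(v: str):
    return tuple(int(x) for x in v.split("."))


def negotiate(client: Hello, server: Hello) -> Outcome:
    """Server-side selection as RFC 8446 lays it out."""
    # Step 1: pick the highest protocol version both sides support.
    common = [v for v in server.versions if v in client.versions]
    if not common:
        return Outcome(None, None, "protocol_version")
    version = max(common, key=_version_key)

    # Step 2: only suites belonging to the chosen version are candidates.
    pool = TLS13_SUITES if version == "1.3" else TLS12_SUITES
    for s in server.suites:                      # server preference order
        if s in pool and s in client.suites:
            return Outcome(version, s)

    # Step 3: no common suite for this version.  The handshake fails here;
    # there is no second attempt at the next-lower version.
    return Outcome(version, None, "handshake_failure")


def tls12_overlap(client: Hello, server: Hello) -> List[str]:
    """Common TLS 1.2 suites, i.e. what a 1.2 fallback would have used."""
    return [s for s in server.suites
            if s in TLS12_SUITES and s in client.suites]


# Constructed scenarios -------------------------------------------------------

def mismatch_scenario() -> Outcome:
    """Both ends restrict 1.3 suites differently; 1.2 suites overlap."""
    client = Hello(["1.3", "1.2"],
                   ["TLS_AES_128_GCM_SHA256", "ECDHE-RSA-AES128-GCM-SHA256"])
    server = Hello(["1.3", "1.2"],
                   ["TLS_AES_256_GCM_SHA384", "ECDHE-RSA-AES128-GCM-SHA256"])
    return negotiate(client, server)


def mismatch_scenario_tls12_overlap() -> List[str]:
    client = Hello(["1.3", "1.2"],
                   ["TLS_AES_128_GCM_SHA256", "ECDHE-RSA-AES128-GCM-SHA256"])
    server = Hello(["1.3", "1.2"],
                   ["TLS_AES_256_GCM_SHA384", "ECDHE-RSA-AES128-GCM-SHA256"])
    return tls12_overlap(client, server)


def mitigated_scenario() -> Outcome:
    """Server keeps TLS_AES_128_GCM_SHA256, which RFC 8446 section 9.1 makes
    mandatory to implement, so any compliant 1.3 peer still overlaps."""
    client = Hello(["1.3", "1.2"],
                   ["TLS_AES_128_GCM_SHA256", "ECDHE-RSA-AES128-GCM-SHA256"])
    server = Hello(["1.3", "1.2"],
                   ["TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256",
                    "ECDHE-RSA-AES128-GCM-SHA256"])
    return negotiate(client, server)


if __name__ == "__main__":
    print("mismatch :", mismatch_scenario(),
          "| unused 1.2 overlap:", mismatch_scenario_tls12_overlap())
    print("mitigated:", mitigated_scenario())
```

The defensive takeaway matches the comment: if a 1.3 suite list is restricted at all, keep the mandatory-to-implement suite in it, because the alternative failure mode for SMTP is either no mail or a cleartext fallback, both of which are worse than a slightly longer suite list.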
