On Fri, Sep 30, 2022 at 03:48:18PM +0100, Jeremy Harris via Exim-users wrote:
> OpenSSL 3.0.5 5 Jul 2022 running on Fedora 36
>
> I think using the distro standard package
> openssl-1:3.0.2-4.fc36.x86_64
> (though I note the numbers don't exactly line up)
>
> The failure mode is a TLS Alert complaining about version
> (I forget the precise wording, sorry)
> and followed by what looks like a library internal bug-triggered
> error for a BIO operation error.
>
> Clearing either no_tlsv1_1 or no_sslv3 has no effect.

Of course, if there's no support, the CLI flags don't matter. TLS 1.1
does not work with OpenSSL 3.0.5, though it looks more like a bug to me:

    $ openssl s_client -quiet -starttls smtp -tls1_1 -connect $(uname -n):25
    depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
    verify return:1
    depth=1 C = US, O = Let's Encrypt, CN = R3
    verify return:1
    depth=0 CN = dnssec-stats.ant.isi.edu
    verify return:1
    C0A1EBA5F27F0000:error:0A0C0103:SSL routines:tls_process_key_exchange:internal error:ssl/statem/statem_clnt.c:2252:

Things work better with TLS 1.2:

    $ openssl s_client -quiet -starttls smtp -tls1_2 -connect $(uname -n):25
    depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
    verify return:1
    depth=1 C = US, O = Let's Encrypt, CN = R3
    verify return:1
    depth=0 CN = dnssec-stats.ant.isi.edu
    verify return:1
    250 CHUNKING
    QUIT
    221 2.0.0 Bye

If this is still broken in 3.0.6-dev, a bug report may be appropriate.

--
    Viktor.