On Fri, Sep 30, 2022 at 11:05:57AM -0400, Viktor Dukhovni via Exim-users wrote:

> > Clearing either no_tlsv1_1 or no_sslv3 has no effect.
> 
> Of course, if there's no support, the CLI flags don't matter.  TLS 1.1 does
> not work with OpenSSL 3.0.5, though it looks more like a bug to me:
> 
>     $ openssl s_client -quiet -starttls smtp -tls1_1 -connect $(uname -n):25
>     depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
>     verify return:1
>     depth=1 C = US, O = Let's Encrypt, CN = R3
>     verify return:1
>     depth=0 CN = dnssec-stats.ant.isi.edu
>     verify return:1
>     C0A1EBA5F27F0000:error:0A0C0103:SSL routines:tls_process_key_exchange:internal error:ssl/statem/statem_clnt.c:2252:

I just reproduced the problem with a fresh build of 3.0.6-dev from
github (built on FreeBSD 12.3):

    $ LD_LIBRARY_PATH=/var/tmp/openssl/lib /var/tmp/openssl/bin/openssl s_client -starttls smtp -tls1_1 -quiet -connect localhost:25
    Can't use SSL_get_servername
    depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=1 C = US, O = Let's Encrypt, CN = R3
    verify return:1
    depth=0 CN = <...>
    verify return:1
    00C0C60008000000:error:0A0C0103:SSL routines:tls_process_key_exchange:internal error:ssl/statem/statem_clnt.c:2254:

I'll try to find some time to file a bug.  Feel free to beat me to it.

-- 
    Viktor.

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
