Hello, I just use another subject for the SNI issue, as this seems to be completely independent from the DANE problem with GnuTLS.
On 2024-07-07 03:10, Viktor Dukhovni via Exim-users wrote:
> On Sat, Jul 06, 2024 at 09:44:58PM +0100, Jeremy Harris via Exim-users wrote:
>
> > Actually, you don't know whether the option was forced. Only the result on the
> > connection - which you have not described how you evaluated.
>
> A "tshark" analysis of the connection should be able to reveal all,
> since at least the TLS Client Hello is unencrypted even in TLS 1.3, and
> this is where the SNI extension appears (ECH aside, which is still
> rather bleeding edge, and not currently supported by any MTAs AFAIK).

I did a tcpdump on my test environment, sending mails to a couple of domains: DANE secure, without DANE but enforcing STARTTLS, and such allowing STARTTLS.

I did this three times, using differently compiled exims for the same configuration:
- the distribution original exim, "Exim version 4.96"
- my own compiled exim with OpenSSL from Debian, "Exim version 4.97.1"
- my own compiled exim with self-compiled "openssl-3.3.1", "Exim version 4.97.1"

All connections were established without using SNI, just a plain "Client Hello" in the dump!

I enclose my test configuration, which is almost the Debian default.

Regards
Wolfgang
<<attachment: var-lib-exim4-config.zip>>
--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscr...@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/