On 06.06.25 at 10:21, Viktor Dukhovni via Exim-users wrote:
> On Fri, Jun 06, 2025 at 09:37:27AM +0200, Cyborg via Exim-users wrote:
>> Exim returns:
>> TLS session: (SSL_connect): error:0A00018A:SSL routines::dh key too small
>> when connecting with s_client to that server, a wired connection is
>> established:
> Which specific server?
93.62.204.35
> Did you actually connect to the same TCP endpoint (IP and port)?
Yep.
>> TLS 1.3 Cipher, but TLS 1.2 protocol => should not even work, but it does in
>> s_client.
> Lesson learned, it's also available for TLS 1.2 with RSA Kx
> $ openssl ciphers -s -tls1_2 -v AES256-GCM-SHA384
> AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
> that uses deprecated RSA key exchange, instead of DHE or ECDHE. It is
> not clear how you ended up negotiating this cipher, because the default
> preference order has it well below the usual PFS (DHE/ECDHE) ciphers:
Judging from the TLS version check a few days ago, the cipher is
typically/only used with TLS 1.3, which makes sense now, because no RSA
Kx is used in TLS 1.3.
The cipher is not used in TLS 1.2 connections, at least with the
OpenSSL default setup of Fedora.
In the TLS cipher summary from 2017 (pre TLS 1.3), the cipher is also
not listed for TLS 1.2. (Summary taken with Fedora)
s_client seems to be happy to use it with TLS 1.2, so something else,
i.e. the crypto-policy seems to deny the usage of that cipher with TLS
1.2 in Exim.
I'm pretty sure you are right about the RSA Kx limitation, but s_client
should enforce that too???
That's why I wanted to know which exact arguments are passed by Exim to
OpenSSL, i.e. to enforce a higher security level or to exclude specific
ciphers or exchanges. Fedora does not seem to have a special Exim
policy for OpenSSL, so it's either s_client ignoring the policies or an
extra argument is given.
@Jeremy will know for sure.
--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## [email protected]
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
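The confusion in the thread is that AES256-GCM-SHA384 is the OpenSSL name of a TLS 1.2 suite with RSA key exchange, not the TLS 1.3 suite TLS_AES_256_GCM_SHA384 it resembles. The script below is an added example, not code from Exim or from any poster; it uses only the standard-library ssl module to ask the local OpenSSL build what key exchange a suite name resolves to, lists the non-PFS suites in the DEFAULT cipher list, and checks a cipher string that removes RSA key exchange. The function names (ciphers_for, lookup, non_pfs), the constant NO_RSA_KX and the set of key-exchange labels treated as PFS are this example's own; the suite list it prints depends on the OpenSSL build and, on Fedora, on the crypto-policy and security level in effect.

```python
"""Resolve a cipher-suite name to the key exchange it really uses in the
local OpenSSL build, and build a cipher string that leaves no RSA key
exchange behind.

Added example for this thread, not code from Exim or from any poster.
It relies only on the standard-library ssl module; the exact suite list
depends on the OpenSSL build and (on Fedora) the crypto-policy.
"""
import ssl
from typing import List, Optional

# Key-exchange labels as reported in SSLContext.get_ciphers()[i]["kea"].
# TLS 1.3 suites report "kx-any": the suite name no longer encodes the key
# exchange, and every TLS 1.3 handshake uses ephemeral (EC)DHE, so it is PFS.
PFS_KX = {"kx-ecdhe", "kx-dhe", "kx-ecdhe-psk", "kx-dhe-psk", "kx-any"}

# Hardened cipher string (assumption of this example): drop RSA key exchange
# (kRSA) and the PSK/SRP families, which are irrelevant for MTA-to-MTA TLS
# and partly non-PFS. What remains is ECDHE/DHE for TLS 1.2 plus TLS 1.3.
NO_RSA_KX = "DEFAULT:!kRSA:!PSK:!SRP"


def ciphers_for(cipher_string: str) -> List[dict]:
    """Return OpenSSL's view of every suite enabled by `cipher_string`
    (name, protocol, key exchange, authentication, ...)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()


def lookup(name: str, cipher_string: str = "DEFAULT") -> Optional[dict]:
    """Find one suite by its OpenSSL name, or None if the build/policy
    does not offer it under `cipher_string`."""
    for c in ciphers_for(cipher_string):
        if c["name"] == name:
            return c
    return None


def non_pfs(ciphers: List[dict]) -> List[str]:
    """Names of suites whose key exchange gives no forward secrecy."""
    return sorted(c["name"] for c in ciphers if c["kea"] not in PFS_KX)


def describe(c: dict) -> str:
    """One-line summary in the spirit of `openssl ciphers -v`."""
    return "{name:28} {protocol:8} {kea:14} {auth}".format(**c)


if __name__ == "__main__":
    # The name from the thread: despite looking like the TLS 1.3 suite
    # TLS_AES_256_GCM_SHA384, it is a TLS 1.2 suite with RSA key exchange.
    for name in ("AES256-GCM-SHA384", "TLS_AES_256_GCM_SHA384"):
        c = lookup(name)
        print(describe(c) if c else f"{name}: not offered by this build/policy")

    print("\nnon-PFS suites in DEFAULT:")
    for name in non_pfs(ciphers_for("DEFAULT")):
        print("  ", name)

    print(f"\nnon-PFS suites in {NO_RSA_KX!r}:", non_pfs(ciphers_for(NO_RSA_KX)))
```

Run it with no arguments; the first line should show AES256-GCM-SHA384 as TLSv1.2 with kx-rsa, and the last line should be an empty list. In Exim built against OpenSSL, the place where such a cipher string is applied is the `tls_require_ciphers` option (main section for inbound, smtp transport for outbound), which takes an OpenSSL cipher list of exactly this form.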