On Sun, Oct 26, 2025 at 01:56:21PM +0100, Thomas Krichel via Exim-users wrote:

>   Thank you for this.  I went ahead with a test
> 
> host=helos.openlib.org
> (sleep 2; printf 'QUIT\r\n') | openssl s_client -starttls smtp -connect \
>   $host:25 -groups "*X25519MLKEM768:*X25519:P-256:ffdhe3072" -state -brief
> 
>   yields
> 
> Connecting to 95.216.245.19
> SSL_connect:before SSL initialization
> SSL_connect:SSLv3/TLS write client hello
> SSL_connect:SSLv3/TLS write client hello
> SSL_connect:SSLv3/TLS read server hello
> SSL_connect:TLSv1.3 read encrypted extensions
> depth=0 CN=openlib.org
> verify error:num=10:certificate has expired
> notAfter=Aug 11 03:22:54 2025 GMT
> notAfter=Aug 11 03:22:54 2025 GMT
...

Your server is fine; the client did not get stuck immediately after
sending the TLS Client Hello.  If you're testing from "inside" your
firewall, it may be useful to try the same test from a "remote" client.

> I do have letsencrypt DNS wildcard certificates for my openlib.org,
> and they are rotated, but I have not made use of them in exim, and I
> have not seen an instruction set on how to do this. I suspect I am
> not the only amateurish little eximician like this. A pointer to a good
> resource on what to do would be much welcome.

The command-line I posted does not bother specifying a trust-store to
verify the certificates, so certificate verification errors are to be
expected. The point of the exercise was to check that large TLS Client
Hello messages don't break the handshake.  Your server is fine.

You can test certificate validity with other more mainstream tools or
recipes.

-- 
    Viktor.  🇺🇦 Слава Україні!
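An added illustration of the distinction Viktor draws above (my own code; not from either post and not an Exim or OpenSSL tool): it reads an `openssl s_client -state -brief` transcript and answers the two questions separately, (a) did the handshake get past the Client Hello, which is what the large-ClientHello test is about, and (b) what did certificate verification say, which is a separate matter when no trust store is given. The first transcript is the one Thomas posted; the second, labelled "stuck", is constructed here to show what a client that hangs after the Client Hello looks like, and the 192.0.2.25 address in it is a placeholder.

```python
import re

# Transcript pasted in the thread (openssl s_client -state -brief output).
THREAD_TRANSCRIPT = """\
Connecting to 95.216.245.19
SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS read server hello
SSL_connect:TLSv1.3 read encrypted extensions
depth=0 CN=openlib.org
verify error:num=10:certificate has expired
notAfter=Aug 11 03:22:54 2025 GMT
notAfter=Aug 11 03:22:54 2025 GMT
"""

# Constructed (not from the thread; address is a documentation placeholder):
# a client that never receives a Server Hello, e.g. because something on the
# path drops a Client Hello that grew past one segment with the ML-KEM share.
STUCK_TRANSCRIPT = """\
Connecting to 192.0.2.25
SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS write client hello
"""

STATE_RE = re.compile(r"^SSL_connect:(?P<state>.+)$")
VERIFY_ERR_RE = re.compile(r"^verify error:num=(?P<num>\d+):(?P<msg>.+)$")
NOT_AFTER_RE = re.compile(r"^notAfter=(?P<when>.+)$")


def handshake_states(transcript):
    """Return the SSL_connect state strings in order, duplicates included."""
    return [m.group("state") for line in transcript.splitlines()
            if (m := STATE_RE.match(line.strip()))]


def handshake_progressed(transcript):
    """True when a Server Hello was read after the Client Hello was written.

    This is the property the -groups test probes: a server or middlebox that
    chokes on a large Client Hello never gets here.  Certificate problems are
    reported later in the transcript and do not change this answer.
    """
    states = handshake_states(transcript)
    try:
        wrote = next(i for i, s in enumerate(states)
                     if s.endswith("write client hello"))
    except StopIteration:
        return False
    return any(s.endswith("read server hello") for s in states[wrote + 1:])


def verify_errors(transcript):
    """(error number, message) pairs from X.509 verification; empty if none."""
    out = []
    for line in transcript.splitlines():
        m = VERIFY_ERR_RE.match(line.strip())
        if m:
            out.append((int(m.group("num")), m.group("msg")))
    return out


def not_after(transcript):
    """The leaf certificate's notAfter as printed by s_client, or None."""
    for line in transcript.splitlines():
        m = NOT_AFTER_RE.match(line.strip())
        if m:
            return m.group("when")
    return None


def classify(transcript):
    """Keep the two questions apart: Client Hello accepted? cert verified?"""
    return {
        "client_hello_ok": handshake_progressed(transcript),
        "verify_errors": verify_errors(transcript),
        "not_after": not_after(transcript),
    }


if __name__ == "__main__":
    for name, t in (("thread", THREAD_TRANSCRIPT), ("stuck", STUCK_TRANSCRIPT)):
        print(name, classify(t))
```

On Thomas's transcript this reports `client_hello_ok` true with a verify error 10 (expired) and the printed notAfter, i.e. exactly Viktor's reading: the handshake is fine, the verification complaint is a separate issue. For the "mainstream" validity check Viktor alludes to, the same `openssl s_client -starttls smtp` invocation with a trust store (`-CAfile` or `-CApath`) and `-verify_return_error` makes verification failures fatal, and piping the served certificate through `openssl x509 -noout -enddate -checkend 0` reports whether it has already expired.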

-- 
## subscription configuration (requires account):
##   https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
##   [email protected]
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
