A slightly nicer tool than just using "openssl s_client" is testssl.sh; it handles STARTTLS and some other non-trivial cases.

https://testssl.sh/

Back when I first used it I did read the source; these days, at ~650k of shell script, that's a little less practical.

On 12/4/21 10:58 pm, Bjørn Mork wrote:
> OK, so that email bounced. Or will eventually because this does not go
> away with someone doing something:
>
> <dmi...@interhost.net>... Deferred: 403 4.7.0 TLS handshake failed.
>
> I am posting this in public because it unfortunately is a very common
> problem.
>
> Debian buster was released on July 6th, 2019. It includes openssl 1.1.1
> with this configuration update among a number of other improvements:
>
> openssl (1.1.1~~pre6-1) experimental; urgency=medium
>
> * New upstream version
> * Increase default security level from 1 to 2. This moves from the 80 bit
> security level to the 112 bit security level and will require 2048 bit RSA
> and DHE keys.
>
> -- Kurt Roeckx <k...@roeckx.be> Tue, 01 May 2018 16:00:55 +0200
>
>
> I assume similar policies have been applied to all modern and maintained
> operating systems by now.
>
> Everyone should verify their own SMTP servers to avoid losing email due
> to TLS failures. Doing so is simple from e.g. Debian:
>
> bjorn@canardo:/usr/local/src/openwrt$ cd
> bjorn@canardo:~$ host interhost.net
> interhost.net has address 185.18.204.66
> interhost.net mail is handled by 10 pineapp.interhost.co.il.
>
> bjorn@canardo:~$ openssl s_client -quiet -connect pineapp.interhost.co.il:25 -starttls smtp
> depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
> verify return:1
> depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL RSA CA 2018
> verify return:1
> depth=0 CN = *.interhost.co.il
> verify return:1
> 139901908640896:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small:../ssl/statem/statem_clnt.c:2150:
>
> The fix obviously depends on the server, but is usually as simple as
> regenerating the DH parameters.
> See for example
> https://forums.freebsd.org/threads/sendmail-dh-key-too-small.51985/
>
> Bjørn
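As an added example (not code from the thread or from testssl.sh), the manual check above turned into a small POSIX sh script: it resolves a domain's MX hosts with `host`, runs the same `openssl s_client -starttls smtp` handshake while forcing OpenSSL security level 2 with `-cipher 'DEFAULT@SECLEVEL=2'` (so the result matches a Debian buster client even when the local openssl.cnf is more permissive), and classifies the output so the "dh key too small" case is reported separately. It assumes the `openssl`, `host` and `awk` command-line tools are installed.

```shell
#!/bin/sh
# Added example, not from the thread: check each MX host of a domain the way
# a Debian buster client would, by forcing OpenSSL security level 2 (112-bit,
# 2048-bit RSA/DHE minimum) on the STARTTLS handshake.
# Assumes the openssl and host command-line tools are installed.

# Classify captured "openssl s_client" output read from stdin.
# Prints one of: WEAK_DH, CONNECT_FAIL, HANDSHAKE_ERROR, VERIFY_FAIL, OK, UNKNOWN
classify_s_client_output() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'dh key too small'; then
        echo WEAK_DH            # server DH parameters below the 2048-bit minimum
    elif printf '%s\n' "$out" | grep -q 'connect:errno'; then
        echo CONNECT_FAIL       # TCP connection never came up
    elif printf '%s\n' "$out" | grep -q ':error:'; then
        echo HANDSHAKE_ERROR    # any other libssl error line
    elif printf '%s\n' "$out" | grep -qF 'Verify return code: 0 (ok)'; then
        echo OK                 # handshake completed and the chain verified
    elif printf '%s\n' "$out" | grep -q 'Verify return code:'; then
        echo VERIFY_FAIL        # handshake completed but the chain did not verify
    else
        echo UNKNOWN
    fi
}

# Run the STARTTLS handshake against one host (port defaults to 25) at
# security level 2 and classify the result.
check_starttls_host() {
    openssl s_client -starttls smtp -connect "$1:${2:-25}" \
        -cipher 'DEFAULT@SECLEVEL=2' </dev/null 2>&1 | classify_s_client_output
}

# Resolve the MX records of a domain and check every one of them.
# "host -t MX" prints "<domain> mail is handled by <prio> <mx>." per record.
check_mx_starttls() {
    host -t MX "$1" | awk '/mail is handled by/ {sub(/\.$/, "", $NF); print $NF}' |
    while read -r mx; do
        printf '%s\t%s\n' "$mx" "$(check_starttls_host "$mx")"
    done
}

# Usage: sh check_mx_starttls.sh example.org
if [ $# -eq 1 ]; then
    check_mx_starttls "$1"
fi
```

Run it against your own domain; a WEAK_DH line for any MX means modern clients will defer mail exactly as in the bounce above, and regenerating that server's DH parameters is the usual fix.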