Re: [exim] OpenSSL IOT woes

2022-10-03 Thread Viktor Dukhovni via Exim-users
On Mon, Oct 03, 2022 at 07:22:29PM +0100, Jeremy Harris via Exim-users wrote: > On 03/10/2022 18:08, Jeremy Harris via Exim-users wrote: > > Could the min/max protocol stuff mentioned in > > https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html > > be affecting it? > > Exim has no

Re: [exim] OpenSSL IOT woes

2022-10-03 Thread Jeremy Harris via Exim-users
On 03/10/2022 18:08, Jeremy Harris via Exim-users wrote: Could the min/max protocol stuff mentioned in https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html be affecting it? Exim has no SSL_CONF_* calls currently; probably never has in its history. Bingo. The value given by

Re: [exim] OpenSSL IOT woes

2022-10-03 Thread Viktor Dukhovni via Exim-users
On Mon, Oct 03, 2022 at 06:08:58PM +0100, Jeremy Harris via Exim-users wrote: > > Presumably it'll work for you if you connect to: > > > > [dnssec-stats.ant.isi.edu]:25 > > It does. Ok, so the client side is not the problem... > > So the barrier is some interaction between Exim and

Re: [exim] OpenSSL IOT woes

2022-10-03 Thread Jeremy Harris via Exim-users
On 30/09/2022 21:33, Viktor Dukhovni via Exim-users wrote: On Fri, Sep 30, 2022 at 09:18:08PM +0100, Jeremy Harris via Exim-users wrote: On 30/09/2022 20:28, Viktor Dukhovni via Exim-users wrote: Does "s_client -tls1_1 -cipher ALL:@SECLEVEL=0" work? Let's first sort that out. It does not.

Re: [exim] OpenSSL IOT woes

2022-09-30 Thread Viktor Dukhovni via Exim-users
On Fri, Sep 30, 2022 at 09:18:08PM +0100, Jeremy Harris via Exim-users wrote: > On 30/09/2022 20:28, Viktor Dukhovni via Exim-users wrote: > > Does "s_client -tls1_1 -cipher ALL:@SECLEVEL=0" work? Let's first > > sort that out. > > It does not. The same Fatal Alert. Presumably it'll work for

Re: [exim] OpenSSL IOT woes

2022-09-30 Thread Jeremy Harris via Exim-users
On 30/09/2022 20:28, Viktor Dukhovni via Exim-users wrote: Does "s_client -tls1_1 -cipher ALL:@SECLEVEL=0" work? Let's first sort that out. It does not. The same Fatal Alert. -- Cheers, Jeremy

Re: [exim] OpenSSL IOT woes

2022-09-30 Thread Viktor Dukhovni via Exim-users
On Fri, Sep 30, 2022 at 08:14:20PM +0100, Jeremy Harris via Exim-users wrote: > > Does its cipherlist end with ":@SECLEVEL=0" (or does it explicitly > > set the security level via the OpenSSL API). > > The latter. > > I can add calls to read out bit of setup just before SSL_accept, if you >

Re: [exim] OpenSSL IOT woes

2022-09-30 Thread Jeremy Harris via Exim-users
On 30/09/2022 19:17, Viktor Dukhovni via Exim-users wrote: openssl_options = -no_sslv3 -no_tlsv1_1 -no_tlsv1 doesn't change the result. That sets a floor, rather than clearing it. You're explicitly turning off SSL 3.0, TLS 1.0 and TLS 1.1. No. This is the exim option not an s_client

Re: [exim] OpenSSL IOT woes

2022-09-30 Thread Viktor Dukhovni via Exim-users
On Fri, Sep 30, 2022 at 07:05:52PM +0100, Jeremy Harris via Exim-users wrote: > On 30/09/2022 18:34, Viktor Dukhovni via Exim-users wrote: > > Do you also have a TLS version floor? "protocol version" sure sounds > > like it. > > Not as far as I know, and > openssl_options = -no_sslv3

[exim] OpenSSL IOT woes

2022-09-30 Thread Jeremy Harris via Exim-users
On 30/09/2022 18:34, Viktor Dukhovni via Exim-users wrote: Do you also have a TLS version floor? "protocol version" sure sounds like it. Not as far as I know, and openssl_options = -no_sslv3 -no_tlsv1_1 -no_tlsv1 doesn't change the result. There is indeed a "protocol version" fatal alert