Re: [exim] TLSv1.1, TLSv1.2

Author: Phil Pennock
To: exim-users
Subject: Re: [exim] TLSv1.1, TLSv1.2
On 2012-04-28 at 09:37 +0300, Lena@??? wrote:
> I don't know how. I can test-run the script on my home machine
> (also with FreeBSD and openssl from ports) with openssl 1.0.1a,
> the diagnostics:

During coding up the TLS1.1/1.2 stuff for Exim's OpenSSL integration, I
noted a peculiar value for an SSL_OP flag for disabling 1.1. Checking
further, this has already been fixed in 1.0.1b. The constant value
changes between the two releases, in an incompatible way.

Exim 4.78 will #warn at compile time if the installed version of OpenSSL
is 1.0.1a. Definitely avoid that version.

> > TLS protocol negotiation should be
> > robust to this sort of thing, shouldn't it?
> It should, but something went wrong.

Similarly, when testing with s_client against Exim, I get protocol
failures during renegotiation because s_client continues with TLS1.2 but
Exim's handshake reply is TLS1.0. I can find no reason for this in the
Exim source code and have spent some unproductive time trying to trace
through the OpenSSL library code to see what might be causing this.

At this point, I suspect OpenSSL 1.0.1 should be regarded as Distinctly
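Added example, not part of this thread and not Exim's own code: the post says Exim 4.78 warns at compile time when the OpenSSL headers are 1.0.1a because the value of the SSL_OP flag for disabling TLS 1.1 (SSL_OP_NO_TLSv1_1) changed in 1.0.1b. The block below shows how such a check can be expressed against OPENSSL_VERSION_NUMBER (encoded as 0xMNNFFPPS in OpenSSL 0.9.x through 1.1.x: major, minor, fix, patch letter, status), and adds a small decoder so the hex value can be read back as "1.0.1a". The macro name OPENSSL_1_0_1A and the two helper functions are this example's own; the warning text is assumed wording, not Exim's.

```c
/* Added example (not from the exim-users thread or the Exim source):
 * detect OpenSSL 1.0.1a from OPENSSL_VERSION_NUMBER at compile time and
 * decode the pre-3.0 version layout 0xMNNFFPPS.  OpenSSL 3.x re-encoded
 * the number (no fix byte, no patch letters), so the decoder below is
 * only meaningful for 0.9.x .. 1.1.x values. */
#include <stdio.h>
#include <string.h>

/* Use the real header if it is installed; the example still builds without it. */
#if defined(__has_include)
#  if __has_include(<openssl/opensslv.h>)
#    include <openssl/opensslv.h>
#  endif
#endif

/* 1.0.1a: major 1, minor 00, fix 01, patch 01 ('a'), status f (release). */
#define OPENSSL_1_0_1A 0x1000101fL

/* Compile-time warning in the spirit of the Exim 4.78 check described above.
 * #warning is a GCC/Clang extension; it does not stop the build. */
#if defined(OPENSSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER == OPENSSL_1_0_1A)
#  warning "Building against OpenSSL 1.0.1a: SSL_OP_NO_TLSv1_1 has a different value than in 1.0.1b; use 1.0.1b or later"
#endif

/* Return 1 if v is exactly the header version number of OpenSSL 1.0.1a. */
int is_openssl_1_0_1a(unsigned long v)
{
    return v == OPENSSL_1_0_1A;
}

/* Decode 0xMNNFFPPS into "M.NN.FF" plus patch letter(s) and a status
 * suffix, e.g. 0x1000101fL -> "1.0.1a".  Patch 1..26 map to a..z and
 * 27.. to za, zb, ... (as in 0.9.8za); status 0xf is a release, 0 is
 * "-dev" and 1..14 are "-betaN". */
const char *decode_openssl_version(unsigned long v, char *buf, size_t n)
{
    unsigned major  = (unsigned)((v >> 28) & 0xf);
    unsigned minor  = (unsigned)((v >> 20) & 0xff);
    unsigned fix    = (unsigned)((v >> 12) & 0xff);
    unsigned patch  = (unsigned)((v >> 4)  & 0xff);
    unsigned status = (unsigned)(v & 0xf);
    char letters[3] = {0, 0, 0};
    char suffix[16] = "";

    if (patch >= 1 && patch <= 26) {
        letters[0] = (char)('a' + patch - 1);
    } else if (patch > 26 && patch <= 52) {
        letters[0] = 'z';
        letters[1] = (char)('a' + patch - 27);
    }
    if (status == 0)
        snprintf(suffix, sizeof suffix, "-dev");
    else if (status < 0xf)
        snprintf(suffix, sizeof suffix, "-beta%u", status);

    snprintf(buf, n, "%u.%u.%u%s%s", major, minor, fix, letters, suffix);
    return buf;
}

int main(void)
{
    char buf[32];
#ifdef OPENSSL_VERSION_NUMBER
    printf("compiled against OpenSSL %s (0x%08lx)%s\n",
           decode_openssl_version((unsigned long)OPENSSL_VERSION_NUMBER, buf, sizeof buf),
           (unsigned long)OPENSSL_VERSION_NUMBER,
           is_openssl_1_0_1a((unsigned long)OPENSSL_VERSION_NUMBER) ? " -- avoid this release" : "");
#else
    printf("no OpenSSL headers found; sample decode of 0x%08lx -> %s\n",
           OPENSSL_1_0_1A, decode_openssl_version(OPENSSL_1_0_1A, buf, sizeof buf));
#endif
    return 0;
}
```

The preprocessor test only sees the headers the binary was compiled against. On a system where the shared library was upgraded separately (a FreeBSD ports install next to the base system, for instance), compare it with the number the library reports at run time, SSLeay() in 1.0.x or OpenSSL_version_num() from 1.1.0 on, so that a 1.0.1b header paired with a 1.0.1a library is not missed.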