On 2013-02-26 at 16:53 +0200, Warren Baker wrote:
> Thanks Phil, using +no_tlsv1_1 did the job. So a setting of
> openssl_options = -all +no_tlsv1_1 is working fine and I haven't seen
> any problems for the last 12 hours or so.
> When you refer to MS bugs around the use of TLS1.1/TLS1.2 are you
> referring to MS exchange servers and Exim talking to them using TLS?
Might not be MS.
It looks like OpenSSL's AES-NI problems may be ongoing, and there's a
Debian bug which looks suspiciously similar, and has led to an
openssl-dev discussion:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=678353#10
If you get a chance, could you try running an Exim which does *not*
disable any TLS protocols, but export into its environ at startup:
OPENSSL_ia32cap=~0x200000200000000
?
My knowledge of the special OpenSSL capabilities environment variables
is limited to "they exist" and "I can probably find clues to the bits in
the source", so the above suggestion is pure cargo-cult from the Debian
bug.
If you can manage to make things not-fail with just that environment
variable, or want to help more generally, then you might look at:
http://rt.openssl.org/Ticket/Display.html?id=3002
login: guest/guest
and perhaps comment on the openssl-dev mailing-list if you're prepared
to help diagnose more about what's happening?
Thanks,
-Phil
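
Added example, not part of the original message: a small decoder for the OPENSSL_ia32cap value suggested above, showing which CPU capability bits the mask clears. The bit names follow OpenSSL's OPENSSL_ia32cap documentation (only a few are listed); the "detected" vector is constructed, and the function names are this example's own.

```python
# Added example: decode an OPENSSL_ia32cap setting.
# Bit positions are taken from OpenSSL's OPENSSL_ia32cap documentation;
# this table is a deliberately small subset.
FEATURE_BITS = {
    26: "SSE2",
    33: "PCLMULQDQ",
    41: "SSSE3",
    57: "AES-NI",
    60: "AVX",
}
MASK64 = (1 << 64) - 1


def parse_ia32cap(value):
    """Return (clear_mode, vector).

    A leading '~' means "clear these bits from what the CPU reports";
    without it, the vector replaces the detected capabilities outright.
    Accepts 0x-prefixed hex or decimal.
    """
    value = value.strip()
    clear_mode = value.startswith("~")
    vector = int(value[1:] if clear_mode else value, 0) & MASK64
    return clear_mode, vector


def effective_caps(detected, value):
    """Capability vector OpenSSL would use, given the detected one."""
    clear_mode, vector = parse_ia32cap(value)
    return (detected & ~vector & MASK64) if clear_mode else vector


def named_bits(vector):
    """Names of the known feature bits set in vector."""
    return sorted(n for bit, n in FEATURE_BITS.items() if (vector >> bit) & 1)


def disabled_features(detected, value):
    """Known features present on the CPU but hidden by the setting."""
    return named_bits(detected & ~effective_caps(detected, value))


if __name__ == "__main__":
    # Constructed vector: a CPU reporting all five features in the table.
    detected = sum(1 << b for b in FEATURE_BITS)
    print(disabled_features(detected, "~0x200000200000000"))
```

If the failures stop with this variable exported, the masked AES-NI and PCLMULQDQ code paths are the ones to report on the ticket.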