Author: Phil Pennock
Date:
To: exim-users
Subject: Re: [exim] "Could not negotiate a supported cipher suite" with 2048-bit RSA server key
On 2014-02-12 at 22:24 +0000, Viktor Dukhovni wrote:
> On Wed, Feb 12, 2014 at 10:55:48PM +0100, Magnus Holmgren wrote:
> > Disabling TLS 1.2 with e.g. tls_require_ciphers = NORMAL:-VERS-TLS1.2 makes
> > the handshake succeed.
>
> There could perhaps be a different problem, maybe even a bug in
> GnuTLS TLS 1.2 support. Still SHA2-512 stands out like a sore
> thumb.
GnuTLS on Debian stable releases might be a little too old to support
SHA2-512. Upgrade GnuTLS, rebuild Exim against the newer GnuTLS. If
that fixes the problem locally, then (1) you know what the cause is;
(2) you now are developing a sinking feeling about your chances of
getting all of the sites sending you mail to upgrade GnuTLS; (3) you
will sooner or later just relent and go find a CA which is willing to
issue certs which are reasonably likely to allow interoperation on the
public Internet today, not 7 years from now.
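The thread's suspect is the certificate's signature algorithm (SHA2-512 with RSA). Before rebuilding GnuTLS or shopping for a new CA, the first thing to confirm is what the server certificate is actually signed with. The script below is an added example, not part of the original message and not Exim or GnuTLS code: it walks the outer DER structure of an X.509 certificate (tbsCertificate, signatureAlgorithm, signatureValue), decodes the signatureAlgorithm OID with no dependencies beyond the Python standard library, and flags the SHA-512 variants the thread identifies as an interop risk with older GnuTLS builds. The embedded certificate is a constructed stand-in (a dummy tbsCertificate and a dummy signature around a real sha512WithRSAEncryption AlgorithmIdentifier), so it runs offline; point it at a real PEM file to check your own certificate.

```python
import base64
import sys

# Signature-algorithm OIDs from PKCS#1 and ANSI X9.62 (only the ones relevant here).
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}

# The thread's observation: SHA-512 signatures trip older GnuTLS on TLS 1.2.
SHA512_OIDS = {"1.2.840.113549.1.1.13", "1.2.840.10045.4.3.4"}


def read_tlv(data, offset):
    """Read one DER tag-length-value at offset; return (tag, body, next_offset)."""
    tag = data[offset]
    length = data[offset + 1]
    header = 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[offset + 2:offset + 2 + n], "big")
        header = 2 + n
    start = offset + header
    return tag, data[start:start + length], start + length


def decode_oid(body):
    """Decode DER OBJECT IDENTIFIER contents into dotted form."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last base-128 byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def pem_to_der(pem):
    """Strip the PEM armour and base64-decode the body."""
    lines = [l.strip() for l in pem.splitlines()
             if l.strip() and not l.startswith("-----")]
    return base64.b64decode("".join(lines))


def signature_algorithm(der):
    """Return the dotted OID of Certificate.signatureAlgorithm."""
    tag, cert, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, off = read_tlv(cert, 0)          # tbsCertificate (skipped)
    tag, alg_id, _ = read_tlv(cert, off)      # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_body, _ = read_tlv(alg_id, 0)    # first element: the algorithm OID
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid_body)


def algorithm_name(oid):
    return SIGNATURE_OIDS.get(oid, "unknown (" + oid + ")")


def interop_warning(oid):
    """Warning text for signature algorithms the thread reports as problematic, else None."""
    if oid in SHA512_OIDS:
        return ("certificate is signed with " + algorithm_name(oid) +
                "; older GnuTLS builds may fail the TLS 1.2 handshake against it")
    return None


# Constructed sample: SEQUENCE { dummy tbsCertificate, sha512WithRSAEncryption, dummy signature }.
SAMPLE_DER = bytes.fromhex(
    "3018"                          # Certificate SEQUENCE, 24 bytes
    "3003020101"                    # placeholder tbsCertificate: SEQUENCE { INTEGER 1 }
    "300d06092a864886f70d01010d0500"  # AlgorithmIdentifier { OID 1.2.840.113549.1.1.13, NULL }
    "030200ff"                      # placeholder signatureValue BIT STRING
)
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" +
              base64.encodebytes(SAMPLE_DER).decode() +
              "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    der = pem_to_der(open(sys.argv[1]).read()) if len(sys.argv) > 1 else SAMPLE_DER
    oid = signature_algorithm(der)
    print("signatureAlgorithm:", algorithm_name(oid))
    warning = interop_warning(oid)
    if warning:
        print("WARNING:", warning)
```

Usage: `python3 check_sigalg.py server.pem` (the filename is whatever you saved the block as). A warning here matches the symptom in the thread; the fix on the receiving side is a newer GnuTLS, and on the sending side, as the reply says, a certificate signed with something the installed base already understands.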