On Fri, Nov 06, 2015 at 06:45:07PM +0300, Evgeniy Berdnikov wrote:
> > ... or an SSL library version issue?
>
> With "openssl s_client -tls1_1 -starttls smtp -connect 212.47.226.52:25"
> I got "250 HELP" message, and with "-tls1_2" got TLS negotiation failure.

Indeed the server supports only TLS <= 1.1. When the client offers
1.0, 1.1 and 1.2, it selects 1.1, but with a 1.2 ciphersuite! That
of course does not work.

When I remove all the TLS 1.2 ciphersuites from the client's HELLO,
the handshake completes:

posttls-finger: Untrusted TLS connection established to mail.subse.eu[212.47.226.52]:25: TLSv1.1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)

So this server's SSL library is busted, it should not elect TLS
1.2 ciphers when using TLS 1.1.

This is different from the firewall issue in:

> https://lists.exim.org/lurker/thread/20150827.155850.719f1865.en.html#i20150827.155850.719f1865

but the observations about TLS 1.1 were very helpful. Thanks.
--
Viktor.
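Added example (not from the thread, Postfix or OpenSSL): a checker for the rule the server above breaks, namely that the ciphersuite chosen in the ServerHello must exist in the negotiated protocol version, applied to posttls-finger-style status lines, plus the client-side workaround of dropping the TLS 1.2-only suites from the offer. The host, address and the second, inconsistent line in `SAMPLE_LINES` are constructed, and the version floors are derived from suite names as an approximation of OpenSSL's own cipher metadata.

```python
import re

# TLS status line as logged by posttls-finger / Postfix smtp (format from the message above).
STATUS_RE = re.compile(r"(?P<proto>SSLv3|TLSv1(?:\.[123])?) with cipher (?P<cipher>[A-Z0-9_-]+) \(")

# Postfix/OpenSSL spelling of protocol versions, oldest first ("TLSv1" is TLS 1.0).
VERSION_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# AEAD modes and SHA-2 HMACs arrived with TLS 1.2 (RFC 5246 and later); TLS 1.3 suites are "TLS_...".
TLS12_MARKERS = ("GCM", "CCM", "CHACHA20", "SHA256", "SHA384")

def min_version(cipher):
    """Lowest protocol version in which an OpenSSL-named ciphersuite is defined (name-based approximation)."""
    if cipher.startswith("TLS_"):
        return "TLSv1.3"
    if any(marker in cipher for marker in TLS12_MARKERS):
        return "TLSv1.2"
    return "SSLv3"  # legacy SHA-1/MD5 HMAC suites: no version floor above the oldest label

def check_selection(proto, cipher):
    """Check a ServerHello's (version, ciphersuite) pair: None if consistent, else a diagnostic.
    The server in the thread fails this: it chose TLSv1.1 together with a TLS 1.2-only suite."""
    needed = min_version(cipher)
    if VERSION_ORDER.index(proto) < VERSION_ORDER.index(needed):
        return f"{cipher} needs {needed} but the server selected {proto}"
    return None

def audit_status_lines(lines):
    """Apply check_selection to each matching log line; return the diagnostics found."""
    findings = []
    for line in lines:
        m = STATUS_RE.search(line)
        if m and (diag := check_selection(m["proto"], m["cipher"])):
            findings.append(diag)
    return findings

def strip_tls12_suites(offered):
    """Client-side workaround from the thread: drop TLS 1.2-only suites from the offered list."""
    return [c for c in offered if min_version(c) != "TLSv1.2"]

# Constructed sample: the working handshake from the thread, then a fabricated inconsistent one.
SAMPLE_LINES = [
    "posttls-finger: Untrusted TLS connection established to mail.example[192.0.2.1]:25: "
    "TLSv1.1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)",
    "posttls-finger: Untrusted TLS connection established to mail.example[192.0.2.1]:25: "
    "TLSv1.1 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
]
```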