Re: [exim] [exim-dev] Exim 4.88 RC5 uploaded

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Torsten Tributh
Date:  
À: exim-users
Sujet: Re: [exim] [exim-dev] Exim 4.88 RC5 uploaded


On 11/21/2016 05:09 PM, Jeremy Harris wrote:
> On 21/11/16 15:57, Torsten Tributh wrote:
>> If this variable:
>>
>> tls_eccurve =
>> is not set in the config, TLS fails.
> How are you testing and what do you observe?

Simple test:
tls_eccurve = auto
/etc/init.d/exim4 restart


 echo quit|openssl s_client -connect torf.tributh.net:465
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 176 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1479745082
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no









tls_eccurve = secp384r1
/etc/init.d/exim4 restart

echo quit|openssl s_client -connect torf.tributh.net:465
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 176 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1479745082
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
tributh@hpux:~$ echo quit|openssl s_client -connect torf.tributh.net:465
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = torf.tributh.net
verify return:1
---
Certificate chain
 0 s:/CN=torf.tributh.net
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEVjCCAz6gAwIBAgISA3+efO4NjZqTY63v+rdJ+3k+MA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNjEwMjcwNTE1MDBaFw0x
NzAxMjUwNTE1MDBaMBsxGTAXBgNVBAMTEHRvcmYudHJpYnV0aC5uZXQwdjAQBgcq
hkjOPQIBBgUrgQQAIgNiAARFG+VOhb701bz/HUCq54i04GqPVrhVpHkHtGP/S47P
1pMKYm2nsw8yM18YRFnd1PxBKf3Z+ak+KXNjbToigDETQhYc8N4yM2Veb5Hrj2Tc
oPKcd1/B8wQ0YRcmdAxELbGjggIRMIICDTAOBgNVHQ8BAf8EBAMCB4AwHQYDVR0l
BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYE
FOJMNQJ2yh0DWdLlghI2zhZ9uuH3MB8GA1UdIwQYMBaAFKhKamMEfd265tE5t6ZF
Ze/zqOyhMHAGCCsGAQUFBwEBBGQwYjAvBggrBgEFBQcwAYYjaHR0cDovL29jc3Au
aW50LXgzLmxldHNlbmNyeXB0Lm9yZy8wLwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0
LmludC14My5sZXRzZW5jcnlwdC5vcmcvMBsGA1UdEQQUMBKCEHRvcmYudHJpYnV0
aC5uZXQwgf4GA1UdIASB9jCB8zAIBgZngQwBAgEwgeYGCysGAQQBgt8TAQEBMIHW
MCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCBqwYIKwYB
BQUHAgIwgZ4MgZtUaGlzIENlcnRpZmljYXRlIG1heSBvbmx5IGJlIHJlbGllZCB1
cG9uIGJ5IFJlbHlpbmcgUGFydGllcyBhbmQgb25seSBpbiBhY2NvcmRhbmNlIHdp
dGggdGhlIENlcnRpZmljYXRlIFBvbGljeSBmb3VuZCBhdCBodHRwczovL2xldHNl
bmNyeXB0Lm9yZy9yZXBvc2l0b3J5LzANBgkqhkiG9w0BAQsFAAOCAQEAh4iamIzX
jFkRlw2R8d3bRNBKI+YLOtkJ0pICDWXkWqfJpew3gwnx+oq97S6eipM393qSltb2
nSrKA4+X6mmPhx4o9V9DWvn61tJzjy/Irl3i6B4pGIiSDnjbyPlJ82ZBc+P9iPp7
DidINyriWRc2Iw57ILjCI8nPquHZJJQ4rar0mr0jKpJqejKAl4ToE7RBqiQ7F4Mc
ViIb4z96t4vXQ6Wbl+1JCAgwdNjXf2sA3TF8QGNo166GiQXX6eQRuHEOil8Qb9VJ
f+NtWkIjoW5opJuWOVfciL2j52jPPCHPoDYXS1I5E13AJoYJjBFeBxaBhMOAnjCM
UoAVKgeO2Av3Iw==
-----END CERTIFICATE-----
subject=/CN=torf.tributh.net
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-384, 384 bits
---
SSL handshake has read 2672 bytes and written 326 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-ECDSA-CHACHA20-POLY1305
Server public key is 384 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-CHACHA20-POLY1305
    Session-ID:
A5B8E1AC38345A7A317C83987778171658E9899CEA336B543A8CC0FB7A88CACE
    Session-ID-ctx:
    Master-Key:
A1D619FC11DE5E4F8D6A4A1096827A8D7A94E20A6BFC765E1AE5D9C921311844E34F8517C5DF28EF834A0D9379A9C83A
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1479745196
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
220 torf.tributh.net
DONE


---

--
Torsten