Re: [exim] [exim-dev] Exim 4.88 RC5 uploaded

Top Page
Delete this message
Reply to this message
Author: Torsten Tributh
Date:  
To: exim-users
New-Topics: [exim] tls_eccurve = auto (Was: Exim 4.88 RC5 uploaded)
Subject: Re: [exim] [exim-dev] Exim 4.88 RC5 uploaded


On 11/22/2016 10:55 PM, Jeremy Harris wrote:
> So I guess there's some other difference apart from an EC curve being
> defined (mine had the variable unset, so got the default prime256v1).
>
> Could you enable debug on yours and see where the output goes
> significantly different?
> -- Cheers, Jeremy

Ok, i checked first all curves i was suspecting with OpenSSL1.1.0
I had all that curves before with exim4.87 and
openssl1.0.2-with-chacha-patch
I checked all against my ecdsa-cert and was only able to negotiate
secp384r1 and not more.
With an extra RSA-Cert i was able to use prime256v1 as default setting.

Short Result:
RSA: secp521r1,secp384r1,prime256v1    works
ECDSA: secp384r1                         works


all other combinations failed.
So i am missing X25519,brainpoolP512r1,brainpoolP384r1

In the moment it feels like a downgrade to me.

In the Logs are all ECDSA-tests and one RSA-test which proves it works
with RSA in default setting.
Dovecot seems to have a similar problem now to support multiple curves
with OpenSSL1.1.0.
In version 2.2.26.0. The ECDSA-Cert runs only with secp384r1.
That works by default.
Found the following reason stated in dovecot-mailing list:
--------------------------------
OpenSSL >= 1.0.2 automatically handles ECDH temporary key parameter
selection.
For OpenSSL < 1.0.2 we must manually specify a named elliptic curve that
Dovecot will use to generate an ephemeral key pair. By default we try to use
the same named curve as that used in the server's private EC key file.
If this
attempt fails, a fall back curve of NIST P-384 (secp384r1) is used instead.

RFC 6460 states that NIST P-384 MUST be used for cipher suites that include
AES-256. For cipher suites that include AES-128, RFC 6460 states that NIST
P-256 MUST be used. No matter which curve is used as a fall back option,
Dovecot will be non-compliant. The reason for selecting NIST P-384 as a fall
back curve is to ensure that the non-compliance is in the form of providing
too great a level of security for AES-128 cipher suites rather than too
little
security for AES-256 cipher suites.
------------------------------

If the other curves are not becoming available for ECDSA in this release
you should handle it like dovecot, so that a negotiation is possible and
not failing like shown in my logs:
Torsten



--
Torsten

Script started on Thu 24 Nov 2016 01:20:53 AM CET
-------------------------------------------------------
./exim -d-all+tls -bd -C X25519 
-------------------------------------------------------
Exim version 4.88 uid=0 gid=0 pid=30957 D=8000000
Berkeley DB: Berkeley DB 5.3.28: (September  9, 2013)
Support for: crypteq iconv() IPv6 OpenSSL Content_Scanning DKIM DNSSEC Event OCSP PRDR TCP_Fast_Open Experimental_SPF Experimental_DANE Experimental_DMARC
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz
Authenticators: cram_md5 dovecot plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir autoreply pipe smtp
Fixed never_users: 0
Configure owner: 0:0
Size of off_t: 8
Compiler: GCC [6.2.0 20161109]
Library version: Glibc: Compile: 2.24
                        Runtime: 2.24
Library version: OpenSSL: Compile: OpenSSL 1.1.0c  10 Nov 2016
                          Runtime: OpenSSL 1.1.0c  10 Nov 2016
                                 : built on: reproducible build, date unspecified
Library version: PCRE: Compile: 8.39
                       Runtime: 8.39 2016-06-14
WHITELIST_D_MACROS unset
TRUSTED_CONFIG_LIST unset
tls_require_ciphers expands to "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA"
tls_validate_require_cipher child 30958 ended: status=0x0
openssl option, removing from 0: 80000bff (all +no_compression +cipher_server_preference +no_sslv3 +no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
openssl option, adding from 0: 20000 (no_compression +cipher_server_preference +no_sslv3 +no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
openssl option, adding from 20000: 400000 (cipher_server_preference +no_sslv3 +no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
openssl option, adding from 420000: 2000000 (no_sslv3 +no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
openssl option, adding from 2420000: 4000 (no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
openssl option, adding from 2424000: 0 (single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
openssl option, adding from 2424000: 0 (single_dh_use +dont_insert_empty_fragments)
openssl option, adding from 2424000: 800 (dont_insert_empty_fragments)
configuration file is X25519
log selectors = ffffffff ffffffff
Reset TZ to Europe/Berlin: time is 2016-11-24 01:22:53
LOG: MAIN
  cwd=/root/DEBUG 5 args: /usr/sbin/exim -d-all+tls -bd -C X25519
trusted user
admin user
30957 listening on 195.4.132.82 port 777
30957 listening on 127.0.0.1 port 777
30957 listening on 2a00:dca0:100:5:face:face:face:face port 777
30957 pid written to /var/run/exim4/exim.pid
30957 LOG: MAIN
30957   exim 4.88 daemon started: pid=30957, no queue runs, listening for SMTPS on [195.4.132.82]:777 [127.0.0.1]:777 [2a00:dca0:100:5:face:face:face:face]:777
30957 daemon running with uid=103 gid=108 euid=103 egid=108
30957 Listening...
30957 Connection request from 2a00:dca0:100:5:face:face:face:face port 36566
30957 LOG: smtp_connection MAIN
30957   SMTP connection from [2a00:dca0:100:5:face:face:face:face]:36566 I=[2a00:dca0:100:5:face:face:face:face]:777 (TCP/IP connection count = 1)
30957 1 SMTP accept process running
30957 Listening...
30960 Process 30960 is handling incoming connection from [2a00:dca0:100:5:face:face:face:face]:36566
30960 openssl option, removing from 0: 80000bff (all +no_compression +cipher_server_preference +no_sslv3 +no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
30960 openssl option, adding from 0: 20000 (no_compression +cipher_server_preference +no_sslv3 +no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
30960 openssl option, adding from 20000: 400000 (cipher_server_preference +no_sslv3 +no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
30960 openssl option, adding from 420000: 2000000 (no_sslv3 +no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
30960 openssl option, adding from 2420000: 4000 (no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
30960 openssl option, adding from 2424000: 0 (single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
30960 openssl option, adding from 2424000: 0 (single_dh_use +dont_insert_empty_fragments)
30960 openssl option, adding from 2424000: 800 (dont_insert_empty_fragments)
30960 setting SSL CTX options: 0x2424800
30960 Diffie-Hellman initialized from /etc/exim4/dhparams.pem with 4096-bit prime
30960 ECDH: curve 'X25519'
30960 LOG: MAIN
30960   TLS error on connection from torf.tributh.net [2a00:dca0:100:5:face:face:face:face]:36566 I=[2a00:dca0:100:5:face:face:face:face]:777 (Unable to create ec curve): error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group
30957 child 30960 ended: status=0x0
30957   normal exit, 0
30957 0 SMTP accept processes now running
30957 Listening...
-------------------------------------------------------
-------------------------------------------------------
Exim version 4.88 uid=0 gid=0 pid=30967 D=8000000
Berkeley DB: Berkeley DB 5.3.28: (September  9, 2013)
Support for: crypteq iconv() IPv6 OpenSSL Content_Scanning DKIM DNSSEC Event OCSP PRDR TCP_Fast_Open Experimental_SPF Experimental_DANE Experimental_DMARC
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz
Authenticators: cram_md5 dovecot plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir autoreply pipe smtp
Fixed never_users: 0
Configure owner: 0:0
Size of off_t: 8
Compiler: GCC [6.2.0 20161109]
Library version: Glibc: Compile: 2.24
                        Runtime: 2.24
Library version: OpenSSL: Compile: OpenSSL 1.1.0c  10 Nov 2016
                          Runtime: OpenSSL 1.1.0c  10 Nov 2016
                                 : built on: reproducible build, date unspecified
Library version: PCRE: Compile: 8.39
                       Runtime: 8.39 2016-06-14
WHITELIST_D_MACROS unset
TRUSTED_CONFIG_LIST unset
tls_require_ciphers expands to "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA"
tls_validate_require_cipher child 30968 ended: status=0x0
openssl option, removing from 0: 80000bff (all +no_compression +cipher_server_preference +no_sslv3 +no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
openssl option, adding from 0: 20000 (no_compression +cipher_server_preference +no_sslv3 +no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
openssl option, adding from 20000: 400000 (cipher_server_preference +no_sslv3 +no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
openssl option, adding from 420000: 2000000 (no_sslv3 +no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
openssl option, adding from 2420000: 4000 (no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
openssl option, adding from 2424000: 0 (single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
openssl option, adding from 2424000: 0 (single_dh_use +dont_insert_empty_fragments)
openssl option, adding from 2424000: 800 (dont_insert_empty_fragments)
configuration file is brainpoolP384r1
log selectors = ffffffff ffffffff
Reset TZ to Europe/Berlin: time is 2016-11-24 01:23:03
LOG: MAIN
  cwd=/root/DEBUG 5 args: /usr/sbin/exim -d-all+tls -bd -C brainpoolP384r1
trusted user
admin user
30967 listening on 195.4.132.82 port 777
30967 listening on 127.0.0.1 port 777
30967 listening on 2a00:dca0:100:5:face:face:face:face port 777
30967 pid written to /var/run/exim4/exim.pid
30967 LOG: MAIN
30967   exim 4.88 daemon started: pid=30967, no queue runs, listening for SMTPS on [195.4.132.82]:777 [127.0.0.1]:777 [2a00:dca0:100:5:face:face:face:face]:777
30967 daemon running with uid=103 gid=108 euid=103 egid=108
30967 Listening...
30967 Connection request from 2a00:dca0:100:5:face:face:face:face port 36646
30967 LOG: smtp_connection MAIN
30967   SMTP connection from [2a00:dca0:100:5:face:face:face:face]:36646 I=[2a00:dca0:100:5:face:face:face:face]:777 (TCP/IP connection count = 1)
30967 1 SMTP accept process running
30967 Listening...
31552 Process 31552 is handling incoming connection from [2a00:dca0:100:5:face:face:face:face]:36646
31552 openssl option, removing from 0: 80000bff (all +no_compression +cipher_server_preference +no_sslv3 +no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
31552 openssl option, adding from 0: 20000 (no_compression +cipher_server_preference +no_sslv3 +no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
31552 openssl option, adding from 20000: 400000 (cipher_server_preference +no_sslv3 +no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
31552 openssl option, adding from 420000: 2000000 (no_sslv3 +no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
31552 openssl option, adding from 2420000: 4000 (no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
31552 openssl option, adding from 2424000: 0 (single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
31552 openssl option, adding from 2424000: 0 (single_dh_use +dont_insert_empty_fragments)
31552 openssl option, adding from 2424000: 800 (dont_insert_empty_fragments)
31552 setting SSL CTX options: 0x2424800
31552 Diffie-Hellman initialized from /etc/exim4/dhparams.pem with 4096-bit prime
31552 ECDH: curve 'brainpoolP384r1'
31552 ECDH: enabled 'brainpoolP384r1' curve
31552 tls_certificate file /etc/letsencrypt/ecdsa/torf.tributh.net/0001_chain.pem
31552 tls_privatekey file /etc/letsencrypt/ecdsa/torf.tributh.net/privkey.pem
31552 tls_ocsp_file /etc/exim4/ocsp/ocspresponseECDSA
31552 Initialized TLS
31552 required ciphers: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA
31552 Calling SSL_accept
31552 SSL info: before SSL initialization
31552 SSL info: before SSL initialization
31552 SSL info: before SSL initialization
31552 SSL info: SSLv3/TLS read client hello
31552 SSL info: error
31552 LOG: MAIN
31552   TLS error on connection from torf.tributh.net [2a00:dca0:100:5:face:face:face:face]:36646 I=[2a00:dca0:100:5:face:face:face:face]:777 (SSL_accept): error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
31552 LOG: MAIN
31552   TLS client disconnected cleanly (rejected our certificate?)
30967 child 31552 ended: status=0x0
30967   normal exit, 0
30967 0 SMTP accept processes now running
30967 Listening...
-------------------------------------------------------
./exim -d-all+tls -bd -C brainpoolP512r1 
-------------------------------------------------------
Exim version 4.88 uid=0 gid=0 pid=31556 D=8000000
Berkeley DB: Berkeley DB 5.3.28: (September  9, 2013)
Support for: crypteq iconv() IPv6 OpenSSL Content_Scanning DKIM DNSSEC Event OCSP PRDR TCP_Fast_Open Experimental_SPF Experimental_DANE Experimental_DMARC
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz
Authenticators: cram_md5 dovecot plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir autoreply pipe smtp
Fixed never_users: 0
Configure owner: 0:0
Size of off_t: 8
Compiler: GCC [6.2.0 20161109]
Library version: Glibc: Compile: 2.24
                        Runtime: 2.24
Library version: OpenSSL: Compile: OpenSSL 1.1.0c  10 Nov 2016
                          Runtime: OpenSSL 1.1.0c  10 Nov 2016
                                 : built on: reproducible build, date unspecified
Library version: PCRE: Compile: 8.39
                       Runtime: 8.39 2016-06-14
WHITELIST_D_MACROS unset
TRUSTED_CONFIG_LIST unset
tls_require_ciphers expands to "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA"
tls_validate_require_cipher child 31557 ended: status=0x0
openssl option, removing from 0: 80000bff (all +no_compression +cipher_server_preference +no_sslv3 +no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
openssl option, adding from 0: 20000 (no_compression +cipher_server_preference +no_sslv3 +no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
openssl option, adding from 20000: 400000 (cipher_server_preference +no_sslv3 +no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
openssl option, adding from 420000: 2000000 (no_sslv3 +no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
openssl option, adding from 2420000: 4000 (no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
openssl option, adding from 2424000: 0 (single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
openssl option, adding from 2424000: 0 (single_dh_use +dont_insert_empty_fragments)
openssl option, adding from 2424000: 800 (dont_insert_empty_fragments)
configuration file is brainpoolP512r1
log selectors = ffffffff ffffffff
Reset TZ to Europe/Berlin: time is 2016-11-24 01:23:13
LOG: MAIN
  cwd=/root/DEBUG 5 args: /usr/sbin/exim -d-all+tls -bd -C brainpoolP512r1
trusted user
admin user
31556 listening on 195.4.132.82 port 777
31556 listening on 127.0.0.1 port 777
31556 listening on 2a00:dca0:100:5:face:face:face:face port 777
31556 pid written to /var/run/exim4/exim.pid
31556 LOG: MAIN
31556   exim 4.88 daemon started: pid=31556, no queue runs, listening for SMTPS on [195.4.132.82]:777 [127.0.0.1]:777 [2a00:dca0:100:5:face:face:face:face]:777
31556 daemon running with uid=103 gid=108 euid=103 egid=108
31556 Listening...
31556 Connection request from 2a00:dca0:100:5:face:face:face:face port 36656
31556 LOG: smtp_connection MAIN
31556   SMTP connection from [2a00:dca0:100:5:face:face:face:face]:36656 I=[2a00:dca0:100:5:face:face:face:face]:777 (TCP/IP connection count = 1)
31556 1 SMTP accept process running
31556 Listening...
31559 Process 31559 is handling incoming connection from [2a00:dca0:100:5:face:face:face:face]:36656
31559 openssl option, removing from 0: 80000bff (all +no_compression +cipher_server_preference +no_sslv3 +no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
31559 openssl option, adding from 0: 20000 (no_compression +cipher_server_preference +no_sslv3 +no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
31559 openssl option, adding from 20000: 400000 (cipher_server_preference +no_sslv3 +no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
31559 openssl option, adding from 420000: 2000000 (no_sslv3 +no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
31559 openssl option, adding from 2420000: 4000 (no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
31559 openssl option, adding from 2424000: 0 (single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
31559 openssl option, adding from 2424000: 0 (single_dh_use +dont_insert_empty_fragments)
31559 openssl option, adding from 2424000: 800 (dont_insert_empty_fragments)
31559 setting SSL CTX options: 0x2424800
31559 Diffie-Hellman initialized from /etc/exim4/dhparams.pem with 4096-bit prime
31559 ECDH: curve 'brainpoolP512r1'
31559 ECDH: enabled 'brainpoolP512r1' curve
31559 tls_certificate file /etc/letsencrypt/ecdsa/torf.tributh.net/0001_chain.pem
31559 tls_privatekey file /etc/letsencrypt/ecdsa/torf.tributh.net/privkey.pem
31559 tls_ocsp_file /etc/exim4/ocsp/ocspresponseECDSA
31559 Initialized TLS
31559 required ciphers: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA
31559 Calling SSL_accept
31559 SSL info: before SSL initialization
31559 SSL info: before SSL initialization
31559 SSL info: before SSL initialization
31559 SSL info: SSLv3/TLS read client hello
31559 SSL info: error
31559 LOG: MAIN
31559   TLS error on connection from torf.tributh.net [2a00:dca0:100:5:face:face:face:face]:36656 I=[2a00:dca0:100:5:face:face:face:face]:777 (SSL_accept): error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
31559 LOG: MAIN
31559   TLS client disconnected cleanly (rejected our certificate?)
31556 child 31559 ended: status=0x0
31556   normal exit, 0
31556 0 SMTP accept processes now running
31556 Listening...
-------------------------------------------------------
./exim -d-all+tls -bd -C secp521r1 
-------------------------------------------------------
Exim version 4.88 uid=0 gid=0 pid=31879 D=8000000
Berkeley DB: Berkeley DB 5.3.28: (September  9, 2013)
Support for: crypteq iconv() IPv6 OpenSSL Content_Scanning DKIM DNSSEC Event OCSP PRDR TCP_Fast_Open Experimental_SPF Experimental_DANE Experimental_DMARC
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz
Authenticators: cram_md5 dovecot plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir autoreply pipe smtp
Fixed never_users: 0
Configure owner: 0:0
Size of off_t: 8
Compiler: GCC [6.2.0 20161109]
Library version: Glibc: Compile: 2.24
                        Runtime: 2.24
Library version: OpenSSL: Compile: OpenSSL 1.1.0c  10 Nov 2016
                          Runtime: OpenSSL 1.1.0c  10 Nov 2016
                                 : built on: reproducible build, date unspecified
Library version: PCRE: Compile: 8.39
                       Runtime: 8.39 2016-06-14
WHITELIST_D_MACROS unset
TRUSTED_CONFIG_LIST unset
tls_require_ciphers expands to "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA"
tls_validate_require_cipher child 31880 ended: status=0x0
openssl option, removing from 0: 80000bff (all +no_compression +cipher_server_preference +no_sslv3 +no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
openssl option, adding from 0: 20000 (no_compression +cipher_server_preference +no_sslv3 +no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
openssl option, adding from 20000: 400000 (cipher_server_preference +no_sslv3 +no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
openssl option, adding from 420000: 2000000 (no_sslv3 +no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
openssl option, adding from 2420000: 4000 (no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
openssl option, adding from 2424000: 0 (single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
openssl option, adding from 2424000: 0 (single_dh_use +dont_insert_empty_fragments)
openssl option, adding from 2424000: 800 (dont_insert_empty_fragments)
configuration file is secp521r1
log selectors = ffffffff ffffffff
Reset TZ to Europe/Berlin: time is 2016-11-24 01:23:23
LOG: MAIN
  cwd=/root/DEBUG 5 args: /usr/sbin/exim -d-all+tls -bd -C secp521r1
trusted user
admin user
31879 listening on 195.4.132.82 port 777
31879 listening on 127.0.0.1 port 777
31879 listening on 2a00:dca0:100:5:face:face:face:face port 777
31879 pid written to /var/run/exim4/exim.pid
31879 LOG: MAIN
31879   exim 4.88 daemon started: pid=31879, no queue runs, listening for SMTPS on [195.4.132.82]:777 [127.0.0.1]:777 [2a00:dca0:100:5:face:face:face:face]:777
31879 daemon running with uid=103 gid=108 euid=103 egid=108
31879 Listening...
31879 Connection request from 2a00:dca0:100:5:face:face:face:face port 36842
31879 LOG: smtp_connection MAIN
31879   SMTP connection from [2a00:dca0:100:5:face:face:face:face]:36842 I=[2a00:dca0:100:5:face:face:face:face]:777 (TCP/IP connection count = 1)
31879 1 SMTP accept process running
31879 Listening...
31991 Process 31991 is handling incoming connection from [2a00:dca0:100:5:face:face:face:face]:36842
31991 openssl option, removing from 0: 80000bff (all +no_compression +cipher_server_preference +no_sslv3 +no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
31991 openssl option, adding from 0: 20000 (no_compression +cipher_server_preference +no_sslv3 +no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
31991 openssl option, adding from 20000: 400000 (cipher_server_preference +no_sslv3 +no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
31991 openssl option, adding from 420000: 2000000 (no_sslv3 +no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
31991 openssl option, adding from 2420000: 4000 (no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
31991 openssl option, adding from 2424000: 0 (single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
31991 openssl option, adding from 2424000: 0 (single_dh_use +dont_insert_empty_fragments)
31991 openssl option, adding from 2424000: 800 (dont_insert_empty_fragments)
31991 setting SSL CTX options: 0x2424800
31991 Diffie-Hellman initialized from /etc/exim4/dhparams.pem with 4096-bit prime
31991 ECDH: curve 'secp521r1'
31991 ECDH: enabled 'secp521r1' curve
31991 tls_certificate file /etc/letsencrypt/ecdsa/torf.tributh.net/0001_chain.pem
31991 tls_privatekey file /etc/letsencrypt/ecdsa/torf.tributh.net/privkey.pem
31991 tls_ocsp_file /etc/exim4/ocsp/ocspresponseECDSA
31991 Initialized TLS
31991 required ciphers: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA
31991 Calling SSL_accept
31991 SSL info: before SSL initialization
31991 SSL info: before SSL initialization
31991 SSL info: before SSL initialization
31991 SSL info: SSLv3/TLS read client hello
31991 SSL info: error
31991 LOG: MAIN
31991   TLS error on connection from torf.tributh.net [2a00:dca0:100:5:face:face:face:face]:36842 I=[2a00:dca0:100:5:face:face:face:face]:777 (SSL_accept): error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
31991 LOG: MAIN
31991   TLS client disconnected cleanly (rejected our certificate?)
31879 child 31991 ended: status=0x0
31879   normal exit, 0
31879 0 SMTP accept processes now running
31879 Listening...
-------------------------------------------------------
./exim -d-all+tls -bd -C secp384r1 
-------------------------------------------------------
Exim version 4.88 uid=0 gid=0 pid=31993 D=8000000
Berkeley DB: Berkeley DB 5.3.28: (September  9, 2013)
Support for: crypteq iconv() IPv6 OpenSSL Content_Scanning DKIM DNSSEC Event OCSP PRDR TCP_Fast_Open Experimental_SPF Experimental_DANE Experimental_DMARC
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz
Authenticators: cram_md5 dovecot plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir autoreply pipe smtp
Fixed never_users: 0
Configure owner: 0:0
Size of off_t: 8
Compiler: GCC [6.2.0 20161109]
Library version: Glibc: Compile: 2.24
                        Runtime: 2.24
Library version: OpenSSL: Compile: OpenSSL 1.1.0c  10 Nov 2016
                          Runtime: OpenSSL 1.1.0c  10 Nov 2016
                                 : built on: reproducible build, date unspecified
Library version: PCRE: Compile: 8.39
                       Runtime: 8.39 2016-06-14
WHITELIST_D_MACROS unset
TRUSTED_CONFIG_LIST unset
tls_require_ciphers expands to "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA"
tls_validate_require_cipher child 31994 ended: status=0x0
openssl option, removing from 0: 80000bff (all +no_compression +cipher_server_preference +no_sslv3 +no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
openssl option, adding from 0: 20000 (no_compression +cipher_server_preference +no_sslv3 +no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
openssl option, adding from 20000: 400000 (cipher_server_preference +no_sslv3 +no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
openssl option, adding from 420000: 2000000 (no_sslv3 +no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
openssl option, adding from 2420000: 4000 (no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
openssl option, adding from 2424000: 0 (single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
openssl option, adding from 2424000: 0 (single_dh_use +dont_insert_empty_fragments)
openssl option, adding from 2424000: 800 (dont_insert_empty_fragments)
configuration file is secp384r1
log selectors = ffffffff ffffffff
Reset TZ to Europe/Berlin: time is 2016-11-24 01:23:33
LOG: MAIN
  cwd=/root/DEBUG 5 args: /usr/sbin/exim -d-all+tls -bd -C secp384r1
trusted user
admin user
31993 listening on 195.4.132.82 port 777
31993 listening on 127.0.0.1 port 777
31993 listening on 2a00:dca0:100:5:face:face:face:face port 777
31993 pid written to /var/run/exim4/exim.pid
31993 LOG: MAIN
31993   exim 4.88 daemon started: pid=31993, no queue runs, listening for SMTPS on [195.4.132.82]:777 [127.0.0.1]:777 [2a00:dca0:100:5:face:face:face:face]:777
31993 daemon running with uid=103 gid=108 euid=103 egid=108
31993 Listening...
31993 Connection request from 2a00:dca0:100:5:face:face:face:face port 36852
31993 LOG: smtp_connection MAIN
31993   SMTP connection from [2a00:dca0:100:5:face:face:face:face]:36852 I=[2a00:dca0:100:5:face:face:face:face]:777 (TCP/IP connection count = 1)
31993 1 SMTP accept process running
31993 Listening...
31996 Process 31996 is handling incoming connection from [2a00:dca0:100:5:face:face:face:face]:36852
31996 openssl option, removing from 0: 80000bff (all +no_compression +cipher_server_preference +no_sslv3 +no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
31996 openssl option, adding from 0: 20000 (no_compression +cipher_server_preference +no_sslv3 +no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
31996 openssl option, adding from 20000: 400000 (cipher_server_preference +no_sslv3 +no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
31996 openssl option, adding from 420000: 2000000 (no_sslv3 +no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
31996 openssl option, adding from 2420000: 4000 (no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
31996 openssl option, adding from 2424000: 0 (single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
31996 openssl option, adding from 2424000: 0 (single_dh_use +dont_insert_empty_fragments)
31996 openssl option, adding from 2424000: 800 (dont_insert_empty_fragments)
31996 setting SSL CTX options: 0x2424800
31996 Diffie-Hellman initialized from /etc/exim4/dhparams.pem with 4096-bit prime
31996 ECDH: curve 'secp384r1'
31996 ECDH: enabled 'secp384r1' curve
31996 tls_certificate file /etc/letsencrypt/ecdsa/torf.tributh.net/0001_chain.pem
31996 tls_privatekey file /etc/letsencrypt/ecdsa/torf.tributh.net/privkey.pem
31996 tls_ocsp_file /etc/exim4/ocsp/ocspresponseECDSA
31996 Initialized TLS
31996 required ciphers: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA
31996 Calling SSL_accept
31996 SSL info: before SSL initialization
31996 SSL info: before SSL initialization
31996 SSL info: before SSL initialization
31996 SSL info: SSLv3/TLS read client hello
31996 SSL info: SSLv3/TLS write server hello
31996 SSL info: SSLv3/TLS write certificate
31996 SSL info: SSLv3/TLS write key exchange
31996 SSL info: SSLv3/TLS write server done
31996 SSL info: SSLv3/TLS write server done
31996 SSL info: SSLv3/TLS read client key exchange
31996 SSL info: SSLv3/TLS read change cipher spec
31996 SSL info: SSLv3/TLS read finished
31996 SSL info: SSLv3/TLS write change cipher spec
31996 SSL info: SSLv3/TLS write finished
31996 SSL info: SSL negotiation finished successfully
31996 SSL info: SSL negotiation finished successfully
31996 SSL_accept was successful
31996 Cipher: TLSv1.2:ECDHE-ECDSA-CHACHA20-POLY1305:256
31996 Shared ciphers: ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA
31996 tls_do_write(0x562d1bda2020, 22)
31996 SSL_write(SSL, 0x562d1bda2020, 22)
31996 outbytes=22 error=0
31996 Process 31996 is ready for new message
31996 Calling SSL_read(0x562d1bdf88a0, 0x562d1bdf9a00, 4096)
31996 LOG: MAIN
31996   SMTP connection from torf.tributh.net [2a00:dca0:100:5:face:face:face:face]:36852 I=[2a00:dca0:100:5:face:face:face:face]:777 closed after SIGTERM
31996 LOG: MAIN
31996   H=torf.tributh.net [2a00:dca0:100:5:face:face:face:face]:36852 I=[2a00:dca0:100:5:face:face:face:face]:777 Warning: TT-Debug: acl_check_notquit
31996 tls_do_write(0x562d1bda2020, 66)
31996 SSL_write(SSL, 0x562d1bda2020, 66)
31996 outbytes=66 error=0
31996 >>>>>>>>>>>>>>>> Exim pid=31996 terminating with rc=1 >>>>>>>>>>>>>>>>
-------------------------------------------------------
./exim -d-all+tls -bd -C prime256v1 
-------------------------------------------------------
Exim version 4.88 uid=0 gid=0 pid=32324 D=8000000
Berkeley DB: Berkeley DB 5.3.28: (September  9, 2013)
Support for: crypteq iconv() IPv6 OpenSSL Content_Scanning DKIM DNSSEC Event OCSP PRDR TCP_Fast_Open Experimental_SPF Experimental_DANE Experimental_DMARC
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz
Authenticators: cram_md5 dovecot plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir autoreply pipe smtp
Fixed never_users: 0
Configure owner: 0:0
Size of off_t: 8
Compiler: GCC [6.2.0 20161109]
Library version: Glibc: Compile: 2.24
                        Runtime: 2.24
Library version: OpenSSL: Compile: OpenSSL 1.1.0c  10 Nov 2016
                          Runtime: OpenSSL 1.1.0c  10 Nov 2016
                                 : built on: reproducible build, date unspecified
Library version: PCRE: Compile: 8.39
                       Runtime: 8.39 2016-06-14
WHITELIST_D_MACROS unset
TRUSTED_CONFIG_LIST unset
tls_require_ciphers expands to "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA"
tls_validate_require_cipher child 32325 ended: status=0x0
openssl option, removing from 0: 80000bff (all +no_compression +cipher_server_preference +no_sslv3 +no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
openssl option, adding from 0: 20000 (no_compression +cipher_server_preference +no_sslv3 +no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
openssl option, adding from 20000: 400000 (cipher_server_preference +no_sslv3 +no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
openssl option, adding from 420000: 2000000 (no_sslv3 +no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
openssl option, adding from 2420000: 4000 (no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
openssl option, adding from 2424000: 0 (single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
openssl option, adding from 2424000: 0 (single_dh_use +dont_insert_empty_fragments)
openssl option, adding from 2424000: 800 (dont_insert_empty_fragments)
configuration file is prime256v1
log selectors = ffffffff ffffffff
Reset TZ to Europe/Berlin: time is 2016-11-24 01:23:43
LOG: MAIN
  cwd=/root/DEBUG 5 args: /usr/sbin/exim -d-all+tls -bd -C prime256v1
trusted user
admin user
32324 listening on 195.4.132.82 port 777
32324 listening on 127.0.0.1 port 777
32324 listening on 2a00:dca0:100:5:face:face:face:face port 777
32324 pid written to /var/run/exim4/exim.pid
32324 LOG: MAIN
32324   exim 4.88 daemon started: pid=32324, no queue runs, listening for SMTPS on [195.4.132.82]:777 [127.0.0.1]:777 [2a00:dca0:100:5:face:face:face:face]:777
32324 daemon running with uid=103 gid=108 euid=103 egid=108
32324 Listening...
32324 Connection request from 2a00:dca0:100:5:face:face:face:face port 36862
32324 LOG: smtp_connection MAIN
32324   SMTP connection from [2a00:dca0:100:5:face:face:face:face]:36862 I=[2a00:dca0:100:5:face:face:face:face]:777 (TCP/IP connection count = 1)
32324 1 SMTP accept process running
32324 Listening...
32327 Process 32327 is handling incoming connection from [2a00:dca0:100:5:face:face:face:face]:36862
32327 openssl option, removing from 0: 80000bff (all +no_compression +cipher_server_preference +no_sslv3 +no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
32327 openssl option, adding from 0: 20000 (no_compression +cipher_server_preference +no_sslv3 +no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
32327 openssl option, adding from 20000: 400000 (cipher_server_preference +no_sslv3 +no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
32327 openssl option, adding from 420000: 2000000 (no_sslv3 +no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
32327 openssl option, adding from 2420000: 4000 (no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
32327 openssl option, adding from 2424000: 0 (single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
32327 openssl option, adding from 2424000: 0 (single_dh_use +dont_insert_empty_fragments)
32327 openssl option, adding from 2424000: 800 (dont_insert_empty_fragments)
32327 setting SSL CTX options: 0x2424800
32327 Diffie-Hellman initialized from /etc/exim4/dhparams.pem with 4096-bit prime
32327 ECDH: curve 'prime256v1'
32327 ECDH: enabled 'prime256v1' curve
32327 tls_certificate file /etc/letsencrypt/ecdsa/torf.tributh.net/0001_chain.pem
32327 tls_privatekey file /etc/letsencrypt/ecdsa/torf.tributh.net/privkey.pem
32327 tls_ocsp_file /etc/exim4/ocsp/ocspresponseECDSA
32327 Initialized TLS
32327 required ciphers: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA
32327 Calling SSL_accept
32327 SSL info: before SSL initialization
32327 SSL info: before SSL initialization
32327 SSL info: before SSL initialization
32327 SSL info: SSLv3/TLS read client hello
32327 SSL info: error
32327 LOG: MAIN
32327   TLS error on connection from torf.tributh.net [2a00:dca0:100:5:face:face:face:face]:36862 I=[2a00:dca0:100:5:face:face:face:face]:777 (SSL_accept): error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
32327 LOG: MAIN
32327   TLS client disconnected cleanly (rejected our certificate?)
32324 child 32327 ended: status=0x0
32324   normal exit, 0
32324 0 SMTP accept processes now running
32324 Listening...
-------------------------------------------------------
./exim -d-all+tls -bd -C prime256v1-RSA
-------------------------------------------------------
/usr/sbin/exim -d-all+tls -bd -C prime256v1 
Exim version 4.88 uid=0 gid=0 pid=29152 D=8000000
Berkeley DB: Berkeley DB 5.3.28: (September  9, 2013)
Support for: crypteq iconv() IPv6 OpenSSL Content_Scanning DKIM DNSSEC Event OCSP PRDR TCP_Fast_Open Experimental_SPF Experimental_DANE Experimental_DMARC
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz
Authenticators: cram_md5 dovecot plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir autoreply pipe smtp
Fixed never_users: 0
Configure owner: 0:0
Size of off_t: 8
Compiler: GCC [6.2.0 20161109]
Library version: Glibc: Compile: 2.24
                        Runtime: 2.24
Library version: OpenSSL: Compile: OpenSSL 1.1.0c  10 Nov 2016
                          Runtime: OpenSSL 1.1.0c  10 Nov 2016
                                 : built on: reproducible build, date unspecified
Library version: PCRE: Compile: 8.39
                       Runtime: 8.39 2016-06-14
WHITELIST_D_MACROS unset
TRUSTED_CONFIG_LIST unset
tls_require_ciphers expands to "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA"
tls_validate_require_cipher child 29153 ended: status=0x0
openssl option, removing from 0: 80000bff (all +no_compression +cipher_server_preference +no_sslv3 +no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
openssl option, adding from 0: 20000 (no_compression +cipher_server_preference +no_sslv3 +no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
openssl option, adding from 20000: 400000 (cipher_server_preference +no_sslv3 +no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
openssl option, adding from 420000: 2000000 (no_sslv3 +no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
openssl option, adding from 2420000: 4000 (no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
openssl option, adding from 2424000: 0 (single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
openssl option, adding from 2424000: 0 (single_dh_use +dont_insert_empty_fragments)
openssl option, adding from 2424000: 800 (dont_insert_empty_fragments)
configuration file is prime256v1
log selectors = ffffffff ffffffff
Reset TZ to Europe/Berlin: time is 2016-11-24 01:28:12
LOG: MAIN
  cwd=/root/DEBUG 5 args: /usr/sbin/exim -d-all+tls -bd -C prime256v1
trusted user
admin user
29152 listening on 195.4.132.82 port 777
29152 listening on 127.0.0.1 port 777
29152 listening on 2a00:dca0:100:5:face:face:face:face port 777
29152 pid written to /var/run/exim4/exim.pid
29152 LOG: MAIN
29152   exim 4.88 daemon started: pid=29152, no queue runs, listening for SMTPS on [195.4.132.82]:777 [127.0.0.1]:777 [2a00:dca0:100:5:face:face:face:face]:777
29152 daemon running with uid=103 gid=108 euid=103 egid=108
29152 Listening...
root@torf:~/DEBUG# timeout 10 /usr/sbin/exim -d-all+tls -bd -C prime256v1 
Exim version 4.88 uid=0 gid=0 pid=29188 D=8000000
Berkeley DB: Berkeley DB 5.3.28: (September  9, 2013)
Support for: crypteq iconv() IPv6 OpenSSL Content_Scanning DKIM DNSSEC Event OCSP PRDR TCP_Fast_Open Experimental_SPF Experimental_DANE Experimental_DMARC
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz
Authenticators: cram_md5 dovecot plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir autoreply pipe smtp
Fixed never_users: 0
Configure owner: 0:0
Size of off_t: 8
Compiler: GCC [6.2.0 20161109]
Library version: Glibc: Compile: 2.24
                        Runtime: 2.24
Library version: OpenSSL: Compile: OpenSSL 1.1.0c  10 Nov 2016
                          Runtime: OpenSSL 1.1.0c  10 Nov 2016
                                 : built on: reproducible build, date unspecified
Library version: PCRE: Compile: 8.39
                       Runtime: 8.39 2016-06-14
WHITELIST_D_MACROS unset
TRUSTED_CONFIG_LIST unset
tls_require_ciphers expands to "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA"
tls_validate_require_cipher child 29190 ended: status=0x0
openssl option, removing from 0: 80000bff (all +no_compression +cipher_server_preference +no_sslv3 +no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
openssl option, adding from 0: 20000 (no_compression +cipher_server_preference +no_sslv3 +no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
openssl option, adding from 20000: 400000 (cipher_server_preference +no_sslv3 +no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
openssl option, adding from 420000: 2000000 (no_sslv3 +no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
openssl option, adding from 2420000: 4000 (no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
openssl option, adding from 2424000: 0 (single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
openssl option, adding from 2424000: 0 (single_dh_use +dont_insert_empty_fragments)
openssl option, adding from 2424000: 800 (dont_insert_empty_fragments)
configuration file is prime256v1
log selectors = ffffffff ffffffff
Reset TZ to Europe/Berlin: time is 2016-11-24 01:28:45
LOG: MAIN
  cwd=/root/DEBUG 5 args: /usr/sbin/exim -d-all+tls -bd -C prime256v1
trusted user
admin user
29188 listening on 195.4.132.82 port 777
29188 listening on 127.0.0.1 port 777
29188 listening on 2a00:dca0:100:5:face:face:face:face port 777
29188 pid written to /var/run/exim4/exim.pid
29188 LOG: MAIN
29188   exim 4.88 daemon started: pid=29188, no queue runs, listening for SMTPS on [195.4.132.82]:777 [127.0.0.1]:777 [2a00:dca0:100:5:face:face:face:face]:777
29188 daemon running with uid=103 gid=108 euid=103 egid=108
29188 Listening...
29188 Connection request from 2a00:dca0:100:5:face:face:face:face port 44482
29188 LOG: smtp_connection MAIN
29188   SMTP connection from [2a00:dca0:100:5:face:face:face:face]:44482 I=[2a00:dca0:100:5:face:face:face:face]:777 (TCP/IP connection count = 1)
29188 1 SMTP accept process running
29188 Listening...
29194 Process 29194 is handling incoming connection from [2a00:dca0:100:5:face:face:face:face]:44482
29194 openssl option, removing from 0: 80000bff (all +no_compression +cipher_server_preference +no_sslv3 +no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
29194 openssl option, adding from 0: 20000 (no_compression +cipher_server_preference +no_sslv3 +no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
29194 openssl option, adding from 20000: 400000 (cipher_server_preference +no_sslv3 +no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
29194 openssl option, adding from 420000: 2000000 (no_sslv3 +no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
29194 openssl option, adding from 2420000: 4000 (no_ticket +single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
29194 openssl option, adding from 2424000: 0 (single_ecdh_use +single_dh_use +dont_insert_empty_fragments)
29194 openssl option, adding from 2424000: 0 (single_dh_use +dont_insert_empty_fragments)
29194 openssl option, adding from 2424000: 800 (dont_insert_empty_fragments)
29194 setting SSL CTX options: 0x2424800
29194 Diffie-Hellman initialized from /etc/exim4/dhparams.pem with 4096-bit prime
29194 ECDH: curve 'prime256v1'
29194 ECDH: enabled 'prime256v1' curve
29194 tls_certificate file /etc/letsencrypt/rsa4096/torf.tributh.net/0001_chain.pem
29194 tls_privatekey file /etc/letsencrypt/rsa4096/torf.tributh.net/privkey.pem
29194 tls_ocsp_file /etc/exim4/ocsp/ocspresponseECDSA
29194 Initialized TLS
29194 required ciphers: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA
29194 Calling SSL_accept
29194 SSL info: before SSL initialization
29194 SSL info: before SSL initialization
29194 SSL info: before SSL initialization
29194 SSL info: SSLv3/TLS read client hello
29194 SSL info: SSLv3/TLS write server hello
29194 SSL info: SSLv3/TLS write certificate
29194 SSL info: SSLv3/TLS write key exchange
29194 SSL info: SSLv3/TLS write server done
29194 SSL info: SSLv3/TLS write server done
29194 SSL info: SSLv3/TLS read client key exchange
29194 SSL info: SSLv3/TLS read change cipher spec
29194 SSL info: SSLv3/TLS read finished
29194 SSL info: SSLv3/TLS write change cipher spec
29194 SSL info: SSLv3/TLS write finished
29194 SSL info: SSL negotiation finished successfully
29194 SSL info: SSL negotiation finished successfully
29194 SSL_accept was successful
29194 Cipher: TLSv1.2:ECDHE-RSA-CHACHA20-POLY1305:256
29194 Shared ciphers: ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA
29194 tls_do_write(0x556fd1afe020, 22)
29194 SSL_write(SSL, 0x556fd1afe020, 22)
29194 outbytes=22 error=0
29194 Process 29194 is ready for new message
29194 Calling SSL_read(0x556fd1b54c50, 0x556fd1b50020, 4096)
29194 LOG: MAIN
29194   SMTP connection from torf.tributh.net [2a00:dca0:100:5:face:face:face:face]:44482 I=[2a00:dca0:100:5:face:face:face:face]:777 closed after SIGTERM
29194 LOG: MAIN
29194   H=torf.tributh.net [2a00:dca0:100:5:face:face:face:face]:44482 I=[2a00:dca0:100:5:face:face:face:face]:777 Warning: TT-Debug: acl_check_notquit
29194 tls_do_write(0x556fd1afe020, 66)
29194 SSL_write(SSL, 0x556fd1afe020, 66)
29194 outbytes=66 error=0
29194 >>>>>>>>>>>>>>>> Exim pid=29194 terminating with rc=1 >>>>>>>>>>>>>>>>


Script done on Thu 24 Nov 2016 01:26:30 AM CET