> On Jan 28, 2019, at 6:56 AM, Jeremy Harris via Exim-users <exim-users@???> wrote:
>
>> is anyone of you running TLS 1.3 already ?
>
> It functions fine in the Exim regression-test suite,
> on systems having suitable library support.
>
> I've not seen any such connections in production yet.

As part of the DANE adoption survey I record the negotiated TLS
version for the various MX hosts involved.
Out of 9287 IP endpoints, the top 10 TLS protocol + cipher counts
were:

    5765 TLS = TLS12 with ECDHE-RSA-AES256GCM-SHA384,P256
     955 TLS = TLS12 with ECDHE-RSA-AES256GCM-SHA384,X25519
     554 TLS = TLS13 with AES256GCM-SHA384,X25519,RSA
     548 TLS = TLS12 with DHE-RSA-AES256GCM-SHA384
     398 TLS = TLS12 with ECDHE-RSA-AES256GCM-SHA384,P384
     156 TLS = TLS13 with AES256GCM-SHA384,P256,RSA
     130 TLS = TLS12 with ECDHE-RSA-AES128GCM-SHA256,P256
     117 TLS = TLS13 with AES256GCM-SHA384,P384,RSA
      86 TLS = TLS13 with CHACHA20POLY1305-SHA256,X25519,RSA
      76 TLS = TLS12 with ECDHE-RSA-CHACHA20POLY1305-SHA256,P384

So TLS 1.3 is getting used. For example, at udmedia.de, which handles
over 20k customer DANE domains, and vevida.com, which handles over 30k
customer domains. DANE domains with TLS 1.3 that exchange enough email
volume with Gmail to appear in Google's email transparency report include:

    univie.ac.at
    open.ch
    vevida.com
    ruhr-uni-bochum.de
    xs4all.nl
    freebsd.org

--
Viktor.