On Fri, Jun 28, 2019 at 02:50:25PM +0100, Richard Jones via Exim-users wrote:
> On Jun 27, Viktor Dukhovni via Exim-users wrote
> > Which is exactly this. IIRC there's a recent Exim patch, or you
> > can disable TLS 1.3, or switch to Exim built with OpenSSL.
>
> Thanks Viktor, and also for your other response. I don't suppose you
> know the magic priority string to stop this? I've had a read through the
> gnutls pages on the subject, but it's not obvious how to disable TLSv1.3
> ("!VERS-TLS1.3" doesn't work, for example)
A real Exim+GnuTLS user will have to answer that. I'm neither. I
am a Postfix developer/user and OpenSSL team member. So my expertise
lies elsewhere.
My interest in Exim is mostly related to the DANE library code I
contributed for doing DANE with OpenSSL 1.0.x. There is built-in
support for DANE in OpenSSL 1.1.0 and later, but that is not yet
the minimum version of OpenSSL supported by Exim, so for now Exim
uses my code for both OpenSSL 1.0.x and OpenSSL 1.1.x.
If some future version of Exim leaves OpenSSL 1.0.2 behind (it is
slated to go EOL in December) then Exim can switch to my built-in
DANE implementation in OpenSSL 1.1.x.
--
Viktor.
