On Jun 28, Antoine via Exim-users wrote:
> -VERS-TLS1.3
Thanks Antoine, but that doesn't seem to work:
$ gnutls-cli -l --priority SECURE256:-VERS-TLS1.3
Cipher suites for SECURE256:-VERS-TLS1.3
TLS_ECDHE_ECDSA_AES_256_GCM_SHA384 0xc0, 0x2c TLS1.2
TLS_ECDHE_ECDSA_CHACHA20_POLY1305 0xcc, 0xa9 TLS1.2
TLS_ECDHE_ECDSA_AES_256_CCM 0xc0, 0xad TLS1.2
TLS_ECDHE_RSA_AES_256_GCM_SHA384 0xc0, 0x30 TLS1.2
TLS_ECDHE_RSA_CHACHA20_POLY1305 0xcc, 0xa8 TLS1.2
TLS_RSA_AES_256_GCM_SHA384 0x00, 0x9d TLS1.2
TLS_RSA_AES_256_CCM 0xc0, 0x9d TLS1.2
TLS_DHE_RSA_AES_256_GCM_SHA384 0x00, 0x9f TLS1.2
TLS_DHE_RSA_CHACHA20_POLY1305 0xcc, 0xaa TLS1.2
TLS_DHE_RSA_AES_256_CCM 0xc0, 0x9f TLS1.2
Protocols: VERS-TLS1.2, VERS-TLS1.1, VERS-TLS1.0, VERS-DTLS1.2, VERS-DTLS1.0
So far, so good, but then Exim seems to ignore this:
$ grep tls_require_ciphers /var/lib/exim4/config.autogenerated
tls_require_ciphers = SECURE256:-VERS-TLS1.3
$ exim -d -M 1hg7kY-0005cN-VO | grep -A 2 -B 1 cipher:
27657 TLS certificate verified: peerdn="C=US,ST=California,L=Mountain View,O=Google LLC,CN=mx.google.com"
27657 cipher: TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256
27657 Have channel bindings cached for possible auth usage.
27657 SMTP>> EHLO smtp.junix.systems
Aha! Wait, adding the same stanza to the remote_smtp transport fixed the problem! Thanks all for the pointers.
Is this the expected behaviour?
Thanks,
Richard
--
junix.systems/privacy
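For reference, an added Exim configuration example (not Richard's own config, and not the Debian-generated file he quotes) showing why the transport stanza was needed: the main-section tls_require_ciphers only governs TLS on connections Exim receives, while outbound deliveries use the same-named option on the smtp transport. The certificate and key paths are assumptions.

```exim
# Added example, not taken from the mail above. Exim applies
# tls_require_ciphers in two independent places:
#   - main section: the server side (TLS offered to inbound SMTP clients)
#   - smtp transport: the client side (TLS negotiated on outbound deliveries)
# Setting it only in the main section leaves outbound connections on GnuTLS
# defaults, which is why the delivery log still showed TLS1.3.

# ---- Main section: inbound TLS (ports 25/465/587) ----
tls_advertise_hosts = *
tls_certificate = /etc/exim4/exim.crt      # assumed path
tls_privatekey  = /etc/exim4/exim.key      # assumed path
tls_require_ciphers = SECURE256:-VERS-TLS1.3

begin transports

# ---- Outbound TLS: the transport needs its own copy of the setting ----
remote_smtp:
  driver = smtp
  hosts_try_tls = *
  tls_require_ciphers = SECURE256:-VERS-TLS1.3
```

`exim -bP tls_require_ciphers` prints the main-section value and `exim -bP transport remote_smtp` the transport's, so the two can be checked without sending mail. Keep in mind that restricting the client side this way also refuses delivery to peers that only accept TLS1.3, so watch the queue after changing it.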