[exim-dev] [Bug 2298] tls_eccurve does not accept multiple e…
Author: admin
To: exim-dev
Old-Topics: [exim-dev] [Bug 2298] New: tls_eccurve does not accept multiple entries
Subject: [exim-dev] [Bug 2298] tls_eccurve does not accept multiple entries
https://bugs.exim.org/show_bug.cgi?id=2298

--- Comment #5 from Bertrand Jacquin <bertrand@???> ---
(In reply to Jeremy Harris from comment #4)
> > This is true, with "auto", also one curve is offered
>
> If you're only seeing one, then you're not using a modern version of OpenSSL.
> What do you have?

I am actually using OpenSSL 1.0.2t and indeed multiple curves are being offered
with default settings:

$ openssl s_client < /dev/null -connect smtp.local:465 -curves prime256v1 2> /dev/null | fgrep 'Server Temp Key'
Server Temp Key: ECDH, P-256, 256 bits
$ openssl s_client < /dev/null -connect smtp.local:465 -curves secp384r1 2> /dev/null | fgrep 'Server Temp Key'
Server Temp Key: ECDH, P-384, 384 bits

However Exim does not offer the ability for system administrators to manually
select one or multiple curves:

$ grep -F tls_eccurve /etc/exim/exim.conf
tls_eccurve          = prime256v1 : secp384r1

$ openssl s_client < /dev/null -connect smtp.local:465 -curves secp384r1 2> /dev/null | fgrep 'Server Temp Key'

$ tail /var/log/exim.log
2019-09-29 19:59:52 TLS error on connection from [1.2.3.4]:13038 I=[1.2.3.42]:465 (Unknown curve name tls_eccurve 'prime256v1 : secp384r1'): error:00000000:lib(0):func(0):reason(0)

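An added example, not part of the bug report and not Exim project code: a small POSIX shell script that generalises the openssl s_client -curves check used in the comment above. It offers one curve at a time to a server and records what the "Server Temp Key" line reports, so an administrator can verify from the outside which curves a tls_eccurve setting actually results in, and sees "none" for the failed handshake the report shows. The host name in the usage comment and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the Exim project or the bug report.
# Generalises the "openssl s_client -curves ... | fgrep 'Server Temp Key'"
# check from the report: offer one curve at a time and record what the
# server picks, so a tls_eccurve setting can be verified from the outside.

# Read openssl s_client output on stdin and print the negotiated key-exchange
# curve from the "Server Temp Key" line (e.g. P-256, P-384, X25519).
# Prints "none" when the line is absent, i.e. the handshake failed or no
# ephemeral EC key was used (with the rejected tls_eccurve value in the
# report, Exim logs "Unknown curve name" and s_client prints nothing).
parse_temp_key() {
    while IFS= read -r line; do
        case $line in
            *'Server Temp Key:'*)
                rest=${line#*Server Temp Key: }   # "ECDH, P-384, 384 bits"
                rest=${rest#ECDH, }               # OpenSSL 1.0.2 prefixes "ECDH, "
                printf '%s\n' "${rest%%,*}"       # keep the curve name only
                return 0
                ;;
        esac
    done
    printf 'none\n'
}

# Offer a single curve to HOST:PORT (implicit TLS, as on port 465 in the
# report) and report what was negotiated. -curves exists in OpenSSL 1.0.2
# and later; OpenSSL 1.1.1 and later also accept -groups.
probe_curve() {
    host_port=$1
    curve=$2
    negotiated=$(openssl s_client -connect "$host_port" -curves "$curve" \
                 </dev/null 2>/dev/null | parse_temp_key)
    printf '%-12s -> %s\n' "$curve" "$negotiated"
}

# Probe every curve in a colon-separated list, trimming blanks so the
# "prime256v1 : secp384r1" string from the exim.conf in the report can be
# passed in unchanged.
probe_curves() {
    host_port=$1
    printf '%s\n' "$2" | tr ':' '\n' | while IFS= read -r curve; do
        curve=$(printf '%s' "$curve" | tr -d ' \t')
        if [ -n "$curve" ]; then
            probe_curve "$host_port" "$curve"
        fi
    done
}

# Usage (host name is an assumption, not taken from the report):
#   probe_curves smtp.example.test:465 'prime256v1 : secp384r1'
```

Run against a server whose tls_eccurve you have just changed: every curve in the list should come back as the curve the server picked, while "none" for all of them, together with an "Unknown curve name tls_eccurve" line in the Exim main log, is the failure mode the report describes.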