Re: [exim] TLSv1 not supported ?

Author: Viktor Dukhovni
Date:  
To: EXIM mailing list
Subject: Re: [exim] TLSv1 not supported ?
On Fri, Dec 27, 2019 at 07:53:30PM +0100, David Saez Padros via Exim-users wrote:

> a remote server which was able to send us mail using
> P=esmtps X=TLSv1:DHE-RSA-AES256-SHA:256 , after upgrading to Exim 4.93 +
> OpenSSL 1.1.1d is no longer able to send mail to us, logging this error:


What OS are you using? Some recent versions of Debian disable TLS 1.0
and 1.1 by default.

> (SSL_accept): error:14209102:SSL
> routines:tls_early_post_process_client_hello:unsupported protocol


It does look like TLS 1.0 ended up disabled. It would be helpful to have a
PCAP (tcpdump full packet capture) file recording the failed handshake.

> # openssl ciphers -v | awk '{print $2}' | sort | uniq
> SSLv3
> TLSv1
> TLSv1.2
> TLSv1.3


That's not a useful indication of which protocols are enabled. The presence of
ciphersuites introduced at a particular protocol version does not imply that
the protocol version is supported or enabled. Most SSLv3 and TLS 1.0
ciphersuites are applicable also in TLS 1.2.

> openssl_options = +no_sslv2 +no_sslv3
>
> looking at the logs there is no smtps connection with TLS lower than
> 1.2, is this something due to Exim configuration ?


Either Exim, or OS defaults, possibly via the system-wide openssl.cnf file.

On Fri, Dec 27, 2019 at 08:17:39PM +0100, basti via Exim-users wrote:
> Hello,
> first of all some distribution use openssl and some use gnutls.
> check this with 'exim -bV'


In this case it is clear that OpenSSL was in use.

> > OpenSSL 1.1.1d is no longer able to send mail to us, logging this error:
> >
> > (SSL_accept): error:14209102:SSL
> > routines:tls_early_post_process_client_hello:unsupported protocol


This is an OpenSSL (not GnuTLS) error message.

-- 
    Viktor.
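As an added example (not code from this thread, from Exim or from OpenSSL), the following Python snippet shows the distinction drawn above: the protocol tags printed beside each cipher versus the protocol versions a context will actually negotiate. The function names are hypothetical, and it assumes a Python build linked against OpenSSL 1.1.1 or later.

```python
import ssl

# Added example (not from the thread, Exim or OpenSSL): contrast what the
# cipher list says with what the context will actually negotiate.
# All function names here are hypothetical.

TLS_VERSIONS = [ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]


def build_server_context(min_version=ssl.TLSVersion.TLSv1_2):
    """Server context with OpenSSL's DEFAULT cipher list and a protocol floor,
    comparable to a system openssl.cnf that sets MinProtocol = TLSv1.2."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("DEFAULT")
    ctx.minimum_version = min_version
    return ctx


def cipher_protocol_tags(ctx):
    """Protocol each enabled cipher was introduced with, i.e. the second
    column of `openssl ciphers -v`. Legacy tags stay in the list because
    SSLv3 / TLS 1.0 ciphersuites remain valid in TLS 1.2."""
    return sorted({c["protocol"] for c in ctx.get_ciphers()})


def negotiable_versions(ctx):
    """Versions the context will actually accept in a handshake."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:
        lo = TLS_VERSIONS[0]
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = TLS_VERSIONS[-1]
    return [v.name for v in TLS_VERSIONS if lo <= v <= hi]


def client_hello_accepted(ctx, client_version):
    """Would a ClientHello offering at most `client_version` pass the version
    check (the step that logs 'unsupported protocol' in the thread above)?"""
    return client_version.name in negotiable_versions(ctx)


if __name__ == "__main__":
    ctx = build_server_context()
    print("cipher tags      :", cipher_protocol_tags(ctx))
    print("negotiable       :", negotiable_versions(ctx))
    print("TLSv1 client ok? :", client_hello_accepted(ctx, TLS_VERSIONS[0]))
```

The first line typically still lists SSLv3 and TLSv1.0 tags while the second starts at TLSv1_2, which is exactly why the `openssl ciphers -v` output proves nothing about enabled protocols.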