On Fri, Dec 27, 2019 at 07:53:30PM +0100, David Saez Padros via Exim-users wrote:
> a remote server which was able to send us mail using
> P=esmtps X=TLSv1:DHE-RSA-AES256-SHA:256 , after upgrading to Exim 4.93 +
> OpenSSL 1.1.1d is no longer able to send mail to us, logging this error:
What OS are you using? Some recent versions of Debian disable TLS 1.0
and 1.1 by default.
> (SSL_accept): error:14209102:SSL
> routines:tls_early_post_process_client_hello:unsupported protocol
It does look like TLS 1.0 ended up disabled. It would be helpful to have a
PCAP (tcpdump full packet capture) file recording the failed handshake.
> # openssl ciphers -v | awk '{print $2}' | sort | uniq
> SSLv3
> TLSv1
> TLSv1.2
> TLSv1.3
That's not a useful indication of which protocols are enabled. The presence of
ciphersuites introduced at a particular protocol version does not imply that
the protocol version is supported or enabled. Most SSLv3 and TLS 1.0
ciphersuites are applicable also in TLS 1.2.
> openssl_options = +no_sslv2 +no_sslv3
>
> looking at the logs there is no smtps connection with TLS lower than
> 1.2, is this something due to Exim configuration?
Either Exim, or OS defaults, possibly via the system-wide openssl.cnf file.
On Fri, Dec 27, 2019 at 08:17:39PM +0100, basti via Exim-users wrote:
> Hello,
> first of all some distribution use openssl and some use gnutls.
> check this with 'exim -bV'
In this case it is clear that OpenSSL was in use.
> > OpenSSL 1.1.1d is no longer able to send mail to us, logging this error:
> >
> > (SSL_accept): error:14209102:SSL
> > routines:tls_early_post_process_client_hello:unsupported protocol
This is an OpenSSL (not GnuTLS) error message.
--
Viktor.
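As an added example (not code from this thread, from Exim, or from Debian), here is a shell check for the OS-level cause discussed above: it reads the MinProtocol floor from a system-wide openssl.cnf (assuming the section name system_default_sect that Debian and the OpenSSL config docs use, and a constructed copy of a Debian 10 style file as sample input) and, given network access, probes an SMTP listener one protocol version at a time, which shows what is actually accepted where `openssl ciphers -v` does not.

```shell
#!/bin/sh
# Added example: locate the TLS floor that the system-wide openssl.cnf imposes
# on every OpenSSL-linked program (Exim included) and probe a server directly.

# Write a constructed, Debian-10-style openssl.cnf fragment to the given path.
# The MinProtocol line is what makes a TLS 1.0-only client fail with
# "unsupported protocol" even though `openssl ciphers -v` still lists TLSv1.
write_sample_cnf() {  # usage: write_sample_cnf /path/to/file
    cat > "$1" <<'EOF'
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
EOF
}

# Print the MinProtocol value from [system_default_sect]; prints nothing when
# the file sets none (OpenSSL's own built-in floor then applies).
# Assumption: the section is named system_default_sect, as on Debian.
openssl_min_protocol() {  # usage: openssl_min_protocol /etc/ssl/openssl.cnf
    awk '
        /^\[/ { insect = ($0 ~ /^\[[ \t]*system_default_sect[ \t]*\]/) }
        insect && /^[ \t]*MinProtocol[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); print; exit
        }
    ' "$1"
}

# Probe an SMTP listener through STARTTLS with exactly one protocol version
# (-tls1, -tls1_1, -tls1_2 or -tls1_3). Relies on s_client exiting non-zero
# when the handshake fails. Needs network access, so it is not run offline.
probe_smtp_tls() {  # usage: probe_smtp_tls mail.example.com 25 -tls1
    if printf 'QUIT\r\n' | openssl s_client -connect "$1:$2" \
            -starttls smtp "$3" >/dev/null 2>&1; then
        echo "$3 accepted"
    else
        echo "$3 rejected"
    fi
}
```

Run `openssl_min_protocol /etc/ssl/openssl.cnf` on the receiving host; a TLSv1.2 result explains the failure before any Exim option is suspected.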