On 31.05.2021 23:29, Viktor Dukhovni via Exim-users wrote:
> I see, the version of OpenSSL may be relevant here.
>
> Is the server in question "mail.fuze.pl"? On port 25 for that server I
This is not the server, but it uses the same configuration and the same
FreeBSD/openssl version - but as I tested it with s_client it didn't fail!
openssl s_client -connect mail.fuze.pl:465 -tls1_2 -curves P-256
Server Temp Key: ECDH, P-256, 256 bits
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
so I checked what the difference between these two boxes is - and
finally found it - the problematic exim uses an EC certificate, while
mail.fuze.pl uses (as you could see) RSA. The change was caused by a
switch of defaults in the dehydrated Let's Encrypt client:
https://github.com/dehydrated-io/dehydrated/commit/174616becd96c202e3ff6dc0f28b3b435644f623
The EC cert is secp384r1 / P-384 so forcing P-256 only causes the alert.
In fact, testing with s_client and -curves P-256:P-384 is successful.
Server Temp Key: ECDH, P-256, 256 bits
New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES256-GCM-SHA384
Server public key is 384 bit
So I think I'll switch back to RSA for a few more years ;)
Thank you all for helping to debug this stuff, best regards
--
Marcin Gryszkalis, PGP 0xA5DBEEC7
http://fork.pl/gpg.txt
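The failure described in the message above comes from a TLS 1.2 rule (RFC 4492 / RFC 8422): when the server certificate is ECDSA, the curve of the certificate key itself must appear in the client's elliptic_curves / supported_groups list, not only a curve usable for the ECDHE temporary key. A client offering only P-256 therefore cannot use a P-384 ECDSA certificate, while an RSA certificate works fine with the same client. The following Python script is an added example, not code from the thread or from Exim or OpenSSL: it parses the SubjectPublicKeyInfo of a certificate key (a small pure-Python DER walker), then applies that rule to decide whether a given client group list can complete the handshake and which curve the temporary key would use. The sample keys are constructed DER with placeholder point and modulus bytes (they are not valid keys, and the parser does not validate them), and the assumption that the server takes the first client-preferred curve for ECDHE is a simplification of OpenSSL's default behaviour.

```python
"""Model of the TLS 1.2 supported-groups check that a P-384 ECDSA
certificate runs into when a client offers only P-256.

Added example for the Exim-users thread; the DER builders below only
exist to construct sample SubjectPublicKeyInfo blobs offline."""

# OIDs from RFC 5480 (ecPublicKey, named curves) and RFC 8017 (rsaEncryption)
OID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"
OID_RSA_ENCRYPTION = "1.2.840.113549.1.1.1"
CURVE_BY_OID = {
    "1.2.840.10045.3.1.7": "P-256",  # prime256v1 / secp256r1
    "1.3.132.0.34": "P-384",         # secp384r1
    "1.3.132.0.35": "P-521",         # secp521r1
}

# --- minimal DER encoding helpers (only what the samples need) ---
def _encode_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _encode_len(len(body)) + body

def encode_oid(dotted):
    """Dotted OID string -> DER OBJECT IDENTIFIER (tag 0x06) TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))

# --- minimal DER decoding helpers ---
def _read_tlv(buf, pos):
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)

def parse_spki(spki_der):
    """Return ('EC', curve_name) or ('RSA', None) for a SubjectPublicKeyInfo."""
    tag, body, _ = _read_tlv(spki_der, 0)          # SubjectPublicKeyInfo SEQUENCE
    assert tag == 0x30, "expected SEQUENCE"
    _, alg, _ = _read_tlv(body, 0)                  # AlgorithmIdentifier SEQUENCE
    _, oid_body, after_oid = _read_tlv(alg, 0)      # algorithm OID
    alg_oid = decode_oid(oid_body)
    if alg_oid == OID_EC_PUBLIC_KEY:
        _, curve_body, _ = _read_tlv(alg, after_oid)  # namedCurve parameter
        curve_oid = decode_oid(curve_body)
        return "EC", CURVE_BY_OID.get(curve_oid, curve_oid)
    if alg_oid == OID_RSA_ENCRYPTION:
        return "RSA", None
    return "other", alg_oid

# --- constructed sample keys (placeholder point / modulus bytes, not real keys) ---
def build_ec_spki(curve_oid, point):
    alg = _tlv(0x30, encode_oid(OID_EC_PUBLIC_KEY) + encode_oid(curve_oid))
    return _tlv(0x30, alg + _tlv(0x03, b"\x00" + point))

def build_rsa_spki(modulus, exponent=65537):
    alg = _tlv(0x30, encode_oid(OID_RSA_ENCRYPTION) + b"\x05\x00")  # NULL params
    n = _tlv(0x02, modulus)
    e = _tlv(0x02, exponent.to_bytes(3, "big"))
    return _tlv(0x30, alg + _tlv(0x03, b"\x00" + _tlv(0x30, n + e)))

ECDSA_P384_KEY = build_ec_spki("1.3.132.0.34", b"\x04" + b"\x00" * 96)   # constructed
RSA_KEY = build_rsa_spki(b"\x00\xc3" + b"\x11" * 255)                      # constructed

def negotiate(client_groups, server_spki, server_ecdhe_groups=("P-256", "P-384")):
    """Apply the TLS 1.2 rule: ECDHE curve must be shared, and an ECDSA
    certificate's own curve must be in the client's offered groups.
    Assumption: the server picks the first client-preferred shared curve."""
    key_type, cert_curve = parse_spki(server_spki)
    shared = [g for g in client_groups if g in server_ecdhe_groups]
    if not shared:
        return {"ok": False, "reason": "no common ECDHE curve"}
    if key_type == "EC" and cert_curve not in client_groups:
        # This is the handshake_failure alert seen in the thread.
        return {"ok": False,
                "reason": f"certificate curve {cert_curve} not offered by client"}
    kx = "ECDHE-ECDSA" if key_type == "EC" else "ECDHE-RSA"
    return {"ok": True, "kx": kx, "temp_key": shared[0], "cert_curve": cert_curve}

if __name__ == "__main__":
    print(negotiate(["P-256"], ECDSA_P384_KEY))           # fails, as in the thread
    print(negotiate(["P-256", "P-384"], ECDSA_P384_KEY))  # ECDHE-ECDSA, temp key P-256
    print(negotiate(["P-256"], RSA_KEY))                  # ECDHE-RSA works regardless
```

The three calls at the bottom reproduce the thread's observations: P-256 alone fails against the P-384 ECDSA certificate, P-256:P-384 succeeds with a P-256 temporary key, and the RSA-certificate server accepts a P-256-only client. This coupling is specific to TLS 1.2; in TLS 1.3 the certificate's curve is constrained by the signature_algorithms extension instead, and supported_groups only governs the key exchange.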