Debian always builds Exim against GnuTLS, in its “heavy” variation, but I’ve always resisted by building against OpenSSL (and, incidentally, taken the time to tweak it for me). On the face of it that’s fine, except …
Is there really a good reason? I do it chiefly because I like OpenSSL’s cipher selection (I want very permissive, ordered by @STRENGTH, and TLS 1.3 would be nice). There were also horror stories about RNG entropy starvation caused by GnuTLS.
It’s tedious. I don’t put compilers on my server, and I don’t much enjoy setting up a build environment just to compile Exim against stable libraries and headers. It also makes upgrading much harder.
I appreciate that this is borderline a Debian question, but since there are presumably experienced users of both libraries here, do you think Exim+GnuTLS is actually viable and that if I were to switch to the prebuilt binaries and adapt to GnuTLSisms it would be adequate for a quiet personal server?
