Re: [exim] GnuTLS vs OpenSSL

Viktor Dukhovni via Exim-users <exim-users@???> writes:

> On Sat, Sep 18, 2021 at 09:45:28PM +0100, Andrew C Aitchison via
> Exim-users wrote:
>
>> > Besides this: About 85% of the incoming traffic is still unencrypted
>> > (for my statistics, mainly because some high volume mailing list
>> > servers do not use TLS), about 10% uses TLS1.3, 5% still uses TLS1.2
>> > (I log TLS ciphers via +tls_cipher in Exim).
>>
>> It looks as though you do not allow TLSv1.1 - I suspect that a
>> substantial faction of that 85% would use it if you allowed it.
>> For email it is probably better to allow TLSv1.1 than reject it
>> and end up receiving the message in plain.
>
> Make that TLS 1.0, almost nobody uses TLS 1.1, the sites that don't
> support at least TLS 1.2 almost invariably only support TLS 1.0.

FWIW, I have used standard Debian exim (heavy, with GnuTLS) for my
personal email server for a couple of years, and I don't recall any
TLS-related problem. FWIW, it seems TLS1.2 and TLS 1.3 is in wide use,
see statistics from the last couple of days on my server:

root@uggla:~# zgrep ' <= ' /var/log/exim4/mainlog*|grep -v ' P=local '|grep X=TLS1.0|wc -l
3
root@uggla:~# zgrep ' <= ' /var/log/exim4/mainlog*|grep -v ' P=local '|grep X=TLS1.1|wc -l
1
root@uggla:~# zgrep ' <= ' /var/log/exim4/mainlog*|grep -v ' P=local '|grep X=TLS1.2|wc -l
640
root@uggla:~# zgrep ' <= ' /var/log/exim4/mainlog*|grep -v ' P=local '|grep X=TLS1.3|wc -l
657
root@uggla:~# zgrep ' <= ' /var/log/exim4/mainlog*|grep -v ' P=local '|grep -v X=TLS|wc -l
46
root@uggla:~#

/Simon