On Wed, Oct 20, 2021 at 12:00:17AM +0000, admin--- via Exim-dev wrote:
> The 4th shows that on 2000+ connections in the logs nothing is actually using a
> DHE cipher suite either. Which makes a bug on the sslscan unlikely - esp. since
> it works as expected against gnutls-serv with the same string.
Typically, even with DHE enabled, the selected cipher would use ECDHE
when both sides support it, also, depending on what is logged with TLS
1.3, the key exchange group may not even be logged, and TLS 1.3 cipher
names onlly describe the symmetric crypto.
Indeed neither exim.org nor Phil Pennock's domain seem to support DHE,
but Heiko's Exim server does, at least when client offers only TLSv1.2
with just DHE ciphers. Don't know whether it uses GnuTLS or OpenSSL:
< 220 mx10.schlittermann.de ESMTP Exim 4.95 Wed, 20 Oct 2021 00:30:55 +0200
> EHLO ...
< 250-mx10.schlittermann.de ...
< ...
< 250-STARTTLS
< 250 HELP
> STARTTLS
< 220 TLS go ahead
mx10.schlittermann.de[46.38.236.101]:25: Matched DANE EE ...
Verified TLS connection established to mx10.schlittermann.de[46.38.236.101]:25: TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Similarly, Jeremy's MX host also supports DHE ciphers:
< 220-w81.wizint.net ESMTP Exim 4.94.133 Tue, 19 Oct 2021 22:40:50 +0000
Untrusted TLS connection established to wizmail.org[2a00:1940:107::2:0:0]:25: TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> Then there is some reasoning why this is important for us at least.
Or only seemingly important, as I noted earlier.
--
Viktor.