On 2022-09-24, Andreas Metzler via Exim-users <exim-users@???> wrote:
> On 2022-09-23 Jasen Betts via Exim-users <exim-users@???> wrote:
>> upgrading from 4.94 to 4.96 seems to have dramatically reduced the TLS
>> connectivity (as a server).
>
>> I'm using libgnutls3.7.1 on debian 11 and the Exim package from backports
>
>> customers are complaining about TLS not not working
>
>> my testing mainly involves telling exim to listen on poert 443 with
>> implicit SSL and then hitting it with www.sslcheck.com
I have since discovered the script testssl.sh
which gives the same results, faster.
>> and this testing also shows a change in the availalbe suites.
>
>> It mainly seems to be ECDH suites that are no longer avaialable.
>
> Hello,
>
> I suspect you have only installed a EC/ECDSA certificate, you will also
> need a RSA certificate for maximum compatibility.
On my test server I'm using an RSA certificate from letsencrypt. it
doesn't seem to make any difference.
I can align the list cipher suites on both versions by disabling DHE-RSA on
the new server, but that didn't help.
according to testssl.sh the only protocol difference seems to be that the new
version isn't offering tls extension "max fragment length/#1" I can't
find a way to enable this to test if it makes any difference.
--
Jasen.