Re: [exim] GnuTTS woes

Author: Jasen Betts
Date:  
To: exim-users
Subject: Re: [exim] GnuTTS woes
On 2022-09-24, Viktor Dukhovni via Exim-users <exim-users@???> wrote:
> On Fri, Sep 23, 2022 at 05:50:29AM -0000, Jasen Betts via Exim-users wrote:
>
>> My testing mainly involves telling exim to listen on port 443 with
>> implicit SSL and then hitting it with www.sslcheck.com
>>
>> tls_on_connect_ports = 465:443
>> daemon_smtp_ports = 25:465:587:443
>>
>> and this testing also shows a change in the available suites.
>>
>> It mainly seems to be ECDH suites that are no longer available.
>
> There's a big difference between "ECDH" and "ECDHE", the "fixed" DH/ECDH
> ciphers are deprecated, rarely used, and should not be used. While DHE
> and ECDHE ciphers are preferred. If GnuTLS disabled these, no harm done.
>
> If you post the name of the server, it would be possible for others to
> confirm your observations and perhaps offer more detailed help.
The server is nothing special: basically a stock Debian 11 with exim
installed from Debian backports, and a certificate from Let's Encrypt.

I'm working towards minimum steps to reproduce by eliminating as
many other factors as possible.

I'm using a free dynamic domain name to protect the guilty.

It's reachable here: eximtest.duckdns.org

e.g.: $ testssl eximtest.duckdns.org:465

Once I find a good configuration I will deploy it on production
servers.


--
Jasen.
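A small checker, added here as an example and not part of this thread or of exim/GnuTLS, that sorts a list of cipher-suite names (such as the suites a scanner like testssl reports) by key-exchange family, so the deprecated fixed ECDH/DH suites Viktor refers to can be told apart from the ephemeral ECDHE/DHE ones. The suite names in `SAMPLE_SUITES` are constructed sample input; the name handling covers IANA and OpenSSL/GnuTLS-style names and reports anything else as unknown.

```python
# Key-exchange family -> whether the handshake gives forward secrecy.
# Fixed (non-ephemeral) DH/ECDH and plain RSA key transport do not;
# the ephemeral DHE/ECDHE families and every TLS 1.3 suite do.
FORWARD_SECRECY = {
    "ECDHE": True, "DHE": True, "TLS1.3": True,
    "ECDH": False, "DH": False, "RSA": False,
}

# Constructed sample input: a mix of name styles as a scanner might list them.
SAMPLE_SUITES = [
    "TLS_AES_256_GCM_SHA384",                 # TLS 1.3, always (EC)DHE
    "ECDHE-RSA-AES128-GCM-SHA256",            # OpenSSL style, ephemeral
    "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",   # IANA style, fixed ECDH
    "DHE-RSA-AES256-GCM-SHA384",              # ephemeral finite-field DH
    "DH-RSA-AES128-SHA",                      # fixed DH
    "AES128-SHA",                             # RSA key transport
]


def classify_kex(suite: str) -> str:
    """Return the key-exchange family of a cipher-suite name.

    Accepts IANA names (TLS_ECDHE_RSA_WITH_...) and the OpenSSL/GnuTLS
    style (ECDHE-RSA-...). Unrecognised prefixes yield "UNKNOWN" rather
    than a guess.
    """
    name = suite.upper().replace("-", "_")
    if name.startswith(("TLS_AES_", "TLS_CHACHA20_")):
        return "TLS1.3"
    if name.startswith("TLS_"):
        name = name[4:]
    first = name.split("_", 1)[0]
    if first == "ECDHE":
        return "ECDHE"
    if first in ("DHE", "EDH"):          # OpenSSL spells some DHE suites EDH-
        return "DHE"
    if first in ("ECDH", "DH"):          # fixed key exchange: deprecated
        return first
    if first in ("RSA", "AES", "AES128", "AES256", "CAMELLIA128", "CAMELLIA256"):
        return "RSA"                     # OpenSSL omits the RSA prefix
    return "UNKNOWN"


def audit(suites):
    """Group suites by key-exchange family, e.g. {"ECDH": [...], ...}."""
    groups = {}
    for suite in suites:
        groups.setdefault(classify_kex(suite), []).append(suite)
    return groups


def without_forward_secrecy(suites):
    """Suites whose key exchange is fixed/RSA or could not be classified."""
    return [s for s in suites if not FORWARD_SECRECY.get(classify_kex(s), False)]
```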