Re: [exim] GnuTTS woes

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Jasen Betts
Date:  
À: exim-users
Sujet: Re: [exim] GnuTTS woes
On 2022-09-24, Viktor Dukhovni via Exim-users <exim-users@???> wrote:
> On Fri, Sep 23, 2022 at 05:50:29AM -0000, Jasen Betts via Exim-users wrote:
>
>> My testing mainly involves telling exim to listen on poert 443 with
>> implicit SSL and then hitting it with www.sslcheck.com
>>
>> tls_on_connect_ports = 465:443
>> daemon_smtp_ports = 25:465:587:443
>>
>> and this testing also shows a change in the availalbe suites.
>>
>> It mainly seems to be ECDH suites that are no longer avaialable.
>
> There's a big difference between "ECDH" and "ECDHE", the "fixed" DH/ECDH
> ciphers are deprecated, rarely used, and should not be used. While DHE
> and ECDHE ciphers are preferred. If GnuTLS disabled these, no harm done.
>
> If you post the name of the server, it would be possible for others to
> confirm your observations and perhaps offer more detailed help.


the server is nothing special, basically a stock debian 11 with exim
installed from debian backports, and a certificate from letsencrypt.

I'm working towards minimum steps to reproduce by eliminating as
many other factors as possible..

I'm using a free dynamic domain name to protect the guilty.

it's reachable here: eximtest.duckdns.org

eg: $ testssl eximtest.duckdns.org:465

once I find a good configuration I will deploy it on production
servers.


--
Jasen.