On Tue, Sep 27, 2022 at 02:39:19AM -0000, Jasen Betts via Exim-users wrote:
> it's reachable here: eximtest.duckdns.org
>
> eg: $ testssl eximtest.duckdns.org:465
>
You said that ECDHE ciphers are not available, but a default connection
with "posttls-finger" gives TLS 1.3 with an ECDHE cipher:

    posttls-finger: Untrusted TLS connection established
      to eximtest.duckdns.org[2400:8907::f03c:93ff:fe2d:f557]:25:
      TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
      key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits)
      server-digest SHA256

If I force TLS 1.2, I get (slightly less detailed cipher breakdown for
TLS 1.2 in Postfix):

    posttls-finger: Untrusted TLS connection established
      to eximtest.duckdns.org[2400:8907::f03c:93ff:fe2d:f557]:25:
      TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

Either this is not the server in question, or ECDHE is working just
fine...

--
Viktor.
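
Added example, not part of the message above or of Postfix: a small Python parser that reads posttls-finger summary lines and reports the key exchange, taking it from the "key-exchange" field when present (TLS 1.3) and from the cipher-name prefix otherwise (TLS 1.2). The function names, the re-joining of each summary onto one line, and the third sample line (mail.example.test) are assumptions made for illustration.

```python
import re

# Summary lines from the message above, each re-joined onto one line
# (assumption: the mail wrapped them), plus one constructed
# counter-example with a non-ECDHE TLS 1.2 cipher.
SAMPLE = """\
posttls-finger: Untrusted TLS connection established to eximtest.duckdns.org[2400:8907::f03c:93ff:fe2d:f557]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256
posttls-finger: Untrusted TLS connection established to eximtest.duckdns.org[2400:8907::f03c:93ff:fe2d:f557]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
posttls-finger: Untrusted TLS connection established to mail.example.test[192.0.2.10]:25: TLSv1.2 with cipher AES256-GCM-SHA384 (256/256 bits)
"""

SUMMARY = re.compile(
    r"TLS connection established to (?P<peer>\S+): "
    r"(?P<proto>TLSv[\d.]+) with cipher (?P<cipher>\S+)"
    r"(?: \(\d+/\d+ bits\))?"
    r"(?: key-exchange (?P<kex>\S+))?"
)

def key_exchange(proto, cipher, kex):
    """Return the key-exchange family, or None if it cannot be determined."""
    if kex:
        return kex  # explicit field, printed for TLS 1.3 in the output above
    if proto == "TLSv1.3":
        return None  # TLS 1.3 suite names do not encode the key exchange
    # TLS 1.2 OpenSSL-style names lead with ECDHE or DHE when the key
    # exchange is ephemeral; anything else is reported as "other".
    prefix = cipher.split("-")[0]
    return prefix if prefix in ("ECDHE", "DHE") else "other"

def analyze(text):
    """Parse posttls-finger summary lines into (peer, proto, cipher, kex)."""
    rows = []
    for m in SUMMARY.finditer(text):
        kex = key_exchange(m["proto"], m["cipher"], m["kex"])
        rows.append((m["peer"], m["proto"], m["cipher"], kex))
    return rows

if __name__ == "__main__":
    for peer, proto, cipher, kex in analyze(SAMPLE):
        print(f"{proto:8} {cipher:30} kex={kex}  {peer}")
```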