Re: [exim] GnuTTS woes

Αρχική Σελίδα
Delete this message
Reply to this message
Συντάκτης: Viktor Dukhovni
Ημερομηνία:  
Προς: exim-users
Αντικείμενο: Re: [exim] GnuTTS woes
On Wed, Sep 28, 2022 at 09:39:43AM -0400, Viktor Dukhovni via Exim-users wrote:
> On Tue, Sep 27, 2022 at 02:39:19AM -0000, Jasen Betts via Exim-users wrote:
>
> > it's reachable here: eximtest.duckdns.org
> >
> > eg: $ testssl eximtest.duckdns.org:465
> >
>
> You said that ECDHE ciphers are not available, but a default connection
> with "posttls-finger" gives TLS 1.3 with an ECDHE cipher:
>
>     posttls-finger: Untrusted TLS connection established
>         to eximtest.duckdns.org[2400:8907::f03c:93ff:fe2d:f557]:25:
>         TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
>         key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits)
>         server-digest SHA256

>
> If I force TLS 1.2, I get (slightly less detailed cipher breakdown for
> TLS 1.2 in Postfix):
>
>     posttls-finger: Untrusted TLS connection established
>         to eximtest.duckdns.org[2400:8907::f03c:93ff:fe2d:f557]:25:
>         TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

>
> Either this is not the server in question, or ECDHE is working just
> fine...


Ditto on port 465 and with IPv4:

    $ posttls-finger -c -lmay -Lsummary -w -o inet_protocols=ipv4 -p TLSv1.2 "[eximtest.duckdns.org]:465"
    posttls-finger: Untrusted TLS connection established
        to eximtest.duckdns.org[172.105.179.7]:465:
        TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)


-- 
    Viktor.