On Wed, Sep 28, 2022 at 09:39:43AM -0400, Viktor Dukhovni via Exim-users wrote:
> On Tue, Sep 27, 2022 at 02:39:19AM -0000, Jasen Betts via Exim-users wrote:
>
> > it's reachable here: eximtest.duckdns.org
> >
> > eg: $ testssl eximtest.duckdns.org:465
> >
>
> You said that ECDHE ciphers are not available, but a default connection
> with "posttls-finger" gives TLS 1.3 with an ECDHE cipher:
>
> posttls-finger: Untrusted TLS connection established
> to eximtest.duckdns.org[2400:8907::f03c:93ff:fe2d:f557]:25:
> TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
> key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits)
> server-digest SHA256
>
> If I force TLS 1.2, I get (slightly less detailed cipher breakdown for
> TLS 1.2 in Postfix):
>
> posttls-finger: Untrusted TLS connection established
> to eximtest.duckdns.org[2400:8907::f03c:93ff:fe2d:f557]:25:
> TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
>
> Either this is not the server in question, or ECDHE is working just
> fine...
Ditto on port 465 and with IPv4:
$ posttls-finger -c -lmay -Lsummary -w -o inet_protocols=ipv4 -p TLSv1.2 "[eximtest.duckdns.org]:465"
posttls-finger: Untrusted TLS connection established
to eximtest.duckdns.org[172.105.179.7]:465:
TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
--
Viktor.