On Wed, Sep 28, 2022 at 07:58:27PM -0000, Jasen Betts via Exim-users wrote:
> > You said that ECDHE ciphers are not available, but a default connection
> > with "posttls-finger" gives TLS 1.3 with an ECDHE cipher:
>
> I did say that, I was working from scraped web pages of a third-party
> analysis at the time... I've since found testssl.sh (which is easier to
> use) and by tweaking the priority string have turned on the same
> cyphers.
>
> According to testssl.sh, the only feature currently missing is
> maximum_fragment_size (and the ability to support several client platforms).
> I think I may have to run a bisection search on the source code to figure out
> where that fell off.

That particular extension is hardly likely to be particularly important.
I think you're barking up the wrong tree. Whatever the problem is, it
is likely somewhere entirely different.

You need to analyse some failed handshake full-packet captures with
"tshark", and collect detailed logs from the clients that are having
problems.

--
Viktor.