Re: [exim] GnuTTS woes

Author: Viktor Dukhovni
Date:  
To: exim-users
Subject: Re: [exim] GnuTTS woes
On Fri, Sep 30, 2022 at 01:21:21AM -0000, Jasen Betts via Exim-users wrote:

> > With the older Exim, GnuTLS appears to consider six cipher suites before
> > finding a suitable choice (after skipping all the DHE candidates).
>
> I can disable DHE_RSA by saying
>
>     tls_require_ciphers = NORMAL:%COMPAT:!DHE-RSA
>
> and now it chooses the same suite that 4.94 was choosing
> but there is still an error after the suite is chosen.


You could keep debugging GnuTLS, or just use a version of Exim with TLS
support via OpenSSL, which will likely just work. Your call.

Some resource that GnuTLS expects to use is not available when it is
initialised by the problem version of Exim. If not a DHE group,
likely something else related to cryptography. To debug, you'd need
to figure out where that error is raised. Lack of help from strace
is not unexpected.

-- 
    Viktor.