On Fri, Sep 30, 2022 at 03:48:18PM +0100, Jeremy Harris via Exim-users wrote:
> OpenSSL 3.0.5 5 Jul 2022 running on Fedora 36
>
> I think using the distro standard package
> openssl-1:3.0.2-4.fc36.x86_64
> (though I note the numbers don't exactly line up)
>
> The failure mode is a TLS Alert complaining about version
> (I forget the precise wording, sorry)
> and followed by what looks like a library internal bug-triggered
> error for a BIO operation error.
>
> Clearing either no_tlsv1_1 or no_sslv3 has no effect.

Of course, if there's no support, the CLI flags don't matter. TLS 1.1 does
not work with OpenSSL 3.0.5, though it looks more like a bug to me:

$ openssl s_client -quiet -starttls smtp -tls1_1 -connect $(uname -n):25
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = dnssec-stats.ant.isi.edu
verify return:1
C0A1EBA5F27F0000:error:0A0C0103:SSL routines:tls_process_key_exchange:internal error:ssl/statem/statem_clnt.c:2252:

Things work better with TLS 1.2:

$ openssl s_client -quiet -starttls smtp -tls1_2 -connect $(uname -n):25
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = dnssec-stats.ant.isi.edu
verify return:1
250 CHUNKING
QUIT
221 2.0.0 Bye

If this is still broken in 3.0.6-dev, a bug report may be appropriate.

--
Viktor.