On Fri, Sep 30, 2022 at 11:05:57AM -0400, Viktor Dukhovni via Exim-users wrote:
> > Clearing either no_tlsv1_1 or no_sslv3 has no effect.
>
> Of course, if there's no support, the CLI flags don't matter. TLS 1.1 does
> not work with OpenSSL 3.0.5, Though it looks more like a bug to me:
>
> $ openssl s_client -quiet -starttls smtp -tls1_1 -connect $(uname -n):25
> depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
> verify return:1
> depth=1 C = US, O = Let's Encrypt, CN = R3
> verify return:1
> depth=0 CN = dnssec-stats.ant.isi.edu
> verify return:1
> C0A1EBA5F27F0000:error:0A0C0103:SSL routines:tls_process_key_exchange:internal error:ssl/statem/statem_clnt.c:2252:
I just reproduced the problem with a fresh build of 3.0.6-dev from
github (built on FreeBSD 12.3):
$ LD_LIBRARY_PATH=/var/tmp/openssl/lib /var/tmp/openssl/bin/openssl s_client -starttls smtp -tls1_1 -quiet -connect localhost:25
Can't use SSL_get_servername
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = <...>
verify return:1
00C0C60008000000:error:0A0C0103:SSL routines:tls_process_key_exchange:internal error:ssl/statem/statem_clnt.c:2254:
I'll try to find some time to file a bug. Feel free to beat me to it.
--
Viktor.