Re: [exim] GnuTTS woes

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Viktor Dukhovni
Date:  
À: exim-users
Sujet: Re: [exim] GnuTTS woes
On Fri, Sep 30, 2022 at 11:23:47AM -0400, Viktor Dukhovni via Exim-users wrote:

> I just reproduced the problem with a fresh build of 3.0.6-dev from
> github (built on FreeBSD 12.3):
>
>     $ LD_LIBRARY_PATH=/var/tmp/openssl/lib /var/tmp/openssl/bin/openssl s_client -starttls smtp -tls1_1 -quiet -connect localhost:25
>     Can't use SSL_get_servername
>     depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
>     verify error:num=20:unable to get local issuer certificate
>     verify return:1
>     depth=1 C = US, O = Let's Encrypt, CN = R3
>     verify return:1
>     depth=0 CN = <...>
>     verify return:1
>     00C0C60008000000:error:0A0C0103:SSL routines:tls_process_key_exchange:internal error:ssl/statem/statem_clnt.c:2254:

>
> I'll try to find some time to file a bug. Feel free to beat me to it.


Actually, this is expected behaviour:

    https://github.com/openssl/openssl/issues/15335#issuecomment-843843617


To get SHA1 ciphers to work, one needs to set the security level to 0.

    $ openssl s_client -quiet -starttls smtp -tls1_1 -cipher "ALL:@SECLEVEL=0" -connect $(uname -n):25
    depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
    verify return:1
    depth=1 C = US, O = Let's Encrypt, CN = R3
    verify return:1
    depth=0 CN = <...>
    verify return:1
    250 CHUNKING
    quit
    221 2.0.0 Bye


Jeremy, if you retry with "@SECLEVEL=0", you should see OpenSSL work as
expected.

-- 
    Viktor.