Re: [exim] GnuTTS woes

Author: Viktor Dukhovni
Date:  
To: exim-users
Subject: Re: [exim] GnuTTS woes
On Fri, Sep 30, 2022 at 11:23:47AM -0400, Viktor Dukhovni via Exim-users wrote:

> I just reproduced the problem with a fresh build of 3.0.6-dev from
> github (built on FreeBSD 12.3):
>
>     $ LD_LIBRARY_PATH=/var/tmp/openssl/lib /var/tmp/openssl/bin/openssl s_client -starttls smtp -tls1_1 -quiet -connect localhost:25
>     Can't use SSL_get_servername
>     depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
>     verify error:num=20:unable to get local issuer certificate
>     verify return:1
>     depth=1 C = US, O = Let's Encrypt, CN = R3
>     verify return:1
>     depth=0 CN = <...>
>     verify return:1
>     00C0C60008000000:error:0A0C0103:SSL routines:tls_process_key_exchange:internal error:ssl/statem/statem_clnt.c:2254:
>
> I'll try to find some time to file a bug. Feel free to beat me to it.


Actually, this is expected behaviour:

    https://github.com/openssl/openssl/issues/15335#issuecomment-843843617


To get SHA1 ciphers to work, one needs to set the security level to 0.

    $ openssl s_client -quiet -starttls smtp -tls1_1 -cipher "ALL:@SECLEVEL=0" -connect $(uname -n):25
    depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
    verify return:1
    depth=1 C = US, O = Let's Encrypt, CN = R3
    verify return:1
    depth=0 CN = <...>
    verify return:1
    250 CHUNKING
    quit
    221 2.0.0 Bye


Jeremy, if you retry with "@SECLEVEL=0", you should see OpenSSL work as
expected.

-- 
    Viktor.
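Added example, not code from this thread or from the Exim or OpenSSL projects: a small POSIX shell helper for a server operator who wants to tell OpenSSL 3's security-level rejection (the "tls_process_key_exchange:internal error" seen above, which the linked issue describes as expected at the default level) apart from a genuine handshake failure. It probes once at the library default and once at "@SECLEVEL=0" and reports whether the server only works when the client drops its security level, which points at legacy SHA1 configuration to fix on the server side rather than a client bug. It assumes an OpenSSL 3.x `openssl` on PATH; `host` and `port` are parameters supplied by the caller.

```shell
#!/bin/sh
# Probe an SMTP server's STARTTLS handshake at two OpenSSL security levels
# and classify the outcome. Pure functions are separated from the live
# probe so the classification can be checked on constructed output.

# Command line for one probe; an empty seclevel means the library default.
build_probe_cmd() {
  host=$1; port=$2; seclevel=$3
  if [ -n "$seclevel" ]; then
    printf 'openssl s_client -quiet -starttls smtp -tls1_1 -cipher "ALL:@SECLEVEL=%s" -connect %s:%s' \
      "$seclevel" "$host" "$port"
  else
    printf 'openssl s_client -quiet -starttls smtp -tls1_1 -connect %s:%s' "$host" "$port"
  fi
}

# Classify the combined stdout/stderr of one probe run.
# Prints: ok | seclevel_blocked | handshake_failed | unknown
classify_probe_output() {
  case $1 in
    # OpenSSL 3 at SECLEVEL>=1 refuses SHA1-signed key exchange this way
    # (see the OpenSSL issue linked in the thread).
    *"tls_process_key_exchange:internal error"*) echo seclevel_blocked ;;
    # The session reached the SMTP layer and closed cleanly.
    *"221 2.0.0 Bye"*) echo ok ;;
    *"handshake failure"*|*"alert "*) echo handshake_failed ;;
    *) echo unknown ;;
  esac
}

# Combine the default-level and SECLEVEL=0 classifications into a verdict.
verdict() {
  case "$1/$2" in
    ok/*)                 echo server_ok_at_default_seclevel ;;
    seclevel_blocked/ok)  echo server_relies_on_sha1_fix_server_config ;;
    */ok)                 echo server_works_only_with_seclevel0 ;;
    *)                    echo tls_failure_unrelated_to_seclevel ;;
  esac
}

# Live probe (needs network access to host:port); "quit" ends the session.
probe_server() {
  host=$1; port=${2:-25}
  d=$(printf 'quit\n' | eval "$(build_probe_cmd "$host" "$port" "")" 2>&1 || true)
  z=$(printf 'quit\n' | eval "$(build_probe_cmd "$host" "$port" 0)" 2>&1 || true)
  verdict "$(classify_probe_output "$d")" "$(classify_probe_output "$z")"
}
```

Run `probe_server mail.example.org 25` against your own MTA; a verdict of `server_relies_on_sha1_fix_server_config` means modern clients at the default security level will fail exactly as in the message above.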