On 30/09/2022 19:17, Viktor Dukhovni via Exim-users wrote:
>> openssl_options = -no_sslv3 -no_tlsv1_1 -no_tlsv1
>> doesn't change the result.
>
> That sets a floor, rather than clearing it. You're explicitly
> turning off SSL 3.0, TLS 1.0 and TLS 1.1.
No. This is the Exim option, not an s_client option;
+no_sslv3 would be setting that bit
(and thereby disallowing SSLv3). -no_sslv3 clears the bit.
Here's the processing going on:
19:51:24 64677 openssl option, removing from 42004000: 02000000 (no_sslv3 -no_tlsv1_1 -no_tlsv1)
19:51:24 64677 openssl option, removing from 40004000: 10000000 (no_tlsv1_1 -no_tlsv1)
19:51:24 64677 openssl option, removing from 40004000: 04000000 (no_tlsv1)
The result from that is fed to SSL_CTX_set_options().
> Do you have a test server reachable from the Internet that's running the
> version of Exim in question over OpenSSL?
Unfortunately no; this is my devel laptop.
> Does its cipherlist end with
> ":@SECLEVEL=0" (or does it explicitly set the security level via the
> OpenSSL API)?
The latter.
I can add calls to read out bits of the setup just before SSL_accept, if you
can suggest one.
If it matters: I'm using the OP's very minimal Client Hello,
not s_client.
--
Cheers,
Jeremy
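To make the bit arithmetic in the three debug lines above concrete, here is a small Python re-implementation written for this page; it is not Exim's code, only a model of the +set / -clear walk Jeremy describes, with the SSL_OP_* bit values taken from Python's ssl module (which reads them from the OpenSSL headers it was built against). Treating a bare name as "+name" is an assumption made here. The second half feeds the resulting mask to a real SSLContext as a stand-in for Exim's SSL_CTX_set_options() call, and then reads back the three settings the thread mentions (the option bits, the minimum protocol version floor, and the security level), which is the kind of read-out one would do just before SSL_accept().

```python
import ssl
from typing import List, Tuple

# SSL_OP_* bit values from Python's ssl module, i.e. from the linked OpenSSL
# headers (0x02000000, 0x04000000, 0x10000000 and 0x08000000 in OpenSSL
# 1.1.x and 3.x).  Only the names used in this thread are listed; Exim's own
# option table is longer.
OPTION_BITS = {
    "no_sslv3": int(ssl.OP_NO_SSLv3),
    "no_tlsv1": int(ssl.OP_NO_TLSv1),
    "no_tlsv1_1": int(ssl.OP_NO_TLSv1_1),
    "no_tlsv1_2": int(ssl.OP_NO_TLSv1_2),
}


def apply_openssl_options(start: int, spec: str) -> Tuple[int, List[str]]:
    """Walk a space-separated option string with the semantics the e-mail
    describes: '+name' sets the SSL_OP_* bit, '-name' clears it.  A bare name
    is treated as '+name' (assumption for this example).  Returns the final
    mask and one trace string per token, formatted like the 'openssl option,
    removing from X: Y (...)' debug lines, where the parenthesised part is
    the not-yet-consumed rest of the string."""
    mask = int(start)
    trace = []
    tokens = spec.split()
    for i, tok in enumerate(tokens):
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        if name.lower() not in OPTION_BITS:
            raise ValueError("unknown openssl option %r" % name)
        bit = OPTION_BITS[name.lower()]
        rest = " ".join([name] + tokens[i + 1:])
        if sign == "-":
            trace.append("openssl option, removing from %08x: %08x (%s)" % (mask, bit, rest))
            mask &= ~bit
        else:
            trace.append("openssl option, adding to %08x: %08x (%s)" % (mask, bit, rest))
            mask |= bit
    return mask, trace


def configure_context(spec: str) -> ssl.SSLContext:
    """Apply the option string to a fresh server context.  Python's
    SSLContext.options setter calls SSL_CTX_clear_options() for bits that
    were dropped and SSL_CTX_set_options() for bits that were added, so this
    is the same effect as handing the computed mask to OpenSSL."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    mask, _ = apply_openssl_options(int(ctx.options), spec)
    ctx.options = mask
    return ctx


def describe_context(ctx: ssl.SSLContext) -> dict:
    """Read-out worth doing just before SSL_accept(): the option bits, the
    minimum protocol version (SSL_CTX_get_min_proto_version, a floor the
    SSL_OP_NO_* bits do not touch) and the security level
    (SSL_CTX_get_security_level; exposed by Python from 3.10 on)."""
    opts = int(ctx.options)
    return {
        "options": opts,
        "no_sslv3": bool(opts & OPTION_BITS["no_sslv3"]),
        "no_tlsv1": bool(opts & OPTION_BITS["no_tlsv1"]),
        "no_tlsv1_1": bool(opts & OPTION_BITS["no_tlsv1_1"]),
        "minimum_version": ctx.minimum_version.name,
        "security_level": getattr(ctx, "security_level", None),
    }


if __name__ == "__main__":
    # Starting mask 0x42004000 and option string taken from the debug lines.
    final, lines = apply_openssl_options(0x42004000, "-no_sslv3 -no_tlsv1_1 -no_tlsv1")
    for line in lines:
        print(line)
    print("fed to SSL_CTX_set_options(): %08x" % final)
    print(describe_context(configure_context("-no_sslv3 -no_tlsv1_1 -no_tlsv1")))
```

Run it and the three trace lines come out exactly as in the debug output above, ending in 40004000: the second and third tokens clear bits that were never set. The read-out at the end is the point of the exercise: a cleared SSL_OP_NO_TLSv1 bit only removes one veto, and whether TLS 1.0 is actually offered still depends on the minimum version floor and the security level reported alongside it.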