Re: [exim] OpenSSL IOT woes

Página Principal
Apagar esta mensagem
Responder a esta mensagem
Autor: Jeremy Harris
Data:  
Para: exim-users
Assunto: Re: [exim] OpenSSL IOT woes
On 30/09/2022 19:17, Viktor Dukhovni via Exim-users wrote:
>>     openssl_options = -no_sslv3 -no_tlsv1_1 -no_tlsv1
>> doesn't change the result.

>
> That sets a floor, rather than clearing it. You're explicitly
> turning off SSL 3.0, TLS 1.0 and TLS 1.1.


No. This is the exim option not an s_client option;
+no_sslv3 would be setting that bit
(and thereby disallowing sslv3). -no_sslv3 clears the bit.


Here's the processing going on:

19:51:24 64677 openssl option, removing from 42004000: 02000000 (no_sslv3 -no_tlsv1_1 -no_tlsv1)
19:51:24 64677 openssl option, removing from 40004000: 10000000 (no_tlsv1_1 -no_tlsv1)
19:51:24 64677 openssl option, removing from 40004000: 04000000 (no_tlsv1)

The result from that is fed to SSL_CTX_set_options().


> Do you have a test server reachable from the Internet that's running the
> version of Exim in question over OpenSSL?


Unfortunately no; this is my devel laptop.

> Does its cipherlist end with
> ":@SECLEVEL=0" (or does it explicitly set the security level via the
> OpenSSL API).


The latter.

I can add calls to read out bit of setup just before SSL_accept, if you
can suggest one.

If it matters: I'm using the OP's very minimal Client Hello,
not s_client.
--
Cheers,
Jeremy