On Fri, Sep 30, 2022 at 08:14:20PM +0100, Jeremy Harris via Exim-users wrote:
> > Does its cipherlist end with ":@SECLEVEL=0" (or does it explicitly
> > set the security level via the OpenSSL API).
>
> The latter.
>
> I can add calls to read out bit of setup just before SSL_accept, if you
> can suggest one.
I'm out of ideas. All I can say with certainty is that underlying
OpenSSL library (Fedora36 OpenSSL 3.0.5, same as yours I think) is
perfectly happy to do TLS 1.1 when SECLEVEL=0. Why that's not
happening with Exim is outside my area of expertise.
> If it matters: I'm using the OP's very minimal Client Hello,
> not s_client.
Does "s_client -tls1_1 -cipher ALL:@SECLEVEL=0" work? Let's first
sort that out.
--
Viktor.