Re: [exim] OpenSSL IOT woes

Góra strony
Delete this message
Reply to this message
Autor: Viktor Dukhovni
Data:  
Dla: exim-users
Temat: Re: [exim] OpenSSL IOT woes
On Fri, Sep 30, 2022 at 08:14:20PM +0100, Jeremy Harris via Exim-users wrote:

> > Does its cipherlist end with ":@SECLEVEL=0" (or does it explicitly
> > set the security level via the OpenSSL API).
>
> The latter.
>
> I can add calls to read out bit of setup just before SSL_accept, if you
> can suggest one.


I'm out of ideas. All I can say with certainty is that underlying
OpenSSL library (Fedora36 OpenSSL 3.0.5, same as yours I think) is
perfectly happy to do TLS 1.1 when SECLEVEL=0. Why that's not
happening with Exim is outside my area of expertise.

> If it matters: I'm using the OP's very minimal Client Hello,
> not s_client.


Does "s_client -tls1_1 -cipher ALL:@SECLEVEL=0" work? Let's first
sort that out.

-- 
    Viktor.