Re: [exim] OpenSSL IOT woes

Author: Viktor Dukhovni
Date:  
To: exim-users
Subject: Re: [exim] OpenSSL IOT woes
On Fri, Sep 30, 2022 at 09:18:08PM +0100, Jeremy Harris via Exim-users wrote:

> On 30/09/2022 20:28, Viktor Dukhovni via Exim-users wrote:
> > Does "s_client -tls1_1 -cipher ALL:@SECLEVEL=0" work? Let's first
> > sort that out.
>
> It does not. The same Fatal Alert.


Presumably it'll work for you if you connect to:

    [dnssec-stats.ant.isi.edu]:25


The relevant software versions are:

    $ rpm -q postfix openssl
    postfix-3.6.4-1.fc36.x86_64
    openssl-3.0.5-1.fc36.x86_64


And indeed Postfix is linked against OpenSSL 3.x:

    $ ldd /usr/libexec/postfix/smtpd
        ...
        libssl.so.3 => /lib64/libssl.so.3 (0x00007fdc3588f000)
        libcrypto.so.3 => /lib64/libcrypto.so.3 (0x00007fdc35467000)
        ...


So the barrier is some interaction between Exim and OpenSSL that makes
TLS 1.0 and 1.1 unavailable. Clients that don't support TLS 1.2 are of
course increasingly rare, but pockets of holdouts still linger on...

-- 
    Viktor.