On Fri, Sep 30, 2022 at 09:18:08PM +0100, Jeremy Harris via Exim-users wrote:
> On 30/09/2022 20:28, Viktor Dukhovni via Exim-users wrote:
> > Does "s_client -tls1_1 -cipher ALL:@SECLEVEL=0" work? Let's first
> > sort that out.
>
> It does not. The same Fatal Alert.

Presumably it'll work for you if you connect to:

    [dnssec-stats.ant.isi.edu]:25

The relevant software versions are:

    $ rpm -q postfix openssl
    postfix-3.6.4-1.fc36.x86_64
    openssl-3.0.5-1.fc36.x86_64

And indeed Postfix is linked against OpenSSL 3.x:

    $ ldd /usr/libexec/postfix/smtpd
    ...
    libssl.so.3 => /lib64/libssl.so.3 (0x00007fdc3588f000)
    libcrypto.so.3 => /lib64/libcrypto.so.3 (0x00007fdc35467000)
    ...

So the barrier is some interaction between Exim and OpenSSL that makes
TLS 1.0 and 1.1 unavailable. Clients that don't support TLS 1.2 are of
course increasingly rare, but pockets of holdouts still linger on...

--
Viktor.