On 30/09/2022 21:33, Viktor Dukhovni via Exim-users wrote:
> On Fri, Sep 30, 2022 at 09:18:08PM +0100, Jeremy Harris via Exim-users wrote:
>
>> On 30/09/2022 20:28, Viktor Dukhovni via Exim-users wrote:
>>> Does "s_client -tls1_1 -cipher ALL:@SECLEVEL=0" work? Let's first
>>> sort that out.
>>
>> It does not. The same Fatal Alert.
>
> Presumably it'll work for you if you connect to:
>
> [dnssec-stats.ant.isi.edu]:25
It does.
> So the barrier is some interaction between Exim and OpenSSL that makes
> TLS 1.0 and 1.1 unavailable.
Yes, or the system my test server is running on forcing no TLSv1.1 support
(do/can they do that?)
Could the min/max protocol stuff mentioned in
https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html
be affecting it?
Exim has no SSL_CONF_* calls currently; probably never has in it's
history.
I'm not sure how to debug. Does OpenSSL offer detailed internal
debug the way that GnuTLS does?
--
Cheers,
Jeremy