Re: [exim] if you use openssl v3+ with exim

Author: Viktor Dukhovni
Date:  
To: exim-users
Subject: Re: [exim] if you use openssl v3+ with exim
On Fri, Dec 09, 2022 at 07:55:42PM +0100, Cyborg via Exim-users wrote:

> Guys, it was just a FYI without the FYI mark. I will add it next time :)


Yeah, that could have been helpful.

> There is nothing exim can do or should do. It's 100% caused by
> outdated legacy servers, ignoring the year 2009 CVE.
>
> The issue is reproducible with openssl s_client directly:
>
> openssl s_client -connect 82.218.176.66:25 -starttls smtp


Indeed, and also with Postfix (built against OpenSSL 3.0):

    $ posttls-finger -c -Lsummary -lmay  "[82.218.176.66]"
    posttls-finger: SSL_connect error to 82.218.176.66[82.218.176.66]:25: -1
    posttls-finger: warning: TLS library problem: error:0A000152:SSL routines::unsafe legacy renegotiation disabled:ssl/statem/extensions.c:879:


With OpenSSL 1.1.1:

    $ posttls-finger -c -Lsummary -lmay  "[82.218.176.66]"
    posttls-finger: Anonymous TLS connection established to 82.218.176.66[82.218.176.66]:25: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
    posttls-finger: Server is anonymous


Interestingly, that server supports anon-DH ciphers, which is not that
common. Postfix is one of the few MTAs that enables ADH/AECDHE opportunistic
TLS, and indeed the server in question appears to be a very old Postfix
build:

    220 circuit.inbus.at ESMTP Postfix


-- 
    Viktor.
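As an added example (not from this thread, nor Exim's or Postfix's code), the check the s_client and posttls-finger runs above perform, in Python: a parser for OpenSSL 3 `error:` strings as they appear in MTA logs, and a STARTTLS probe that classifies a handshake refused for lack of RFC 5746 renegotiation support. The host is supplied by the caller; the opt-in `allow_legacy` flag, the Python 3.12 constant name and the 0x4 fallback value are assumptions noted in the comments.

```python
import re
import smtplib
import ssl

# OpenSSL 3 error-string layout, as printed by s_client / posttls-finger:
#   error:<8 hex>:<library>:<function>:<reason text>:<file>:<line>:
OPENSSL_ERR_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):"
    r"(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):"
)
ERR_LIB_SSL = 20                                  # library id, bits 23..30 of the code
SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED = 338  # reason id, bits 0..22 of the code

def parse_openssl_error(text: str):
    """Split an OpenSSL 3 error string into its fields; None if none is found."""
    m = OPENSSL_ERR_RE.search(text)
    if not m:
        return None
    f = m.groupdict()
    code = int(f["code"], 16)
    f["code"], f["line"] = code, int(f["line"])
    f["lib_code"] = (code >> 23) & 0xFF
    f["reason_code"] = code & 0x7FFFFF
    return f

def is_legacy_renegotiation_failure(text: str) -> bool:
    """True when a logged OpenSSL error is the RFC 5746 refusal seen above."""
    f = parse_openssl_error(text)
    return (f is not None and f["lib_code"] == ERR_LIB_SSL
            and f["reason_code"] == SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED)

def probe_starttls(host: str, port: int = 25, allow_legacy: bool = False) -> str:
    """Try STARTTLS; return 'ok <version>', 'legacy-renegotiation-disabled' or 'error: ...'."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False   # opportunistic TLS, like -lmay: no identity check
    ctx.verify_mode = ssl.CERT_NONE
    if allow_legacy:
        # SSL_OP_LEGACY_SERVER_CONNECT (0x4) re-admits peers without RFC 5746;
        # assumption: ssl.OP_LEGACY_SERVER_CONNECT exists from Python 3.12, else use 0x4
        ctx.options |= getattr(ssl, "OP_LEGACY_SERVER_CONNECT", 0x4)
    try:
        with smtplib.SMTP(host, port, timeout=10) as smtp:
            smtp.starttls(context=ctx)
            return "ok " + smtp.sock.version()
    except ssl.SSLError as e:
        # Python carries the OpenSSL reason symbolically, not as an error: string
        if e.reason == "UNSAFE_LEGACY_RENEGOTIATION_DISABLED":
            return "legacy-renegotiation-disabled"
        return f"error: {e}"
    except (OSError, smtplib.SMTPException) as e:
        return f"error: {e}"
```

Running `probe_starttls(host)` once with and once with `allow_legacy=True` separates a server that merely lacks RFC 5746 from one that fails TLS for other reasons.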