[exim-dev] [Bug 2872] Unable to select ONLY TLSv1.3 CHACHA2…

Author: admin
To: exim-dev
Old-Topics: [exim-dev] [Bug 2872] New: Unable to select ONLY TLSv1.3 CHACHA20-POLY1305 cipher
Subject: [exim-dev] [Bug 2872] Unable to select ONLY TLSv1.3 CHACHA20-POLY1305 cipher
https://bugs.exim.org/show_bug.cgi?id=2872

--- Comment #10 from Jeremy Harris <jgh146exb@???> ---
(In reply to help from comment #8)
> > This is less than useful, it means a server cannot restrict the 1.3 ciphers
> > it offers yet still offer both 1.3 and 1.2 service with a single
> > configuration.
>
> With a single configuration? Yes.
With a single configuration, no. It doesn't work (in a reasonable way).
> Once a TLS 1.3 session is negotiated, there is no possibility for it to
> become a TLS 1.2 session anymore. For good reasons! (Security)
Misconception. A 1.3 connection is not negotiated, with the attempted
matching of 1.3 configurations, even though there is a matching 1.2
cipher available. No TLS connection is successfully made.
The server refuses the TLS connection.

Result, for SMTP: either a) (when one end insists on TLS or nothing)
no SMTP communication OR b) SMTP standard downgrade to in-clear
communications.

It's not a good situation. And making the facility in Exim config to restrict
the 1.3 ciphersuites makes the occurrence of the problem combination more
likely - because administrators of systems will make different choices -
which will mean more support queries, and perception of Exim being unreliable.

For what it's worth, OpenSSL and GnuTLS do the same here.
