[exim-dev] [Bug 2872] Unable to select ONLY TLSv1.3 CHACHA2…

Top Pagina
Delete this message
Reply to this message
Auteur: admin
Datum:  
Aan: exim-dev
Oude Onderwerpen: [exim-dev] [Bug 2872] New: Unable to select ONLY TLSv1.3 CHACHA20-POLY1305 cipher
Onderwerp: [exim-dev] [Bug 2872] Unable to select ONLY TLSv1.3 CHACHA20-POLY1305 cipher
https://bugs.exim.org/show_bug.cgi?id=2872

--- Comment #10 from Jeremy Harris <jgh146exb@???> ---
(In reply to help from comment #8)
> > This is less than useful, it means a server cannot restrict the 1.3 ciphers
> > it offers yet still offer both 1.3 and 1.2 service with a single
> > configuration.
>
> With a single configuration? Yes.


With a single configuration, no. It doesn't work (in a reasonable way).


> Once a TLS 1.3 session is negotiated, there is no possibility for it to
> become a TLS 1.2 session anymore. For good reasons! (Security)


Misconception. A 1.3 connection is not negotiated, with the attempted
matching of 1.3 configurations, even though there is a matching 1.2
cipher available. No TLS connection is successfully made.
The server refuses the TLS connection.

Result, for SMTP: either a) (when one end insists on TLS or nothing)
no SMTP communication OR b) SMTP standard downgrade to in-clear
communications.

It's not a good situation. And making the facility in Exim config to restrict
the 1.3 ciphersuites makes the occurrence of the problem combination more
likely -
because administrators of systems will make different choices -
which will mean more support queries, and perception of Exim being unreliable.

For what it's worth, OpenSSL and GnuTLS do the same here.

--
You are receiving this mail because:
You are on the CC list for the bug.