[exim] Re: Follow-Up: Debug TLS/DANE problems it is GnuTLS!

Góra strony
Delete this message
Reply to this message
Autor: Viktor Dukhovni via Exim-users
Data:  
Dla: exim-users
Temat: [exim] Re: Follow-Up: Debug TLS/DANE problems it is GnuTLS!
On Sat, Jul 06, 2024 at 09:44:58PM +0100, Jeremy Harris via Exim-users wrote:

> Actually, you don't know whether the option was forced. Only the result on the
> connection - which you have not described how you evaluated.


A "tshark" analysis of the connection should be able to reveal all,
since at least the TLS Client Hello is unencrypted even in TLS 1.3, and
this is there the SNI extension appears (ECH aside, which is still
rather bleeding edge, and not currently supported by any MTAs AFAIK).

Adjust the "tshark" recipe from:

    https://www.spinics.net/lists/openssl-users/msg05623.html


to use port 25 rather than 16370.

> One possibility (but I find it most unlikely) is that the OpenSSL library you
> are using was built without "TLS extensions" support. See the comment in that docs chapter,
> which give a way to check on that.


This is exceedingly unlikely, OpenSSL without extension support is IIRC
a feature of some ~0.9.x releases. It is no longer practical to use
TLS without extensions (SNI, EMS, Supported Groups, Session Tickets, ...).

I am very sceptical that any such thing is possible or used with OpenSSL
3.x. But, SNI is mostly a distraction in this thread. Any thoughts on
what's wrong with the GNU-TLS build vs. DANE?

-- 
    Viktor.


--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/