[exim] no SNI used, when sending TLS secured messages out

Pàgina inicial
Delete this message
Reply to this message
Autor: Wolfgang Kraft
Data:  
A: exim-users
Assumpte: [exim] no SNI used, when sending TLS secured messages out
Hello,

I just use another subject for the SNI issue, as this seems to be completly independent from the
DANE-Problem with GNU-TLS.

On 2024-07-07 03:10, Viktor Dukhovni via Exim-users wrote:
> On Sat, Jul 06, 2024 at 09:44:58PM +0100, Jeremy Harris via Exim-users wrote:
>
> > Actually, you don't know whether the option was forced. Only the result on the
> > connection - which you have not described how you evaluated.
>
> A "tshark" analysis of the connection should be able to reveal all,
> since at least the TLS Client Hello is unencrypted even in TLS 1.3, and
> this is there the SNI extension appears (ECH aside, which is still
> rather bleeding edge, and not currently supported by any MTAs AFAIK).
>

I did a tcpdump on my test environment, sending mails to a couple of domains, DANE secure, without
DANE, but enforcing STARTTLS and such, allowing STARTTLS.
I did this three times, using different compiled exims for the same configuration:
- the distribution original exim "Exim version 4.96"
- my own compiled exim with OpenSSL-GNU from debian "Exim version 4.97.1"
- my own compiled exim with self compiled "openssl-3.3.1" "Exim version 4.97.1"
all connections were established without using SNI, just a plain "Client Hello" in the dump!

I enclose my test configuration, which is almost the debian default.

Regards

Wolfgang
--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/