Hello,
I am just using another subject for the SNI issue, as this seems to be independent of the
DANE problem with GnuTLS.
As it looks right now, this causes the DANE problem, as the test server gives a different cert
when no SNI is sent, and that cert reveals the problems with GnuTLS.
But now I have to figure out why my servers are not sending SNI in the "Client Hello".
> On Sat, Jul 06, 2024 at 09:44:58PM +0100, Jeremy Harris via Exim-users wrote:
>
> > Actually, you don't know whether the option was forced. Only the result on the
> > connection - which you have not described how you evaluated.
>
> A "tshark" analysis of the connection should be able to reveal all,
> since at least the TLS Client Hello is unencrypted even in TLS 1.3, and
> this is where the SNI extension appears (ECH aside, which is still
> rather bleeding edge, and not currently supported by any MTAs AFAIK).
>
I did a tcpdump in my test environment, sending mails to a couple of domains: DANE secure, without
DANE but enforcing STARTTLS, and ones allowing STARTTLS.
I did this three times, using differently compiled Exims for the same configuration:
- the distribution's original Exim, "Exim version 4.96"
- my own compiled Exim with OpenSSL-GNU from Debian, "Exim version 4.97.1"
- my own compiled Exim with a self-compiled "openssl-3.3.1", "Exim version 4.97.1"
All connections were established without using SNI; just a plain "Client Hello" in the dump!
Two servers with "Exim version 4.93" are also not sending SNI in TLS.
I enclose my test configuration, which is almost the Debian default.
Regards
Wolfgang