Hello, it's been a long time since I got a job and could no longer devote a lot of time to Exim, and all this time Exim has been doing its thing without needing much attention.
However, I upgraded my RSA key from a 1024-bit one to 2048 bits the other day because cacert.org requires at least that strong a key. Also, the certificate is signed by an intermediate certificate that had to be included in the tls_certificate file. Now TLS 1.2 doesn't work. mainlog says "Could not negotiate a supported cipher suite" and openssl s_client says (after sending the client handshake):

> read from 0xfbbf40 [0xfc1f70] (7 bytes => 0 (0x0))
> 140599792219816:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
> failure:s23_lib.c:177:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 248 bytes and written 352 bytes

Disabling TLS 1.2 with e.g.

tls_require_ciphers = NORMAL:-VERS-TLS1.2

makes the handshake succeed. This is on Debian stable with Exim 4.80 and libgnutls 2.12.20. Anyone seen this before?

You can connect to fw.kibibyte.se:25 and do STARTTLS if you want to see the certificates. The above workaround is currently in effect, however.

--
Magnus Holmgren [email protected]
(No Cc of list mail needed, thanks)

"Exim is better at being younger, whereas sendmail is better for Scrabble (50 point bonus for clearing your rack)" -- Dave Evans
-- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
