On 2014-02-12 at 22:24 +0000, Viktor Dukhovni wrote:
> On Wed, Feb 12, 2014 at 10:55:48PM +0100, Magnus Holmgren wrote:
> > Disabling TLS 1.2 with e.g. tls_require_ciphers = NORMAL:-VERS-TLS1.2 makes
> > the handshake succeed.
>
> There could perhaps be a different problem, maybe even a bug in
> GnuTLS TLS 1.2 support. Still SHA2-512 stands out like a sore
> thumb.

GnuTLS on Debian stable releases might be a little too old to support SHA2-512. Upgrade GnuTLS, rebuild Exim against the newer GnuTLS.

If that fixes the problem locally, then (1) you know what the cause is; (2) you now are developing a sinking feeling about your chances of getting all of the sites sending you mail to upgrade GnuTLS; (3) you will sooner or later just relent and go find a CA which is willing to issue certs which are reasonably likely to allow interoperation on the public Internet today, not 7 years from now.

-Phil
