We were alarmed by the DROWN attack on Tuesday and started running http://testssl.sh to find forgotten servers still running SSLv2 (or SSLv3). There were not many left ...
But I also ran testssl.sh against exim servers offering TLS, and got an alarm on Secure Client-Initiated Renegotiation, telling me not only "VULNERABLE (NOT ok)" but also "DoS threat"!

We are running on RHEL6 servers with openssl from their repos; exim is home-compiled and tested with versions 4.84 and 4.86. I have also tested exim linked with a clean build of openssl-1.0.1s. I have played with openssl_options and the parameters allow_unsafe_legacy_renegotiation, no_session_resumption_on_renegotiation and legacy_server_connect, but am still getting the alarm from testssl.

The test is run something like this on exim started with -tls-on-connect:

    echo R | openssl s_client -connect exim:465

exim seems to accept the RENEGOTIATING, while a standard Apache httpd is closing the connection with "ssl handshake failure" after, i.e.

    echo R | openssl s_client -connect httpd:443

Is there any way to turn this "feature" off?

hmk

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
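The manual probe from the post above, wrapped as a small audit script so the result can be checked across many servers (added example, not from the original post or from the exim project; it assumes an openssl(1) whose s_client prints the "RENEGOTIATING" marker when sent "R", and classifies the server's reaction by the error text s_client prints, e.g. "handshake failure" or "write:errno").

```shell
#!/bin/sh
# Added audit helper, not code from the original post. Assumes openssl s_client
# understands the "R" command and prints RENEGOTIATING when it re-handshakes.

# classify_renegotiation: read s_client output on stdin, print one word:
#   accepted - server completed the client-initiated renegotiation
#              (what testssl.sh flags as VULNERABLE / DoS threat)
#   refused  - server closed the connection, as the Apache httpd in the post did
#   unknown  - no renegotiation attempt visible (e.g. connection refused)
classify_renegotiation() {
  out=$(cat)
  case "$out" in
    *RENEGOTIATING*)
      case "$out" in
        *"handshake failure"*|*"write:errno"*|*:error:*) echo refused ;;
        *) echo accepted ;;
      esac ;;
    *) echo unknown ;;
  esac
}

# probe_renegotiation HOST PORT: the command from the post, with stderr merged
# because s_client reports RENEGOTIATING and its errors there.
probe_renegotiation() {
  echo R | openssl s_client -connect "$1:$2" 2>&1 | classify_renegotiation
}

# Usage: ./check-reneg.sh exim 465   (tls-on-connect port, as in the post)
# Exit status 1 marks a finding so the script can drive a loop over hosts.
if [ "$#" -eq 2 ]; then
  result=$(probe_renegotiation "$1" "$2")
  echo "$1:$2 client-initiated renegotiation: $result"
  if [ "$result" = accepted ]; then exit 1; fi
fi
```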
