On Fri, Dec 27, 2019 at 07:53:30PM +0100, David Saez Padros via Exim-users wrote:
> a remote server which was able to send us mail using
> P=esmtps X=TLSv1:DHE-RSA-AES256-SHA:256 , after upgrading to Exim 4.93 +
> OpenSSL 1.1.1d is no longer able to send mail to us, logging this error:

What OS are you using? Some recent versions of Debian disable TLS 1.0
and 1.1 by default.

> (SSL_accept): error:14209102:SSL
> routines:tls_early_post_process_client_hello:unsupported protocol

It does look like TLS 1.0 ended up disabled. It would be helpful to have
a PCAP (tcpdump full packet capture) file recording the failed handshake.

> # openssl ciphers -v | awk '{print $2}' | sort | uniq
> SSLv3
> TLSv1
> TLSv1.2
> TLSv1.3

That's not a useful indication of which protocols are enabled. The
presence of ciphersuites introduced at a particular protocol version
does not imply that the protocol version is supported or enabled. Most
SSLv3 and TLS 1.0 ciphersuites are applicable also in TLS 1.2.

> openssl_options = +no_sslv2 +no_sslv3
>
> looking at the logs there is no smtps connection with TLS lower than
> 1.2, is this something due to Exim configuration ?

Either Exim, or OS defaults, possibly via the system-wide openssl.cnf file.

On Fri, Dec 27, 2019 at 08:17:39PM +0100, basti via Exim-users wrote:

> Hello,
> first of all some distribution use openssl and some use gnutls.
> check this with 'exim -bV'

In this case it is clear that OpenSSL was in use.

> > OpenSSL 1.1.1d is no longer able to send mail to us, logging this error:
> >
> > (SSL_accept): error:14209102:SSL
> > routines:tls_early_post_process_client_hello:unsupported protocol

This is an OpenSSL (not GnuTLS) error message.

--
    Viktor.
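Added example, not part of the original message and not code from Exim or OpenSSL: one way to check whether a system-wide openssl.cnf sets a protocol floor that excludes TLS 1.0, by following the `openssl_conf` -> `ssl_conf` -> `system_default` chain to its `MinProtocol` value. The sample config is constructed in the layout Debian ships, the function names are hypothetical, and `.include` directives and application-level overrides are assumed absent.

```python
import re

# Constructed sample in the layout Debian ships; not taken from the thread.
SAMPLE_CNF = """\
openssl_conf = default_conf

[req]
default_bits = 2048
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
"""

def parse_cnf(text):
    """Parse openssl.cnf text into {section: {key: value}}; '' is the unnamed top section."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        m = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections

def system_tls_defaults(text):
    """Follow openssl_conf -> ssl_conf -> system_default and return that section's settings."""
    sections = parse_cnf(text)
    name = sections[""].get("openssl_conf")
    for key in ("ssl_conf", "system_default"):
        name = sections.get(name, {}).get(key)  # a broken chain yields None, then {}
    return dict(sections.get(name, {}))

def allows_tls10(text):
    """True unless MinProtocol in the system defaults excludes TLSv1 (1.0)."""
    floor = system_tls_defaults(text).get("MinProtocol", "None")
    return floor in ("None", "SSLv3", "TLSv1")

if __name__ == "__main__":
    print(system_tls_defaults(SAMPLE_CNF), "TLS 1.0 allowed:", allows_tls10(SAMPLE_CNF))
```

To run it against a real host, pass the contents of the file in the directory reported by `openssl version -d` instead of `SAMPLE_CNF`.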