On 2022-09-24, Viktor Dukhovni via Exim-users <[email protected]> wrote:
> On Fri, Sep 23, 2022 at 05:50:29AM -0000, Jasen Betts via Exim-users wrote:
>
>> My testing mainly involves telling exim to listen on port 443 with
>> implicit SSL and then hitting it with www.sslcheck.com
>>
>> tls_on_connect_ports = 465:443
>> daemon_smtp_ports = 25:465:587:443
>>
>> and this testing also shows a change in the available suites.
>>
>> It mainly seems to be ECDH suites that are no longer available.
>
> There's a big difference between "ECDH" and "ECDHE", the "fixed" DH/ECDH
> ciphers are deprecated, rarely used, and should not be used. While DHE
> and ECDHE ciphers are preferred. If GnuTLS disabled these, no harm done.
>
> If you post the name of the server, it would be possible for others to
> confirm your observations and perhaps offer more detailed help.

The server is nothing special, basically a stock Debian 11 with exim
installed from Debian backports, and a certificate from letsencrypt.

I'm working towards minimum steps to reproduce by eliminating as many
other factors as possible.

I'm using a free dynamic domain name to protect the guilty.

It's reachable here: eximtest.duckdns.org

e.g.:

  $ testssl eximtest.duckdns.org:465

Once I find a good configuration I will deploy it on production servers.

--
 Jasen.

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
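
Added example, not part of the original thread: one way to check whether the suites that disappeared between two scans are the "fixed" DH/ECDH kind or the ephemeral DHE/ECDHE kind discussed above. The function names `classify_kx` and `lost_suites` are hypothetical, and the two suite lists are constructed sample data, not results from the server in this thread.

```python
import re

# TLS 1.3 suite names carry no key-exchange token; TLS 1.3 key exchange
# is always ephemeral (EC)DHE.
_TLS13 = re.compile(r"TLS_(AES|CHACHA20)_\w+")


def classify_kx(suite: str) -> str:
    """Classify a suite name (IANA or OpenSSL style) by key exchange."""
    name = suite.upper().replace("-", "_")
    if _TLS13.fullmatch(name):
        return "ephemeral"
    if name.startswith("TLS_"):
        name = name[4:]
    tokens = name.split("_")
    # Anonymous suites: IANA "DH_anon"/"ECDH_anon", OpenSSL "ADH"/"AECDH".
    if tokens[0] in ("ADH", "AECDH") or tokens[1:2] == ["ANON"]:
        return "anonymous"
    if tokens[0] in ("ECDHE", "DHE", "EDH"):
        return "ephemeral"   # forward secrecy
    if tokens[0] in ("ECDH", "DH"):
        return "fixed"       # static key in the certificate
    return "other"           # e.g. RSA key transport, PSK


def lost_suites(before, after):
    """Group suites present in `before` but missing from `after` by class."""
    report = {}
    for suite in sorted(set(before) - set(after)):
        report.setdefault(classify_kx(suite), []).append(suite)
    return report


# Constructed sample data: suite lists from two hypothetical scans.
BEFORE = [
    "TLS_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
]
AFTER = BEFORE[:3]

if __name__ == "__main__":
    for kind, suites in lost_suites(BEFORE, AFTER).items():
        print(kind, *suites, sep="\n  ")
```

If everything reported falls under `fixed`, the change only removed suites without forward secrecy; anything under `ephemeral` is worth investigating.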
