On Fri, Sep 30, 2022 at 11:23:47AM -0400, Viktor Dukhovni via Exim-users wrote:
> I just reproduced the problem with a fresh build of 3.0.6-dev from
> github (built on FreeBSD 12.3):
>
>     $ LD_LIBRARY_PATH=/var/tmp/openssl/lib /var/tmp/openssl/bin/openssl s_client -starttls smtp -tls1_1 -quiet -connect localhost:25
>     Can't use SSL_get_servername
>     depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
>     verify error:num=20:unable to get local issuer certificate
>     verify return:1
>     depth=1 C = US, O = Let's Encrypt, CN = R3
>     verify return:1
>     depth=0 CN = <...>
>     verify return:1
>     00C0C60008000000:error:0A0C0103:SSL routines:tls_process_key_exchange:internal error:ssl/statem/statem_clnt.c:2254:
>
> I'll try to find some time to file a bug. Feel free to beat me to it.

Actually, this is expected behaviour:

    https://github.com/openssl/openssl/issues/15335#issuecomment-843843617

To get SHA1 ciphers to work, one needs to set the security level to 0.

    $ openssl s_client -quiet -starttls smtp -tls1_1 -cipher "ALL:@SECLEVEL=0" -connect $(uname -n):25
    depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
    verify return:1
    depth=1 C = US, O = Let's Encrypt, CN = R3
    verify return:1
    depth=0 CN = <...>
    verify return:1
    250 CHUNKING
    quit
    221 2.0.0 Bye

Jeremy, if you retry with "@SECLEVEL=0", you should see OpenSSL work as
expected.

--
    Viktor.

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/