On 2020-07-28 02:56, Harald Dunkel wrote:
Hi folks,
there seems to be a compatibility issue between opensmtpd on
OpenBSD 6.7 and exim4 on Debian's bugtracker, see
https://lists.debian.org/debian-user/2020/07/msg01091.html
Most recent syspatches are applied, of course. I cannot reproduce
this problem with opensmtpd 6.7.1-p1 on Debian.
How can I tell opensmtpd on OpenBSD to ignore TLS1.3 and to use
TLS1.2 only, just for test purposes? TLS1.3 in libressl appears
to be brand new. Maybe it's buggy.
Every helpful hint is highly appreciated.
Harri

Looking at smtpd.conf(5), you should be able to put `smtp ciphers
control` (control being the control string of allowed ciphers). The
default is "HIGH:!aNULL:!MD5". I think "HIGH:!aNULL:!MD5!TLSv1.3" should
be valid in removing TLSv1.3 as far as I can tell according to
SSL_CTX_set_cipher_list(3). I haven't actually tested this however, but
this might be a useful starting point.