Re: how to ignore TLS1.3 for test purposes?

2020-07-28 Thread Harald Dunkel

On 2020-07-29 04:12, Larkin Nickle wrote:

> Looking at smtpd.conf(5), you should be able to put `smtp ciphers control`
> (control being the control string of allowed ciphers). The default is
> "HIGH:!aNULL:!MD5". I think "HIGH:!aNULL:!MD5!TLSv1.3" should be valid in
> removing TLSv1.3 as far as I can tell according to SSL_CTX_set_cipher_list(3).
> I haven't actually tested this however, but this might be a useful starting
> point.



That helped a lot. Using TLS 1.2 I was able to actually see something
in the tcpdump (see attachment).

Apparently my MTA sends a Client Hello (TLS 1.2 protocol) to the
peer, including a list of ciphers and several extensions. The peer
(buxtehude.debian.org) answers with "Handshake failure", but it
doesn't tell what exactly is wrong. See attachment.

Any ideas? I am sure you guys are more proficient in reading TLS
protocol than I am.


Harri


[Attachment: buxtehude.debian.org.pcap (application/vnd.tcpdump.pcap)]
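To make a capture like the one described above easier to read, here is an added example (not from the thread or its attachment) that decodes the TLS record layer: it pulls the client version, the cipher suites and the versions offered in the supported_versions extension (where a TLS 1.3 offer shows up) out of a ClientHello, and names the alert description in the peer's reply, which is all a "Handshake failure" alert carries. The sample bytes are constructed, not taken from the pcap.

```python
import struct

ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message", 40: "handshake_failure",
                      70: "protocol_version", 71: "insufficient_security"}  # RFC 5246

def parse_client_hello(body):
    """Return (client_version, cipher_suites, extension_types, offered_versions)."""
    ver = struct.unpack(">H", body[:2])[0]
    pos = 2 + 32                                   # skip the 32-byte random
    sid_len = body[pos]; pos += 1 + sid_len        # session_id
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack(">H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = body[pos]; pos += 1 + comp_len      # compression methods
    ext_types, offered = [], []
    if pos < len(body):                            # extensions block is optional
        ext_len = struct.unpack(">H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4]); pos += 4
            edata = body[pos:pos + elen]; pos += elen
            ext_types.append(etype)
            if etype == 43:                        # supported_versions (RFC 8446)
                offered = [struct.unpack(">H", edata[i:i + 2])[0]
                           for i in range(1, 1 + edata[0], 2)]
    return ver, suites, ext_types, offered

def parse_records(data):
    """Walk the TLS record layer and describe ClientHello and Alert records."""
    out, pos = [], 0
    while pos + 5 <= len(data):
        ctype, _rec_ver, length = struct.unpack(">BHH", data[pos:pos + 5]); pos += 5
        payload = data[pos:pos + length]; pos += length
        if ctype == 22 and payload[0] == 1:        # Handshake record carrying a ClientHello
            hs_len = int.from_bytes(payload[1:4], "big")
            out.append(("ClientHello",) + parse_client_hello(payload[4:4 + hs_len]))
        elif ctype == 21:                          # Alert record: level byte, description byte
            level = "fatal" if payload[0] == 2 else "warning"
            out.append(("Alert", level, ALERT_DESCRIPTIONS.get(payload[1], "unknown(%d)" % payload[1])))
    return out

def sample_exchange():
    """Constructed bytes (not the attached pcap): TLS 1.2-only ClientHello, then a fatal alert."""
    ext = b"\x00\x2b\x00\x03\x02\x03\x03"          # supported_versions = [TLS 1.2 only]
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00" + b"\x00\x04\xc0\x2f\xc0\x30"
            + b"\x01\x00" + struct.pack(">H", len(ext)) + ext)
    hello = b"\x01" + len(body).to_bytes(3, "big") + body
    client = b"\x16\x03\x01" + struct.pack(">H", len(hello)) + hello
    alert = b"\x15\x03\x03\x00\x02\x02\x28"        # fatal(2), handshake_failure(40)
    return client + alert
```

Feed it the raw TCP payload of a real capture (after stripping the SMTP STARTTLS dialogue) and the ClientHello tuple shows what your MTA actually offered; a bare handshake_failure means the peer found nothing acceptable among those suites and versions, nothing more specific.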


Re: how to ignore TLS1.3 for test purposes?

2020-07-28 Thread Larkin Nickle

On 2020-07-28 02:56, Harald Dunkel wrote:

> Hi folks,
>
> there seems to be a compatibility issue between opensmtpd on
> OpenBSD 6.7 and exim4 on Debian's bugtracker, see
>
> https://lists.debian.org/debian-user/2020/07/msg01091.html
>
> Most recent syspatches are applied, of course. I cannot reproduce
> this problem with opensmtpd 6.7.1-p1 on Debian.
>
> How can I tell opensmtpd on OpenBSD to ignore TLS1.3 and to use
> TLS1.2 only, just for test purposes? TLS1.3 in libressl appears
> to be brand new. Maybe it's buggy.
>
> Every helpful hint is highly appreciated
> Harri



Looking at smtpd.conf(5), you should be able to put `smtp ciphers control`
(control being the control string of allowed ciphers). The default is
"HIGH:!aNULL:!MD5". I think "HIGH:!aNULL:!MD5!TLSv1.3" should be valid in
removing TLSv1.3 as far as I can tell according to SSL_CTX_set_cipher_list(3).
I haven't actually tested this however, but this might be a useful starting
point.




how to ignore TLS1.3 for test purposes?

2020-07-28 Thread Harald Dunkel

Hi folks,

there seems to be a compatibility issue between opensmtpd on
OpenBSD 6.7 and exim4 on Debian's bugtracker, see

https://lists.debian.org/debian-user/2020/07/msg01091.html

Most recent syspatches are applied, of course. I cannot reproduce
this problem with opensmtpd 6.7.1-p1 on Debian.

How can I tell opensmtpd on OpenBSD to ignore TLS1.3 and to use
TLS1.2 only, just for test purposes? TLS1.3 in libressl appears
to be brand new. Maybe it's buggy.


Every helpful hint is highly appreciated
Harri