On 07/06/2019 17:16, Marc MERLIN via Exim-users wrote: > Is my cipher list unsuitable? cipher: TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256
That's not a cipher list, it is the cipher that you negociated. > 14:32:03 5341 gnutls_handshake was successful > 14:32:03 5341 TLS certificate verification failed (certificate invalid): > peerdn="C=US,ST=California,L=Mountain View,O=Google LLC,CN=mx.google.com" > 14:32:03 5341 TLS verify failure overridden (host in tls_try_verify_hosts) > 14:32:03 5341 cipher: TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256 > 14:32:03 5341 Have channel bindings cached for possible auth usage. > 14:32:03 5341 SMTP>> EHLO mail1.merlins.org > 14:32:03 5341 tls_do_write(0xbfd5f57c, 24) > 14:32:03 5341 gnutls_record_send(SSL, 0xbfd5f57c, 24) > 14:32:03 5341 outbytes=24 > 14:32:03 5341 Calling gnutls_record_recv(0xb830fa40, 0xbfd5e57c, 4096) > 14:32:03 5341 LOG: MAIN > 14:32:03 5341 H=alt4.gmail-smtp-in.l.google.com [74.125.141.26] TLS error > on connection (recv): Resource temporarily unavailable, try again. With TLS1.3 certain TLS startup error types only become visible on the first read after the handshake call. I think you've hit one. The handling of these has been made a bit better post- 4.92 (see eg. c15523829b). Is there any chance of you compiling a bleeding-edge version? Alternatively, disable TLS1.3 - the tls_require_ciphers options for the smtp transport is expanded, so you could make this google-specific. -- Cheers, Jeremy -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
