On 2022-09-24, Andreas Metzler via Exim-users <exim-users@exim.org> wrote:
> On 2022-09-23 Jasen Betts via Exim-users <exim-users@exim.org> wrote:
>> Upgrading from 4.94 to 4.96 seems to have dramatically reduced the TLS
>> connectivity (as a server).
>
>> I'm using libgnutls3.7.1 on Debian 11 and the Exim package from backports.
>
>> Customers are complaining about TLS not working.
>
>> My testing mainly involves telling Exim to listen on port 443 with
>> implicit SSL and then hitting it with www.sslcheck.com

I have since discovered the script testssl.sh, which gives the same results, faster.

>> and this testing also shows a change in the available suites.
>
>> It mainly seems to be ECDH suites that are no longer available.
>
> Hello,
>
> I suspect you have only installed an EC/ECDSA certificate; you will also
> need an RSA certificate for maximum compatibility.

On my test server I'm using an RSA certificate from letsencrypt. It doesn't seem to make any difference.

I can align the list of cipher suites on both versions by disabling DHE-RSA on the new server, but that didn't help.

According to testssl.sh, the only protocol difference seems to be that the new version isn't offering TLS extension "max fragment length/#1". I can't find a way to enable this to test if it makes any difference.

--
Jasen.

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/