On 30/09/2022 19:17, Viktor Dukhovni via Exim-users wrote:
>> openssl_options = -no_sslv3 -no_tlsv1_1 -no_tlsv1 doesn't change the result.
>
> That sets a floor, rather than clearing it. You're explicitly turning off
> SSL 3.0, TLS 1.0 and TLS 1.1.
No.  This is the exim option not an s_client option; +no_sslv3 would be
setting that bit (and thereby disallowing sslv3).  -no_sslv3 clears the bit.
Here's the processing going on:

19:51:24 64677 openssl option, removing from 42004000: 02000000 (no_sslv3 -no_tlsv1_1 -no_tlsv1)
19:51:24 64677 openssl option, removing from 40004000: 10000000 (no_tlsv1_1 -no_tlsv1)
19:51:24 64677 openssl option, removing from 40004000: 04000000 (no_tlsv1)

The result from that is fed to SSL_CTX_set_options().
> Do you have a test server reachable from the Internet that's running the
> version of Exim in question over OpenSSL?
Unfortunately no; this is my devel laptop.
> Does its cipherlist end with ":@SECLEVEL=0" (or does it explicitly set the
> security level via the OpenSSL API).
The latter.  I can add calls to read out bits of setup just before SSL_accept,
if you can suggest one.

If it matters: I'm using the OP's very minimal Client Hello, not s_client.

-- 
Cheers,
  Jeremy

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
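The bit arithmetic described in the thread (a "+name" token in Exim's openssl_options sets the corresponding SSL_OP_* bit, a "-name" token clears it, and the final mask goes to SSL_CTX_set_options()) is easy to get backwards, which is the configuration pitfall being debugged above. The following model is an added example, not Exim's or OpenSSL's own code: it replays the three debug lines quoted in the message from the same starting mask (42004000) and reports which protocol versions the resulting mask actually disables. The bit values for no_sslv3, no_tlsv1 and no_tlsv1_1 are the ones visible in the debug output; the no_tlsv1_2 and no_tlsv1_3 values are assumed from OpenSSL 1.1.x headers and are not on the page. Treating an unsigned token as an error is a simplification of this model.

```python
"""Model of how an Exim-style openssl_options string becomes the bit mask
handed to SSL_CTX_set_options(): '+name' sets a bit, '-name' clears it.
Constructed example, not Exim's own code."""

# SSL_OP_NO_* bit values.  no_sslv3, no_tlsv1 and no_tlsv1_1 match the hex
# values shown in the debug output above; no_tlsv1_2 and no_tlsv1_3 are
# assumed from OpenSSL 1.1.x headers (not on the page).  Ordered by protocol
# version so that reports come out in a readable order.
OPTION_BITS = {
    "no_sslv3":   0x02000000,
    "no_tlsv1":   0x04000000,
    "no_tlsv1_1": 0x10000000,
    "no_tlsv1_2": 0x08000000,   # assumed
    "no_tlsv1_3": 0x20000000,   # assumed
}

PROTOCOL_OF = {
    "no_sslv3": "SSLv3",
    "no_tlsv1": "TLSv1",
    "no_tlsv1_1": "TLSv1.1",
    "no_tlsv1_2": "TLSv1.2",
    "no_tlsv1_3": "TLSv1.3",
}


def apply_openssl_options(options: str, initial: int = 0):
    """Apply a space-separated '+name'/'-name' option string to `initial`.

    Returns (final_mask, trace) where `trace` lists one line per token in
    the same shape as Exim's debug output ("removing from <mask>: <bit>")
    minus the timestamp and pid.
    """
    mask = initial
    trace = []
    for token in options.split():
        if not token or token[0] not in "+-":
            # Simplification of this model: require an explicit sign.
            raise ValueError(f"option token needs a +/- prefix: {token!r}")
        name = token[1:].lower()
        bit = OPTION_BITS.get(name)
        if bit is None:
            raise ValueError(f"unknown OpenSSL option: {name!r}")
        if token[0] == "+":
            trace.append(f"openssl option, adding to {mask:08x}: {bit:08x}")
            mask |= bit
        else:
            trace.append(f"openssl option, removing from {mask:08x}: {bit:08x}")
            mask &= ~bit
    return mask, trace


def disabled_protocols(mask: int):
    """Protocol versions whose SSL_OP_NO_* bit is set in `mask`."""
    return [PROTOCOL_OF[name] for name, bit in OPTION_BITS.items() if mask & bit]


if __name__ == "__main__":
    # Replay the configuration from the thread from the same starting mask.
    start = 0x42004000
    for options in ("-no_sslv3 -no_tlsv1_1 -no_tlsv1",
                    "+no_sslv3 +no_tlsv1 +no_tlsv1_1"):
        mask, trace = apply_openssl_options(options, start)
        print(f"openssl_options = {options}")
        for line in trace:
            print("  " + line)
        print(f"  final mask {mask:08x}, disables: "
              f"{disabled_protocols(mask) or 'nothing'}")
```

Running it shows the point made in the message: from 42004000 the "-" form clears the SSLv3 bit and leaves TLS 1.0 and 1.1 untouched (those bits were never set), so the final mask 40004000 disables no protocol version at all; the "+" form is what yields a mask that actually forbids SSLv3, TLSv1 and TLSv1.1.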
