On 03/10/2022 18:08, Jeremy Harris via Exim-users wrote:
> Could the min/max protocol stuff mentioned in https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html be affecting it? Exim has no SSL_CONF_* calls currently; probably never has in its history.
Bingo.  The value given by SSL_CTX_get_max_proto_version() is TLS1_2_VERSION.
If I slam a SSL_CTX_set_max_proto_version() call for SSL_v3 in right before
twiddling the option bits, all is good.

I conclude:

- the limit value is kept separate from the bitfield setting the same
  essential information, in the library
- this is a poor choice
- any application written before those limit value APIs were introduced and
  which did its own bit-setting (as documented) configuration for TLS versions,
  will be broken in the same way.  Back-compatibility?  What does that mean?
- the *lack* of documentation that the limit value overrides the bitfield,
  having made the choice to keep them separate is... words fail me.

-- 
Cheers,
  Jeremy

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/