On Wed, May 28, 2025 at 11:05:45PM +0300, Viktor Ustiuhov via Exim-users wrote:

> There has been a lot of discussion on this list about the risks of using
> legacy TLS protocol versions. But what about supporting new TLS
> features, such as hybrid post-quantum key exchange?
> 
> System-wide configuration of TLS groups (e.g., via openssl.cnf) is
> already possible, and that may be sufficient in many cases. However, as
> Viktor Dukhovni pointed out in mai...@mailop.org, there are
> interoperability issues with some MX hosts when hybrid TLS groups are used.
> 
> This makes it highly desirable to have per-transport TLS group control
> in Exim — specifically in the remote_smtp transport. For outgoing mail,
> this would allow selecting different sets of elliptic curves and
> post-quantum or hybrid TLS groups depending on the destination. In
> practice, this would involve using the SSL_set1_groups_list() function,
> which supports both classic curves (e.g., X25519, secp256r1) and newer
> hybrid/post-quantum groups (e.g., X25519MLKEM768, mlkem768, etc.).
> 
> For incoming mail, it may also be useful to support such groups. In this
> case, OpenSSL requires the use of SSL_CTX_set1_groups_list() (rather
> than SSL_CTX_set1_groups()) to specify TLS groups that do not have a
> numeric identifier (NID).

One approach that is likely to work around PQ-impedance is to set the
protocol version to TLSv1.2 (fixed or ceiling).  In that case, PQ
keyshares aren't sent and STARTTLS works with "boeing.com" (still
hangs with default TLS 1.3 connections under OpenSSL 3.5).

-- 
    Viktor.

-- 
## subscription configuration (requires account):
##   https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
##   exim-users-unsubscr...@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
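
The TLS 1.2 ceiling described in the reply above, applied per destination, as an added example that is not part of the original thread and is not Exim code. It uses Python's ssl module for the version ceiling only (no groups list is set); the suffix list and all function names are constructed for illustration.

```python
import smtplib
import ssl

# Constructed placeholder list: domain suffixes whose MX hosts are assumed to
# stall when a TLS 1.3 ClientHello carries hybrid post-quantum key shares.
TLS12_CEILING_SUFFIXES = ("pq-stall.example",)


def needs_tls12_ceiling(mx_host, suffixes=TLS12_CEILING_SUFFIXES):
    """True if mx_host equals a listed suffix or is a subdomain of one."""
    host = mx_host.rstrip(".").lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)


def client_context_for(mx_host, suffixes=TLS12_CEILING_SUFFIXES):
    """Build the outbound TLS context for one destination.

    Certificate verification is left at Python's defaults.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if needs_tls12_ceiling(mx_host, suffixes):
        # Ceiling at TLS 1.2: per the reply above, PQ key shares are then
        # not sent, so the peer never sees the oversized TLS 1.3 hello.
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def starttls_version(mx_host, port=25, timeout=15.0):
    """Connect, STARTTLS with the per-destination context, return e.g. 'TLSv1.3'.

    The timeout turns a stalled handshake into an exception instead of a hang.
    """
    with smtplib.SMTP(mx_host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        smtp.starttls(context=client_context_for(mx_host))
        return smtp.sock.version()
```

Only `starttls_version()` touches the network; a timeout from it against a host that completes the handshake once listed in `TLS12_CEILING_SUFFIXES` points at the interoperability problem discussed in this thread.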
