On Fri, Jun 06, 2025 at 12:46:18PM +0200, Cyborg via Exim-users wrote:

> > > I'm pretty sure, you are right about the RSA Kx limitation, but s_client
> > > should enforce that too???
> > You're still muddled.
> >
>
> No, not any longer \o/ : Found it.

No, you're still confused.

> In my case, sending mails out was using 'HIGH' as cipherlist, but even
> 'DEFAULT' would not allow the connection. So s_client just allows all
> ciphers for testing, which makes sense for a test tool.

You have to be more specific, Fedora's `s_client` is *more* restrictive than
OpenSSL upstream without the crypto-policy patches. Fedora's TLS library
disables RSA key exchange, and negotiates DHE, but the server's DH group is
too weak and the connection fails. Exim, linked with the same library,
likewise fails to complete the handshake.

OpenSSL upstream `s_client` is more permissive, allows RSA key exchange,
preferred by the server, and completes the handshake with the cipher that was
the subject of protocol version confusion upthread.

--
    Viktor.
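
The following is an added example, not part of the message above and not code from Exim or OpenSSL: it reads saved `s_client` output and reports whether a client with a given policy would accept the handshake it shows, covering the RSA key exchange and weak DH group cases described in the message. The function names, the 2048-bit default for `min_dh_bits` and the transcripts are assumptions constructed for illustration.

```python
import re

# Constructed s_client excerpts (not captured from the server in this thread).
RSA_KX = "---\nNew, TLSv1.2, Cipher is AES256-SHA\nServer public key is 2048 bit\n"
DHE_1024 = ("Server Temp Key: DH, 1024 bits\n---\n"
            "New, TLSv1.2, Cipher is DHE-RSA-AES256-SHA\n")
FAILED = "---\nNew, (NONE), Cipher is (NONE)\n"


def key_exchange(cipher):
    """Classify an OpenSSL cipher-suite name by key exchange (name heuristic)."""
    if cipher.startswith("TLS_"):
        return "TLS1.3"   # TLS 1.3 suites never use static RSA key exchange
    if cipher.startswith("ECDHE-"):
        return "ECDHE"
    if cipher.startswith("DHE-"):
        return "DHE"
    if cipher.startswith(("PSK-", "SRP-", "ADH-", "AECDH-")):
        return "OTHER"
    return "RSA"          # no key-exchange prefix: static RSA key exchange


def assess(transcript, allow_rsa_kx=False, min_dh_bits=2048):
    """Return (accepted, reason) for the handshake shown in the transcript.

    allow_rsa_kx=False models a policy that disables RSA key exchange;
    min_dh_bits is an assumed policy floor for the server's DH group.
    """
    m = re.search(r"^New, (\S+), Cipher is (\S+)", transcript, re.M)
    if not m or m.group(2) == "(NONE)":
        return (False, "no handshake completed")
    kx = key_exchange(m.group(2))
    if kx == "RSA" and not allow_rsa_kx:
        return (False, "RSA key exchange disabled by policy")
    if kx == "DHE":
        # s_client prints the server's ephemeral key size on this line.
        t = re.search(r"^Server Temp Key: DH, (\d+) bits", transcript, re.M)
        if t and int(t.group(1)) < min_dh_bits:
            return (False, f"DH group too weak: {t.group(1)} < {min_dh_bits} bits")
    return (True, f"{kx} key exchange acceptable")


if __name__ == "__main__":
    for name, text in [("RSA_KX", RSA_KX), ("DHE_1024", DHE_1024), ("FAILED", FAILED)]:
        print(name, "permissive:", assess(text, allow_rsa_kx=True, min_dh_bits=1024))
        print(name, "restrictive:", assess(text))
```
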