> You may want to use this tool on your mail server (so it picks up the
> same openssl version) to check what cyphers the mail server accepts:
> https://testssl.sh/
I'm not sure how this would help. The problem occurs with them trying to send mail to us. I know what ciphers we offer; what I don't know is what they don't like about our cipher list. Sure, I can use this script to connect back to them to see what their incoming servers accept, but we don't have a problem with that; it's only when they connect to us that they bail out with the "Certificate rejected over TLS" error.

Also, based on what I've heard from others, they're quite happy to connect to other servers with a secure TLSv1.2 cipher, one that we actually offer. So why are they failing to use that cipher when connecting to us? The client gets to choose, so the only thing I can think of is they're trying to connect with a weaker cipher first, seeing we accept, and then aborting any attempt to send us email at all. Sounds very strange.

Hmmm, "Certificate rejected"... that doesn't sound like a cipher error either, does it? Of course, you never can be sure with error messages, though I wonder if they just don't like wildcard certificates or something like that? More likely, there's some subtle protocol level incompatibility going on somewhere that's going to be painful to debug.

Rob Mueller
r...@fastmail.fm
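The post above wonders whether the "Certificate rejected over TLS" error is really about the certificate (a wildcard, an unverifiable chain) rather than the cipher list. The following is an added example, not code from the thread: it connects to your own MX the way a sending MTA does (EHLO, then STARTTLS) and reports the negotiated protocol and cipher, whether the presented chain verifies against the local trust store, and whether the certificate's SANs cover the MX hostname under the usual wildcard rules. The hostname `mx.example.com` is a placeholder.

```python
import smtplib
import ssl

def hostname_matches(hostname, cert):
    """True if hostname matches a DNS SAN in the peer cert dict from getpeercert().
    A wildcard is accepted only as the whole left-most label and matches exactly
    one label (RFC 6125 section 6.4.3): *.example.com covers mx1.example.com but
    neither example.com nor a.b.example.com."""
    host = hostname.lower().rstrip(".")
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and "*" not in name[1:]:
            suffix = name[1:]                                   # ".example.com"
            label = host[:-len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
    return False

def probe_starttls(mx_host, port=25):
    """Connect like a sending MTA (EHLO, STARTTLS) and report what the server
    presented: protocol, cipher, chain verification against the system trust
    store, and whether the SANs cover mx_host."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False            # name check is reported separately below
    ctx.verify_mode = ssl.CERT_REQUIRED   # but a verifiable chain is still required
    report = {"host": mx_host, "chain_ok": False}
    try:
        with smtplib.SMTP(mx_host, port, timeout=15) as smtp:
            smtp.ehlo()
            smtp.starttls(context=ctx)
            tls, cert = smtp.sock, smtp.sock.getpeercert()
            report.update(chain_ok=True, protocol=tls.version(), cipher=tls.cipher()[0],
                          sans=[n for k, n in cert.get("subjectAltName", ()) if k == "DNS"],
                          name_ok=hostname_matches(mx_host, cert))
    except ssl.SSLCertVerificationError as e:      # unknown CA, expired, self-signed ...
        report["error"] = e.verify_message
    except (ssl.SSLError, smtplib.SMTPException, OSError) as e:
        report["error"] = str(e)
    return report

if __name__ == "__main__":
    # mx.example.com is a placeholder: substitute your own MX hostname.
    for key, value in probe_starttls("mx.example.com").items():
        print(f"{key}: {value}")
```

Run it from a host whose trust store resembles the sender's; a `chain_ok` of `False` with a verify message, or `name_ok` of `False` despite a valid chain, points at the certificate rather than the cipher list.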
_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop