Thanks a lot for responding. Hmmm, I put the cipherlists you mentioned in my access database using tls_clt_features CipherList= ... and I even put tls_server_features with those ciphers but no joy. My openssl version is 1.1.1d-0+deb10u2 and has not been updated since October.

On Fri, 24 Jan 2020 00:06:18 -0500, ml+mailop--- via mailop wrote:
>
> On Thu, Jan 23, 2020, John Covici via mailop wrote:
>
> > Jan 23 17:51:33 debian-2 sm-mta[7625]: STARTTLS=client, error: connect
> > failed=-1, reason=dh key too small, SSL_error=1, errno=0, retry=-1
>
> AFAICT it's the key from "the other side" that openssl is complaining
> about -- did you recently upgrade it?
>
> You could disable the DHE ciphers, e.g. something like this
> (note: you have to "match" this with your openssl version
> and the ciphers it supports):
>
> O CiphersList=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:AES128-SHA:DES-CBC3-SHA
>
> Note that that must be one very long line.
>
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
>

-- 
Your life is like a penny. You're going to lose it. The question is:
How do you spend it?

John Covici wb2una
cov...@ccs.covici.com
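
Added example, not part of the thread: a Python check of the quoted cipher list against the locally linked OpenSSL build, reporting which names that build recognises and whether any of them still negotiate a DHE key exchange. The function name `audit_cipher_list` is an assumption made for this example; it tests each name on its own through the standard `ssl` module.

```python
import ssl

# Cipher list quoted in the reply above (one long line in the sendmail config).
CIPHER_LIST = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES256-SHA:"
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:"
    "ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:AES128-SHA:DES-CBC3-SHA"
)


def audit_cipher_list(cipher_list):
    """Classify each cipher name against the OpenSSL build Python links to.

    Returns {"dhe": [...], "non_dhe": [...], "unsupported": [...]}.
    "dhe" holds ciphers whose key exchange is finite-field DHE, the kind
    that can fail with "dh key too small" when the peer's DH key is short.
    """
    result = {"dhe": [], "non_dhe": [], "unsupported": []}
    for name in filter(None, cipher_list.split(":")):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        try:
            ctx.set_ciphers(name)  # raises if this build cannot select it
        except ssl.SSLError:
            result["unsupported"].append(name)
            continue
        # get_ciphers() also lists TLS 1.3 suites, so match on the exact name.
        match = [c for c in ctx.get_ciphers() if c["name"] == name]
        if not match:
            result["unsupported"].append(name)
        elif match[0].get("kea", "").startswith("kx-dhe"):
            result["dhe"].append(name)  # "kx-ecdhe" does not match this prefix
        else:
            result["non_dhe"].append(name)
    return result


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    for bucket, names in audit_cipher_list(CIPHER_LIST).items():
        print(f"{bucket:12} {len(names):2}  {' '.join(names)}")
```

Names reported as unsupported are ones the local build will not offer, which is the "match this with your openssl version" caveat from the reply.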