On 21.10.2013 23:49, li...@rhsoft.net wrote:
> i hate it to ask but is there any chance postfix avoids ECDHE for such
> destinations in case of this situation and continues to use DHE if the
> requested curve is not available in the linked openssl library?
>
>>> as far as i can see in all 8 cases currently to GMX
>>>
>>> Oct 21 22:29:22 mail postfix/smtp[12289]: SSL_connect error to
>>> mx00.gmx.net[213.165.67.99]:25: -1
>> When I test connections to this host, I always get "AES256-SHA",
>> and no EDH or kEECDH ciphers are accepted. Did gmx.de change their
>> configuration to work around this? Can you build posttls-finger (from 2.11)
>> and test with:
>>
>> $ posttls-finger -t30 -T 180 -p TLSv1.2 -Ldebug \
>> -o tls_medium_cipherlist='kEECDH:kEDH:kRSA' \
>> "[213.165.67.99]"
>>
>> do you get handshake failures?
>
> no "posttls-finger" here but the logs below speak a clear language i think
> Oct 21 20:16:43 Updated: 1:openssl-libs-1.0.1e-28.fc18.x86_64
>
> Oct 21 19:08:27 mail postfix/smtp[13875]: Trusted TLS connection established
> to mx00.gmx.net[213.165.67.99]:25:
> TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> Oct 21 19:36:37 mail postfix/smtp[15749]: Trusted TLS connection established
> to mx00.gmx.net[213.165.67.99]:25:
> TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> Oct 21 19:59:48 mail postfix/smtp[17217]: Trusted TLS connection established
> to mx00.gmx.net[213.165.67.99]:25:
> TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1019390#c3
also interesting: from one postfix to another, using exactly the same postfix/openssl builds, the same ciphers that were previously used to GMX are still fine - which leaves the question open what exactly "mx00.gmx.net" does differently to fail now

Oct 21 23:52:45 localhost postfix/smtp[27178]: Trusted TLS connection established
to *****:25:
TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
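An added example, not from this thread or from Postfix itself: a small log triage script that reads Postfix smtp TLS lines like the ones above, tallies per destination which key exchange (ECDHE, DHE or static RSA) was negotiated, and flags destinations that now fail `SSL_connect` after having negotiated ECDHE before, which is the pattern being discussed. The sample lines are adapted from the thread (the `*****` placeholder kept as the author wrote it); the regexes assume the standard Postfix 2.x log format shown here.

```python
import re
from collections import defaultdict

# Sample input, adapted from the log lines quoted in the thread (constructed
# as a single multi-line string; real lines are one per record in maillog).
SAMPLE_LOG = """\
Oct 21 19:08:27 mail postfix/smtp[13875]: Trusted TLS connection established to mx00.gmx.net[213.165.67.99]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Oct 21 19:36:37 mail postfix/smtp[15749]: Trusted TLS connection established to mx00.gmx.net[213.165.67.99]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Oct 21 22:29:22 mail postfix/smtp[12289]: SSL_connect error to mx00.gmx.net[213.165.67.99]:25: -1
Oct 21 23:52:45 localhost postfix/smtp[27178]: Trusted TLS connection established to *****:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
"""

# "<Level> TLS connection established to <dest>:<port>: <proto> with cipher <name> ..."
ESTABLISHED = re.compile(
    r"postfix/smtp\[\d+\]: (?P<level>\w+) TLS connection established to "
    r"(?P<dest>[^\s:]+):\d+: (?P<proto>\S+) with cipher (?P<cipher>\S+)"
)
# "SSL_connect error to <dest>:<port>: <code>"
FAILED = re.compile(
    r"postfix/smtp\[\d+\]: SSL_connect error to (?P<dest>[^\s:]+):\d+: (?P<code>-?\d+)"
)

def key_exchange(cipher):
    """Classify an OpenSSL cipher name by its key exchange (matches kEECDH/kEDH/kRSA)."""
    if cipher.startswith("ECDHE-"):
        return "ECDHE"
    if cipher.startswith("DHE-") or cipher.startswith("EDH-"):
        return "DHE"
    return "RSA"  # e.g. AES256-SHA: static RSA key exchange, no forward secrecy

def summarize(log_text):
    """Per destination: successful handshakes by key exchange, ciphers seen, failures."""
    stats = defaultdict(lambda: {"ECDHE": 0, "DHE": 0, "RSA": 0,
                                 "failures": 0, "ciphers": set()})
    for line in log_text.splitlines():
        m = ESTABLISHED.search(line)
        if m:
            entry = stats[m["dest"]]
            entry[key_exchange(m["cipher"])] += 1
            entry["ciphers"].add(m["cipher"])
            continue
        m = FAILED.search(line)
        if m:
            stats[m["dest"]]["failures"] += 1
    return dict(stats)

def suspicious_destinations(stats):
    """Destinations with handshake failures that previously negotiated ECDHE:
    candidates for a curve / cipher-list negotiation problem worth testing."""
    return sorted(dest for dest, s in stats.items() if s["failures"] and s["ECDHE"])
```

Feed it the real maillog (`summarize(open("/var/log/maillog").read())`) to see which peers flipped from ECDHE to failures after the openssl update, before spending time on posttls-finger per host.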