On 2012-05-30 Norbert Preining <prein...@logic.at> wrote:
> On Tue, 29 May 2012, Andreas Metzler wrote:
[...]
> > gnutls-cli --priority=NORMAL:%COMPAT:-VERS-TLS1.1:-VERS-TLS1.2 \
> > smtp.jaist.ac.jp -p 465
[...]
> The only hiccup was that at the end
> > connect if the SSL/settings are modified (for 4.77
> > gnutls_require_protocols and gnutls_compat_mode, for 4.80 (in
> > experimental) simply set tls_require_ciphers to the abovementioned
> > priority string.)
> Now I tried to convince exim to do the same, but without success.
> According to your remarks I set the following variables in
> /etc/exim4/conf.d/main/000_localmacros
> DCsmarthost=smtp.jaist.ac.jp::465
> gnutls_compat_mode=true
> gnutls_require_protocols=NORMAL:%COMPAT:-VERS-TLS1.1:-VERS-TLS1.2

Two things:
* gnutls_require_protocols does not accept a GnuTLS string, it is a
  different syntax. "TLS1.0:SSL3"
* The respective setting needs to be on the transport. (The
  corresponding main configuration settings apply when exim is
  accepting mail on the SMTP port.)

http://www.exim.org/exim-html-current/doc/html/spec_html/ch39.html#SECTreqciphgnu

[...]
> -----------------------------
> One more thing: I want to complain to the tech staff here: can you
> tell me what else, besides the fact that TLS1.1 and TLS1.2 are not
> supported, I can tell them?
[...]

Nothing specific. I would just hit them with the fact that
openssl s_client -connect smtp.jaist.ac.jp:465
fails. This should give more incentive than bringing in GnuTLS, which
is far less used. There are broken servers around (see e.g.
<http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/5993>).

cu andreas
--
`What a good friend you are to him, Dr. Maturin.
His other friends are so grateful to you.'
`I sew his ears on from time to time, sure'