Bug#968145: exim4: no TLS1.2 DHE ciphers from openssl client

Slavko linux at slavino.sk
Sun Aug 9 19:30:26 BST 2020


Package: exim4
Severity: important
Version: 4.94-6~bpo10+1

Recently I started to play with exim's tls_require_ciphers and I noticed
that DHE-RSA cipher suites are missing from sslscan's output. I
initially thought that it was an sslscan problem and reported it
there. But with help from sslscan's dev we found that it is exim's problem;
see full details in https://github.com/rbsec/sslscan/issues/214

I tried to contact exim's devs over IRC too, but I got no response at
all.

The whole story in short: we did tests with the gnutls-cli client and openssl
s_client against both the gnutls server and exim, using a DHE cipher, with
these results:

+ gnutls client > gnutls server works
+ gnutls client > exim works
+ openssl client > gnutls server works
+ openssl client > exim fails

I did all tests with the
"PFS:-GROUP-DH-ALL:+GROUP-FFDHE2048:+GROUP-FFDHE3072:+GROUP-FFDHE4096:-VERS-TLS1.0:-VERS-TLS1.1:-SIGN-RSA-SHA1"
priority string in both exim and the gnutls server, but the
priority string doesn't matter; the results are the same with the default
one. When I enabled "-d+tls" I saw nothing useful there: gnutls
reports 23 cipher suites initialized, which corresponds to the cipher
list for the given priority string, but then reports that it cannot establish
the connection.

I set the version to the package from buster backports, with which I did all
the mentioned tests, but I got the same results with the current testing
version.

I set severity to important because it significantly reduces the number of
available cipher suites, which can lead to compatibility problems
(IMO).

regards

-- 
Slavko
http://slavino.sk
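As an added example (not part of Slavko's report or of exim itself), the script below reproduces the two "client > exim" cells of the matrix above against a server you operate and classifies each handshake, so the failing "openssl client > exim" case can be confirmed or ruled out after a config change. The host and port variables are placeholders; the priority string is the one quoted in the report.

```bash
#!/usr/bin/env bash
# Added example, not from the bug report: probe a mail server for TLS 1.2
# DHE-RSA support the way the report does (openssl s_client vs. gnutls-cli)
# and classify each handshake. Host and ports are placeholders (assumed).
EXIM_HOST="${EXIM_HOST:-mail.example.invalid}"   # placeholder, set your own
EXIM_PORT="${EXIM_PORT:-25}"
# GnuTLS priority string quoted from the report, for the gnutls-cli side.
PRIO='PFS:-GROUP-DH-ALL:+GROUP-FFDHE2048:+GROUP-FFDHE3072:+GROUP-FFDHE4096:-VERS-TLS1.0:-VERS-TLS1.1:-SIGN-RSA-SHA1'

# classify_handshake: read `openssl s_client` output on stdin and print
#   DHE-OK   a DHE-RSA suite was negotiated (what the report expects)
#   NON-DHE  handshake succeeded but a non-DHE suite was chosen
#   FAILED   no cipher negotiated (the failing "openssl client > exim" cell)
# openssl prints "Cipher    : 0000" in the SSL-Session block on failure.
classify_handshake() {
  local cipher
  cipher=$(sed -n 's/^ *Cipher *: *//p' | head -n 1)
  case "$cipher" in
    '' | 0000 | '(NONE)') echo FAILED ;;
    DHE-*)                echo DHE-OK ;;
    *)                    echo NON-DHE ;;
  esac
}

# openssl client > exim: force TLS 1.2 and offer only DHE-RSA suites so the
# server must either pick one or fail the handshake.
probe_openssl_exim() {
  openssl s_client -connect "$EXIM_HOST:$EXIM_PORT" -starttls smtp -tls1_2 \
    -cipher 'DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256' \
    </dev/null 2>/dev/null | classify_handshake
}

# gnutls client > exim: same priority string as the report; gnutls-cli
# prints "- Description: (TLS1.2)-(DHE-RSA-...)" on success.
probe_gnutls_exim() {
  if gnutls-cli --starttls-proto=smtp --priority "$PRIO" \
       -p "$EXIM_PORT" "$EXIM_HOST" </dev/null 2>/dev/null |
     grep -q 'Description: .*(DHE-RSA'; then
    echo DHE-OK
  else
    echo FAILED
  fi
}

# Run the probes only when explicitly asked, so the functions can be sourced.
if [ "${RUN_PROBES:-0}" = 1 ]; then
  printf 'openssl client > exim: %s\n' "$(probe_openssl_exim)"
  printf 'gnutls client > exim:  %s\n' "$(probe_gnutls_exim)"
fi
```

Run with `RUN_PROBES=1 EXIM_HOST=your.mail.host ./probe.sh`; a DHE-OK from gnutls-cli beside a FAILED from openssl is the same asymmetry the report describes.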