Ja, ich weiß, Ihr könnt es nicht mehr lesen, der xte Mailserver der keine TLS 1.2 kann, nur leider hat der hier eggs.gnu.org eine wichtige Rolle, der handelt nämlich Emails für gnu.org . Kein TLS 1.2 , keine Emails mehr aus Europa.
„.. und dabei ist FOSS & TLS 1.2 kein Widerspruch.“
Trying TLS on eggs.gnu.org[209.51.188.92:25] (10):
| seconds | | test stage and result |
|---|
| [000.007] | | Connected to server |
| [000.167] | <– | 220 eggs.gnu.org ESMTP Exim 4.71 Sat, 09 Feb 2019 11:54:20 -0500 |
| [000.167] | | We are allowed to connect |
| [000.167] | –> | EHLO www6.CheckTLS.com |
| [000.174] | <– | 250-eggs.gnu.org Hello www6.checktls.com [159.89.187.50]
250-SIZE 52428800
250-PIPELINING
250-STARTTLS
250 HELP |
| [000.174] | | We can use this server |
| [000.175] | | TLS is an option on this server |
| [000.175] | –> | STARTTLS |
| [000.185] | <– | 220 TLS go ahead |
| [000.186] | | STARTTLS command works on this server |
| [000.275] | | Connection converted to SSL |
| | SSLVersion in use: TLSv1 |
| | Cipher in use: DHE-RSA-AES256-SHA |
| | Certificate 1 of 3 in chain: Cert VALIDATED: ok |
| | Cert Hostname VERIFIED (eggs.gnu.org = eggs.gnu.org | DNS:eggs.gnu.org | DNS:mail.gnu.org) |
| | cert not revoked by CRL |
| | cert not revoked by OCSP |
| | serialNumber=03:f9:06:4d:6c:6d:1e:1c:83:03:50:8a:32:c0:d5:a9:da:99 |
| | subject= /CN=eggs.gnu.org |
| | issuer= /C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X3 |
| | Certificate 2 of 3 in chain: Cert VALIDATED: ok |
| | cert not revoked by CRL |
| | cert not revoked by OCSP |
| | serialNumber=0a:01:41:42:00:00:01:53:85:73:6a:0b:85:ec:a7:08 |
| | subject= /C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X3 |
| | issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3 |
| | Certificate 3 of 3 in chain: Cert VALIDATED: ok |
| | cert not revoked by CRL |
| | cert not revoked by OCSP |
| | serialNumber=44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b |
| | subject= /O=Digital Signature Trust Co./CN=DST Root CA X3 |
| | issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3 |
wenn man mal genauer hinsieht mit : „openssl s_client -connect eggs.gnu.org:25 -starttls smtp -tls1“
Subject=/CN=eggs.gnu.org
….
New, SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
….
250 HELP
sieht dann auch, daß der Cipher noch aus SSLv3 Zeiten stammt, was nicht verwundert, weil TLS 1.0 nur SSLv3 mit SNI Support ist.
Falls jemand von Euch jemand den GNU Leuten Emails schicken will, machts gleich in Klartext 😀
