SOLVED SSL/TLS Cipher Suite List option in EXIM config has no effect

Operating System & Version
CentOS 7.8.2003
cPanel & WHM Version
11.90.0.16

vlad_

Registered
Feb 13, 2016
4
0
51
new york
cPanel Access Level
Root Administrator
I've been trying to change the preference order of the cipher suites that exim uses when delivering mail to a remote MTA.

I have entered a list of 12 ciphers in the "SSL/TLS Cipher Suite List".

exim_mainlog is showing it using a cipher not on my list, and decode of the network traffic shows it sending a list of 86 cipher suites in the TLS client hello packet.

"Options for OpenSSL" and "SSL/TLS Cipher Suite List" appear to have no effect.

can anyone advise? thanks in advance.


cPanel 11.90.0.16
CentOS 7.8.2003
OpenSSL 1.0.2k-fips 26 Jan 2017

Home -> Service Configuration -> Exim Configuration Manager -> Basic Editor -> Options for OpenSSL:
+no_sslv2 +no_sslv3 +no_tlsv1 +no_tlsv1_1

Home -> Service Configuration -> Exim Configuration Manager -> Basic Editor -> SSL/TLS Cipher Suite List:
ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
14,385
2,254
363
cPanel Access Level
Root Administrator
Hey there! Can you let me know specifically how you are checking the number of ciphers? You mention you are seeing 86 cipher suites listed, but I only see 12 in your "SSL/TLS Cipher Suite List" that you've provided. If you have additional details on how you're getting this I'd be happy to try and replicate this on a test system.
 

vlad_

hi.

note that the problem occurs in the TLS as a client scenario, when exim is delivering mail to a remote MTA.
in the TLS as a server scenario, when exim is receiving mail, both "openssl_options" and "tls_require_ciphers" options work as advertised.

there are two ways I see that the problem is happening.

one is the exim_mainlog showing the cipher suite that was used for the transaction is not on my list.

2020-11-02 14:40:26 1kZfgj-0002bs-Tx -> [email protected] R=dkim_lookuphost_NEW T=dkim_remote_smtp H=mx-aol.mail.gm0.yahoodns.net [98.136.96.92] X=TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=yes C="250 ok dirdel 6/6"
2020-11-02 15:09:11 1kZg8b-0006m8-PN => [email protected] R=dkim_lookuphost_NEW T=dkim_remote_smtp H=gmail-smtp-in.l.google.com [209.85.144.27] X=TLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256:128 CV=yes C="250 2.0.0 OK x x.x - gsmtp"
2020-11-02 22:02:09 1kZmaE-0007Zl-BW => [email protected] R=dkim_lookuphost_NEW T=dkim_remote_smtp H=mta5.am0.yahoodns.net [67.195.228.111] X=TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=yes C="250 ok dirdel"

and two, I used tcpdump to capture traffic. below is decoded "TLS client hello" packet from an exim delivering mail session.

Frame 2397: 362 bytes on wire (2896 bits), 362 bytes captured (2896 bits)
Linux cooked capture
Internet Protocol Version 4, Src: x, Dst: 209.85.144.27
Transmission Control Protocol, Src Port: 43935, Dst Port: 25, Seq: 33, Ack: 253, Len: 294
Secure Sockets Layer
TLSv1.2 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: TLS 1.0 (0x0301)
Length: 289
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 285
Version: TLS 1.2 (0x0303)
Random: 1b881420df834949a7f65d9edf35510de1f69435591680cb...
GMT Unix Time: Aug 20, 1984 22:21:20.000000000 EDT
Random Bytes: df834949a7f65d9edf35510de1f69435591680cba511f369...
Session ID Length: 0
Cipher Suites Length: 172
Cipher Suites (86 suites)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
Cipher Suite: TLS_DH_DSS_WITH_AES_256_GCM_SHA384 (0x00a5)
Cipher Suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 (0x00a3)
Cipher Suite: TLS_DH_RSA_WITH_AES_256_GCM_SHA384 (0x00a1)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (0x006a)
Cipher Suite: TLS_DH_RSA_WITH_AES_256_CBC_SHA256 (0x0069)
Cipher Suite: TLS_DH_DSS_WITH_AES_256_CBC_SHA256 (0x0068)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
Cipher Suite: TLS_DH_RSA_WITH_AES_256_CBC_SHA (0x0037)
Cipher Suite: TLS_DH_DSS_WITH_AES_256_CBC_SHA (0x0036)
Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088)
Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA (0x0087)
Cipher Suite: TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0086)
Cipher Suite: TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA (0x0085)
Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 (0xc032)
Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02e)
Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 (0xc02a)
Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 (0xc026)
Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f)
Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005)
Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
Cipher Suite: TLS_DH_DSS_WITH_AES_128_GCM_SHA256 (0x00a4)
Cipher Suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (0x00a2)
Cipher Suite: TLS_DH_RSA_WITH_AES_128_GCM_SHA256 (0x00a0)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040)
Cipher Suite: TLS_DH_RSA_WITH_AES_128_CBC_SHA256 (0x003f)
Cipher Suite: TLS_DH_DSS_WITH_AES_128_CBC_SHA256 (0x003e)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
Cipher Suite: TLS_DH_RSA_WITH_AES_128_CBC_SHA (0x0031)
Cipher Suite: TLS_DH_DSS_WITH_AES_128_CBC_SHA (0x0030)
Cipher Suite: TLS_DHE_RSA_WITH_SEED_CBC_SHA (0x009a)
Cipher Suite: TLS_DHE_DSS_WITH_SEED_CBC_SHA (0x0099)
Cipher Suite: TLS_DH_RSA_WITH_SEED_CBC_SHA (0x0098)
Cipher Suite: TLS_DH_DSS_WITH_SEED_CBC_SHA (0x0097)
Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045)
Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA (0x0044)
Cipher Suite: TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0043)
Cipher Suite: TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA (0x0042)
Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 (0xc031)
Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02d)
Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 (0xc029)
Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 (0xc025)
Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e)
Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004)
Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_RSA_WITH_SEED_CBC_SHA (0x0096)
Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041)
Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)
Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
Cipher Suite: TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA (0x0010)
Cipher Suite: TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA (0x000d)
Cipher Suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (0xc00d)
Cipher Suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc003)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Cipher Suite: TLS_RSA_WITH_IDEA_CBC_SHA (0x0007)
Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007)
Cipher Suite: TLS_ECDH_RSA_WITH_RC4_128_SHA (0xc00c)
Cipher Suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA (0xc002)
Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
Compression Methods Length: 1
Compression Methods (1 method)
Compression Method: null (0)
Extensions Length: 72
Extension: ec_point_formats (len=4)
Extension: supported_groups (len=10)
Extension: signature_algorithms (len=32)
Extension: status_request (len=5)
Extension: heartbeat (len=1)
 

vlad_

this is still a problem.

when exim is delivering mail to a remote MTA (exim as a client), and tries to start TLS (TLS as a client), I don't understand where it gets the cipher suites list that it sends in the TLS client hello packet. it's a long list of 86 cipher suites and a number of them are not on the list that I get from openssl ciphers.

I have a new example.
in the exim configuration I have a list of 24 cipher suites. my server connects to a remote MTA. issues STARTTLS. sends a list of 86 cipher suites in the TLS client hello. remote MTA picks a cipher suite that is not on the list that I configured. by the way, it is also not on the list when I run openssl ciphers. my MTA issues an error
routines:SSL23_GET_SERVER_HELLO:unsupported protocol
and hangs up to deliver unencrypted.


cPanel 11.90.0.17
CentOS 7.9.2009
Exim 4.93 #2 built 19-May-2020 17:51:08
OpenSSL 1.0.2k-fips 26 Jan 2017

Home -> Service Configuration -> Exim Configuration Manager -> Basic Editor -> Options for OpenSSL:
+no_sslv2 +no_sslv3 +no_tlsv1 +no_tlsv1_1 +cipher_server_preference

Home -> Service Configuration -> Exim Configuration Manager -> Basic Editor -> SSL/TLS Cipher Suite List:
ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA

Home -> Service Configuration -> Exim Configuration Manager -> Advanced Editor -> openssl_options:
+no_sslv2 +no_sslv3 +no_tlsv1 +no_tlsv1_1 +cipher_server_preference

Home -> Service Configuration -> Exim Configuration Manager -> Advanced Editor -> tls_require_ciphers:
ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA


Code:
exim_mainlog:
2020-11-14 12:40:45 x TLS session: (SSL_connect): error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol: delivering unencrypted to H=smtp-in.orange.fr [193.252.22.65] (not in hosts_require_tls)


packet decode:
Code:
3606  45392.911528  x.x.x.x        193.252.22.65  TCP    76    45711 → 25 [SYN] Seq=0 Win=28720 Len=0 MSS=1436 SACK_PERM=1 TSval=4081822238 TSecr=0 WS=128
3607  45393.001178  193.252.22.65  x.x.x.x        TCP    76    25 → 45711 [SYN, ACK] Seq=0 Ack=1 Win=4200 Len=0 MSS=1400 TSval=3352842904 TSecr=4081822238 SACK_PERM=1
3608  45393.001223  x.x.x.x        193.252.22.65  TCP    68    45711 → 25 [ACK] Seq=1 Ack=1 Win=28720 Len=0 TSval=4081822327 TSecr=3352842904
3609  45393.515996  193.252.22.65  x.x.x.x        SMTP   105   S: 220 mwinf5c49 ME ESMTP server ready
3610  45393.516223  x.x.x.x        193.252.22.65  SMTP   90    C: EHLO mail.mydomain.com
3611  45393.607048  193.252.22.65  x.x.x.x        SMTP   216   S: 250-mwinf5c49 hello [x.x.x.x], pleased to meet you | 250-HELP | 250-SIZE 44000000 | 250-ENHANCEDSTATUSCODES | 250-8BITMIME | 250-STARTTLS | 250 OK
3612  45393.607267  x.x.x.x        193.252.22.65  SMTP   78    C: STARTTLS
3613  45393.698344  193.252.22.65  x.x.x.x        SMTP   98    S: 220 2.0.0 Ready to start TLS
3614  45393.722884  x.x.x.x        193.252.22.65  TLSv1  362   Client Hello
3615  45393.819399  193.252.22.65  x.x.x.x        TLSv1  1516  Server Hello
3616  45393.819493  x.x.x.x        193.252.22.65  TCP    68    45711 → 25 [ACK] Seq=327 Ack=1664 Win=31924 Len=0 TSval=4081823146 TSecr=3352843722
3617  45393.819517  193.252.22.65  x.x.x.x        TLSv1  1456  Certificate [TCP segment of a reassembled PDU]
3618  45393.819709  x.x.x.x        193.252.22.65  TCP    68    45711 → 25 [RST, ACK] Seq=327 Ack=3052 Win=34700 Len=0 TSval=4081823146 TSecr=3352843722

--------------------------------------------------------

Frame 3614: 362 bytes on wire (2896 bits), 362 bytes captured (2896 bits)
Linux cooked capture
Internet Protocol Version 4, Src: x.x.x.x   , Dst: 193.252.22.65
Transmission Control Protocol, Src Port: 45711, Dst Port: 25, Seq: 33, Ack: 216, Len: 294
Secure Sockets Layer
|   TLSv1 Record Layer: Handshake Protocol: Client Hello
|       Content Type: Handshake (22)
|       Version: TLS 1.0 (0x0301)
|       Length: 289
|       Handshake Protocol: Client Hello
|           Handshake Type: Client Hello (1)
|           Length: 285
|           Version: TLS 1.2 (0x0303)
|           Random: 108782fc4d635c8061fd6b75146cddd53a00fd412628bd4f...
|               GMT Unix Time: Oct 15, 1978 12:19:08.000000000 EDT
|               Random Bytes: 4d635c8061fd6b75146cddd53a00fd412628bd4f6a03c542...
|           Session ID Length: 0
|           Cipher Suites Length: 172
|           Cipher Suites (86 suites)
|               Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
|               Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
|               Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
|               Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
|               Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
|               Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
|               Cipher Suite: TLS_DH_DSS_WITH_AES_256_GCM_SHA384 (0x00a5)
|               Cipher Suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 (0x00a3)
|               Cipher Suite: TLS_DH_RSA_WITH_AES_256_GCM_SHA384 (0x00a1)
|               Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
|               Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
|               Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (0x006a)
|               Cipher Suite: TLS_DH_RSA_WITH_AES_256_CBC_SHA256 (0x0069)
|               Cipher Suite: TLS_DH_DSS_WITH_AES_256_CBC_SHA256 (0x0068)
|               Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
|               Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
|               Cipher Suite: TLS_DH_RSA_WITH_AES_256_CBC_SHA (0x0037)
|               Cipher Suite: TLS_DH_DSS_WITH_AES_256_CBC_SHA (0x0036)
|               Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088)
|               Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA (0x0087)
|               Cipher Suite: TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0086)
|               Cipher Suite: TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA (0x0085)
|               Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 (0xc032)
|               Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02e)
|               Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 (0xc02a)
|               Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 (0xc026)
|               Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f)
|               Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005)
|               Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
|               Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
|               Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
|               Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084)
|               Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
|               Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
|               Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
|               Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
|               Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
|               Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
|               Cipher Suite: TLS_DH_DSS_WITH_AES_128_GCM_SHA256 (0x00a4)
|               Cipher Suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (0x00a2)
|               Cipher Suite: TLS_DH_RSA_WITH_AES_128_GCM_SHA256 (0x00a0)
|               Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
|               Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
|               Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040)
|               Cipher Suite: TLS_DH_RSA_WITH_AES_128_CBC_SHA256 (0x003f)
|               Cipher Suite: TLS_DH_DSS_WITH_AES_128_CBC_SHA256 (0x003e)
|               Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
|               Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
|               Cipher Suite: TLS_DH_RSA_WITH_AES_128_CBC_SHA (0x0031)
|               Cipher Suite: TLS_DH_DSS_WITH_AES_128_CBC_SHA (0x0030)
|               Cipher Suite: TLS_DHE_RSA_WITH_SEED_CBC_SHA (0x009a)
|               Cipher Suite: TLS_DHE_DSS_WITH_SEED_CBC_SHA (0x0099)
|               Cipher Suite: TLS_DH_RSA_WITH_SEED_CBC_SHA (0x0098)
|               Cipher Suite: TLS_DH_DSS_WITH_SEED_CBC_SHA (0x0097)
|               Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045)
|               Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA (0x0044)
|               Cipher Suite: TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0043)
|               Cipher Suite: TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA (0x0042)
|               Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 (0xc031)
|               Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02d)
|               Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 (0xc029)
|               Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 (0xc025)
|               Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e)
|               Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004)
|               Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
|               Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
|               Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
|               Cipher Suite: TLS_RSA_WITH_SEED_CBC_SHA (0x0096)
|               Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041)
|               Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
|               Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)
|               Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
|               Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
|               Cipher Suite: TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA (0x0010)
|               Cipher Suite: TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA (0x000d)
|               Cipher Suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (0xc00d)
|               Cipher Suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc003)
|               Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
|               Cipher Suite: TLS_RSA_WITH_IDEA_CBC_SHA (0x0007)
|               Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
|               Cipher Suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007)
|               Cipher Suite: TLS_ECDH_RSA_WITH_RC4_128_SHA (0xc00c)
|               Cipher Suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA (0xc002)
|               Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
|               Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
|               Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
|           Compression Methods Length: 1
|           Compression Methods (1 method)
|               Compression Method: null (0)
|           Extensions Length: 72
|           Extension: ec_point_formats (len=4)
|               Type: ec_point_formats (11)
|               Length: 4
|               EC point formats Length: 3
|               Elliptic curves point formats (3)
|           Extension: supported_groups (len=10)
|               Type: supported_groups (10)
|               Length: 10
|               Supported Groups List Length: 8
|               Supported Groups (4 groups)
|           Extension: signature_algorithms (len=32)
|               Type: signature_algorithms (13)
|               Length: 32
|               Signature Hash Algorithms Length: 30
|               Signature Hash Algorithms (15 algorithms)
|           Extension: status_request (len=5)
|               Type: status_request (5)
|               Length: 5
|               Certificate Status Type: OCSP (1)
|               Responder ID list Length: 0
|               Request Extensions Length: 0
|           Extension: heartbeat (len=1)
|               Type: heartbeat (15)
|               Length: 1
|               Mode: Peer allowed to send requests (1)

--------------------------------------------------------

Frame 3615: 1516 bytes on wire (12128 bits), 1516 bytes captured (12128 bits)
Linux cooked capture
Internet Protocol Version 4, Src: 193.252.22.65, Dst: x.x.x.x  
Transmission Control Protocol, Src Port: 25, Dst Port: 45711, Seq: 216, Ack: 327, Len: 1448
Secure Sockets Layer
|   TLSv1 Record Layer: Handshake Protocol: Server Hello
|       Content Type: Handshake (22)
|       Version: TLS 1.0 (0x0301)
|       Length: 74
|       Handshake Protocol: Server Hello
|           Handshake Type: Server Hello (2)
|           Length: 70
|           Version: TLS 1.0 (0x0301)
|           Random: 5fb0169d9379331e21cdb38c9767fc06d6d42b6eb097d53a...
|               GMT Unix Time: Nov 14, 2020 12:40:45.000000000 EST
|               Random Bytes: 9379331e21cdb38c9767fc06d6d42b6eb097d53aee6957e0...
|           Session ID Length: 32
|           Session ID: fb6c3a86977463b393a2f9eba58fe2fb3e31a171df221263...
|           Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
|           Compression Method: null (0)

--------------------------------------------------------

Frame 3617: 1456 bytes on wire (11648 bits), 1456 bytes captured (11648 bits)
Linux cooked capture
Internet Protocol Version 4, Src: 193.252.22.65, Dst: x.x.x.x  
Transmission Control Protocol, Src Port: 25, Dst Port: 45711, Seq: 1664, Ack: 327, Len: 1388
[2 Reassembled TCP Segments (2749 bytes): #3615(1369), #3617(1380)]
Secure Sockets Layer
|   TLSv1 Record Layer: Handshake Protocol: Certificate
|       Content Type: Handshake (22)
|       Version: TLS 1.0 (0x0301)
|       Length: 2744
|       Handshake Protocol: Certificate
|           Handshake Type: Certificate (11)
|           Length: 2740
|           Certificates Length: 2737
|           Certificates (2737 bytes)
|               Certificate Length: 1555
|               Certificate: 3082060f308204f7a003020102021003b0c2ea837bb77e76... (id-at-commonName=smtp-in.orange.fr,id-at-organizationalUnitName=Orange,id-at-organizationName=Orange,id-at-localityName=Paris,id-at-countryName=FR)
|                   signedCertificate
|                   algorithmIdentifier (sha256WithRSAEncryption)
|                   Padding: 0
|                   encrypted: 789d2ffdc506a7e2e89c957d0e3e1c2e5406b5077d5b970e...
|               Certificate Length: 1176
|               Certificate: 308204943082037ca003020102021001fda3eb6eca75c888... (id-at-commonName=DigiCert SHA2 Secure Server CA,id-at-organizationName=DigiCert Inc,id-at-countryName=US)
|                   signedCertificate
|                   algorithmIdentifier (sha256WithRSAEncryption)
|                   Padding: 0
|                   encrypted: 233edf4bd23142a5b67e425c1a44cc69d168b45d4be00421...


Code:
[[email protected]]# openssl ciphers -v
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES256-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
DH-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH/DSS   Au=DH   Enc=AESGCM(256) Mac=AEAD
DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(256) Mac=AEAD
DH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH/RSA   Au=DH   Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
DHE-DSS-AES256-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA256
DH-RSA-AES256-SHA256    TLSv1.2 Kx=DH/RSA   Au=DH   Enc=AES(256)  Mac=SHA256
DH-DSS-AES256-SHA256    TLSv1.2 Kx=DH/DSS   Au=DH   Enc=AES(256)  Mac=SHA256
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
DH-RSA-AES256-SHA       SSLv3 Kx=DH/RSA   Au=DH   Enc=AES(256)  Mac=SHA1
DH-DSS-AES256-SHA       SSLv3 Kx=DH/DSS   Au=DH   Enc=AES(256)  Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA1
DHE-DSS-CAMELLIA256-SHA SSLv3 Kx=DH       Au=DSS  Enc=Camellia(256) Mac=SHA1
DH-RSA-CAMELLIA256-SHA  SSLv3 Kx=DH/RSA   Au=DH   Enc=Camellia(256) Mac=SHA1
DH-DSS-CAMELLIA256-SHA  SSLv3 Kx=DH/DSS   Au=DH   Enc=Camellia(256) Mac=SHA1
ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-RSA-AES256-SHA384  TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256)  Mac=SHA384
ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256)  Mac=SHA384
ECDH-RSA-AES256-SHA     SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(256)  Mac=SHA1
ECDH-ECDSA-AES256-SHA   SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256)  Mac=SHA1
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
CAMELLIA256-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA1
PSK-AES256-CBC-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-RSA-AES128-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
ECDHE-ECDSA-AES128-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
DH-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH/DSS   Au=DH   Enc=AESGCM(128) Mac=AEAD
DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(128) Mac=AEAD
DH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH/RSA   Au=DH   Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-DSS-AES128-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA256
DH-RSA-AES128-SHA256    TLSv1.2 Kx=DH/RSA   Au=DH   Enc=AES(128)  Mac=SHA256
DH-DSS-AES128-SHA256    TLSv1.2 Kx=DH/DSS   Au=DH   Enc=AES(128)  Mac=SHA256
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
DH-RSA-AES128-SHA       SSLv3 Kx=DH/RSA   Au=DH   Enc=AES(128)  Mac=SHA1
DH-DSS-AES128-SHA       SSLv3 Kx=DH/DSS   Au=DH   Enc=AES(128)  Mac=SHA1
DHE-RSA-SEED-SHA        SSLv3 Kx=DH       Au=RSA  Enc=SEED(128) Mac=SHA1
DHE-DSS-SEED-SHA        SSLv3 Kx=DH       Au=DSS  Enc=SEED(128) Mac=SHA1
DH-RSA-SEED-SHA         SSLv3 Kx=DH/RSA   Au=DH   Enc=SEED(128) Mac=SHA1
DH-DSS-SEED-SHA         SSLv3 Kx=DH/DSS   Au=DH   Enc=SEED(128) Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA1
DHE-DSS-CAMELLIA128-SHA SSLv3 Kx=DH       Au=DSS  Enc=Camellia(128) Mac=SHA1
DH-RSA-CAMELLIA128-SHA  SSLv3 Kx=DH/RSA   Au=DH   Enc=Camellia(128) Mac=SHA1
DH-DSS-CAMELLIA128-SHA  SSLv3 Kx=DH/DSS   Au=DH   Enc=Camellia(128) Mac=SHA1
ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-RSA-AES128-SHA256  TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(128)  Mac=SHA256
ECDH-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128)  Mac=SHA256
ECDH-RSA-AES128-SHA     SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(128)  Mac=SHA1
ECDH-ECDSA-AES128-SHA   SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128)  Mac=SHA1
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
SEED-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=SEED(128) Mac=SHA1
CAMELLIA128-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(128) Mac=SHA1
PSK-AES128-CBC-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=AES(128)  Mac=SHA1
ECDHE-RSA-DES-CBC3-SHA  SSLv3 Kx=ECDH     Au=RSA  Enc=3DES(168) Mac=SHA1
ECDHE-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH     Au=ECDSA Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
DH-RSA-DES-CBC3-SHA     SSLv3 Kx=DH/RSA   Au=DH   Enc=3DES(168) Mac=SHA1
DH-DSS-DES-CBC3-SHA     SSLv3 Kx=DH/DSS   Au=DH   Enc=3DES(168) Mac=SHA1
ECDH-RSA-DES-CBC3-SHA   SSLv3 Kx=ECDH/RSA Au=ECDH Enc=3DES(168) Mac=SHA1
ECDH-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
IDEA-CBC-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=IDEA(128) Mac=SHA1
PSK-3DES-EDE-CBC-SHA    SSLv3 Kx=PSK      Au=PSK  Enc=3DES(168) Mac=SHA1
KRB5-IDEA-CBC-SHA       SSLv3 Kx=KRB5     Au=KRB5 Enc=IDEA(128) Mac=SHA1
KRB5-DES-CBC3-SHA       SSLv3 Kx=KRB5     Au=KRB5 Enc=3DES(168) Mac=SHA1
KRB5-IDEA-CBC-MD5       SSLv3 Kx=KRB5     Au=KRB5 Enc=IDEA(128) Mac=MD5
KRB5-DES-CBC3-MD5       SSLv3 Kx=KRB5     Au=KRB5 Enc=3DES(168) Mac=MD5
ECDHE-RSA-RC4-SHA       SSLv3 Kx=ECDH     Au=RSA  Enc=RC4(128)  Mac=SHA1
ECDHE-ECDSA-RC4-SHA     SSLv3 Kx=ECDH     Au=ECDSA Enc=RC4(128)  Mac=SHA1
ECDH-RSA-RC4-SHA        SSLv3 Kx=ECDH/RSA Au=ECDH Enc=RC4(128)  Mac=SHA1
ECDH-ECDSA-RC4-SHA      SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=RC4(128)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
PSK-RC4-SHA             SSLv3 Kx=PSK      Au=PSK  Enc=RC4(128)  Mac=SHA1
KRB5-RC4-SHA            SSLv3 Kx=KRB5     Au=KRB5 Enc=RC4(128)  Mac=SHA1
KRB5-RC4-MD5            SSLv3 Kx=KRB5     Au=KRB5 Enc=RC4(128)  Mac=MD5
 

SamuelM

Technical Analyst Team Lead
Nov 20, 2019
196
40
103
USA
cPanel Access Level
Root Administrator
To follow up here for any other users following this thread, after submitting a ticket we determined that in order to specify the cipher suites that Exim sends in the "Client Hello," it is necessary to specify tls_require_ciphers in the smtp transport section of the Exim configuration.

https://www.exim.org/exim-html-current/doc/html/spec_html/ch-the_smtp_transport.html
tls_require_ciphers Use: smtp Type: string† Default: unset

The value of this option must be a list of permitted cipher suites, for use when setting up an outgoing encrypted connection. (There is a global option of the same name for controlling incoming connections.) The values of $host and $host_address are set to the name and address of the server during the expansion. See chapter 43 for details of TLS; note that this option is used in different ways by

The Transports section can be accessed in the Advanced Editor of the Exim Configuration Manager in WHM, as shown in the screenshot I attached here.

Thank you @vlad_ for your patience while we investigated this with you!
 

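One way to check from exim_mainlog whether the transport-level tls_require_ciphers setting described above has taken effect, as an added example that is not part of the original thread or of cPanel's or Exim's code: it separates inbound (`<=`) from outbound (`=>`, `->`, `>>`) lines, compares the cipher in the `X=` field with the configured list, and flags the "delivering unencrypted" fallback. The sample log lines are constructed from the formats shown in the thread; hosts, addresses and message IDs are placeholders.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# The 12-suite list from the first post, as it would appear in tls_require_ciphers.
ALLOWED: Set[str] = set((
    "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:"
    "DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:"
    "AES256-GCM-SHA384:AES256-SHA256:AES256-SHA"
).split(":"))

# Exim main log flags: "<=" is message arrival (Exim is the TLS server);
# "=>", "->" and ">>" are deliveries (Exim is the TLS client).
DELIVERY_FLAGS = {"=>", "->", ">>"}
ARRIVAL_FLAG = "<="

X_RE = re.compile(r"(?:^|\s)X=([^:\s]+):([^:\s]+)")   # X=<protocol>:<cipher>[:<bits>]
T_RE = re.compile(r"(?:^|\s)T=(\S+)")                 # transport name
H_RE = re.compile(r"(?:^|\s)H=(\S+)")                 # remote host
FALLBACK_RE = re.compile(r"delivering unencrypted to H=(\S+)")


@dataclass(frozen=True)
class Finding:
    direction: str              # "inbound" or "outbound"
    kind: str                   # "off-list-cipher" or "plaintext-fallback"
    host: Optional[str]
    transport: Optional[str]
    cipher: Optional[str]


def _first(regex: "re.Pattern[str]", text: str) -> Optional[str]:
    match = regex.search(text)
    return match.group(1) if match else None


def audit(lines: Iterable[str], allowed: Set[str] = ALLOWED) -> List[Finding]:
    """Return one Finding per log line that violates the cipher allowlist."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        # A failed handshake followed by cleartext delivery has no X= field at all.
        fallback = FALLBACK_RE.search(line)
        if fallback:
            findings.append(Finding("outbound", "plaintext-fallback",
                                    fallback.group(1), None, None))
            continue
        parts = line.split(" ", 4)          # date, time, message id, flag, rest
        if len(parts) < 5:
            continue
        flag, rest = parts[3], parts[4]
        if flag in DELIVERY_FLAGS:
            direction = "outbound"
        elif flag == ARRIVAL_FLAG:
            direction = "inbound"
        else:
            continue
        x = X_RE.search(rest)
        if not x:
            continue                        # no TLS information on this line
        cipher = x.group(2)
        if cipher not in allowed:
            findings.append(Finding(direction, "off-list-cipher",
                                    _first(H_RE, rest), _first(T_RE, rest), cipher))
    return findings


def summarize(findings: Iterable[Finding]) -> Dict[Tuple[str, str], int]:
    """Count findings per (direction, kind)."""
    return dict(Counter((f.direction, f.kind) for f in findings))


# Constructed sample input (not real traffic), modelled on the thread's log lines.
SAMPLE_LOG = """\
2020-11-02 14:40:20 1kZfgj-0002bs-Tx <= sender@example.org H=mail.example.org [198.51.100.7] P=esmtps X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=2417
2020-11-02 14:40:26 1kZfgj-0002bs-Tx => user@example.net R=dkim_lookuphost_NEW T=dkim_remote_smtp H=mx.example.net [192.0.2.25] X=TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=yes C="250 ok"
2020-11-02 15:09:11 1kZg8b-0006m8-PN => user@example.com R=dkim_lookuphost_NEW T=dkim_remote_smtp H=mx.example.com [192.0.2.27] X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=yes C="250 2.0.0 OK"
2020-11-14 12:40:45 1kdvXx-0001Ab-C3 TLS session: (SSL_connect): error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol: delivering unencrypted to H=mx2.example.net [192.0.2.65] (not in hosts_require_tls)
2020-11-14 12:40:46 1kdvXx-0001Ab-C3 => user@example.net R=dkim_lookuphost_NEW T=dkim_remote_smtp H=mx2.example.net [192.0.2.65] C="250 ok"
"""

if __name__ == "__main__":
    results = audit(SAMPLE_LOG.splitlines())
    for finding in results:
        print(finding)
    print(summarize(results))
```

Outbound findings that persist after the change point to a transport whose smtp driver block still lacks tls_require_ciphers; the `T=` value in each finding names that transport.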