Exim port 465 TLSv1 and TLSv1.1 not allowed

[mmgenius]

We have setup a new CentOS 8 server and we have noticed that exim doesn't allow TLSv1 and TLSv1.1 connections on port 465.
On an older server (CentOS 7) with the same exim version and exim.conf version exim does allow TLSv1 and TLSv1.1 on port 465.
On port 993 TLSv1 and TLSv1.1 works

CentOS 8 server
- exim 4.92.3
- exim.conf 4.5.18
- openssl 1.1.1

CentOS 7 server
- exim 4.92.3
- exim.conf 4.5.18
- openssl 1.0.2k

tests:
openssl s_client -connect localhost:465 -tls1
--> Error:
140179698976576:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1528:SSL alert number 70

openssl s_client -connect localhost:465 -tls1_1
--> Error:
140519893247808:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1528:SSL alert number 70

openssl s_client -connect localhost:465 -tls1_2
--> No Error

openssl s_client -connect localhost:993 -tls1
--> No Error

openssl s_client -connect localhost:993 -tls1_1
--> No Error

openssl s_client -connect localhost:993 -tls1_1
--> No Error

On the CentOS 7 server, all test are with No Error

I already search but I can't find any message a not allowing TLSv1 and TLSv1.1 connections in CentOS 8 and openssl 1.1.1

Does anyone has a idea what could be the problem?

Kind regards,
Maarten

 

[mmgenius]

Ok, I found the problem (reading the feature request forum )

The problem is systemwide crypto policies that is added in CentOS 8 (https://access.redhat.com/documenta...ide-cryptographic-policies_security-hardening)

It was set to DEFAULT and when we changed it to LEGACY it works.

 

[ikkeben]

YUP i did post some here in forum about that changes .
ONe here

Knowledge base and help howto files renew or adding parts for use with CENTOS 8.

Some parts of manuals , howto's faq,s are to old for when using CENTOS8 NetworkManager and crypto policies .. ONE important Example here https://help.directadmin.com/item.php?id=418 Manually adding an additional IP to a specific network device is not the way to go with centos 8, where...

forum.directadmin.com

Install DA on CENTOS 8 v2 selinux and howto / docu and EPEL

Please take care here or in docu / wiki for a howto with more infos about new, changed and depricated stuff. Also for hardening CENTOS 8 in combination with DA? Some cipher parts in configs are different. SELINUX is default in and on enforce. Maybe if possible at all to have a DA config for...

forum.directadmin.com

Disable TLS 1.1 as default

Please consider this feature request: Please disable TLS 1.1 as default in DirectAdmin before the end of the year. The argument is that all major browsers will disable TLS 1.1 support at the beginning of 2020, here is the deadlines (the browsers will disasble TLS 1.0 and TLS 1.1 by those...

forum.directadmin.com