On 27/03/2020 21:52, Viktor Dukhovni wrote: > On Fri, Mar 27, 2020 at 09:25:28PM +0000, Jeremy Harris wrote: > >>> If the distro started with 1.1.1 and only backported security fixes, you >>> could be running an OpenSSL version with the unintentional bidirectional >>> setting. >> >> .. either this, or even an unpatched basic 1.1.1 . >> >> A simple code addition to avoid that call in the client case sounds >> in order. Testing, it appears to work - I get resumption and not that error. And the Exim testsuite shows no regressions, at least on my laptop (which is Fedora 31, with 1.1.1d). >>> Another possibility is that your system-wide openssl.cnf file has a >>> "RequestCAFile" or "ClientCAFile" setting. >> >> Neither appears to be present in /etc/pki/tls/openssl.cnf > > And neither has any ".include" directives? One, but that file doesn't have either string, either. -- Cheers, Jeremy
