Recently I started to play with exim's tls_require_ciphers and I noticed that DHE-RSA cipher suites are missing from sslscan's output. I initially thought that it was an sslscan problem and reported it there. But with the help of sslscan's dev we found that it is exim's problem; see the full details in https://github.com/rbsec/sslscan/issues/214

I tried to contact exim's dev over IRC too, but I got no response at all.

The whole story in short: we did tests with the gnutls-cli client and openssl s_client against both the gnutls-server and exim using a DHE cipher, with these results:

+ gnutls client > gnutls server works
+ gnutls client > exim works
+ openssl client > gnutls server works
+ openssl client > exim fails

I did all tests with the "PFS:-GROUP-DH-ALL:+GROUP-FFDHE2048:+GROUP-FFDHE3072:+GROUP-FFDHE4096:-VERS-TLS1.0:-VERS-TLS1.1:-SIGN-RSA-SHA1" priority string in both exim and the gnutls server, but the priority string doesn't matter; the results are the same with the default one.

When I enabled "-d+tls" I saw nothing useful there: gnutls reports 23 cipher suites initialized, which corresponds to the cipher list for the given priority string, but then reports that it cannot establish the connection.

I set the version of the package from buster backports, with which I did all the mentioned tests, but I got the same results with the current testing version.

I set severity to important, because it significantly reduces the amount of available cipher suites, which can lead to compatibility problems (IMO).

regards
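The openssl-vs-gnutls probes from the test matrix above, as an added shell example that is not part of the bug report: it restricts each client to a DHE-RSA suite over TLS 1.2 and extracts the negotiated cipher, so the "works/fails" result can be read off without eyeballing the handshake dump. The host and port are placeholders, and the sample s_client output in the comments is constructed.

```shell
#!/bin/sh
# Added example, not from the bug report or the exim project.
# Probe an SMTP server for DHE-RSA cipher suites with both TLS clients
# mentioned in the report and print the cipher that was actually negotiated.

# Extract the negotiated cipher from openssl s_client output read on stdin.
# s_client prints "    Cipher    : DHE-RSA-AES256-GCM-SHA384" on success and
# "    Cipher    : 0000" when the handshake failed, so map the latter to NONE.
negotiated_cipher() {
    awk '
        /^ *Cipher *: / { sub(/^ *Cipher *: */, ""); cipher = $0 }
        END { print (cipher == "" || cipher == "0000") ? "NONE" : cipher }
    '
}

# True when the suite name is a DHE-RSA (finite-field DH, RSA-signed) suite.
is_dhe_rsa() {
    case $1 in
        DHE-RSA-*) return 0 ;;
        *)         return 1 ;;
    esac
}

# openssl client > server: force one DHE-RSA suite over TLS 1.2 via STARTTLS.
# The openssl client > exim case from the report should print NONE here.
probe_openssl_dhe() {
    host=$1; port=${2:-25}    # placeholders; pass a real host and port
    openssl s_client -starttls smtp -connect "$host:$port" -tls1_2 \
        -cipher 'DHE-RSA-AES256-GCM-SHA384' </dev/null 2>/dev/null \
        | negotiated_cipher
}

# gnutls client > server: same idea with gnutls-cli; a priority string that
# keeps only DHE-RSA key exchange and drops TLS 1.0/1.1 like the report's.
# Prints the "- Description:" line of the session, or NONE on failure.
probe_gnutls_dhe() {
    host=$1; port=${2:-25}    # placeholders; pass a real host and port
    gnutls-cli --starttls-proto=smtp --port "$port" \
        --priority 'NORMAL:-KX-ALL:+DHE-RSA:-VERS-TLS1.0:-VERS-TLS1.1' \
        "$host" </dev/null 2>&1 \
        | awk '/^- Description:/ { found = 1; print; exit }
               END { if (!found) print "NONE" }'
}
```

Run `probe_openssl_dhe mail.example.test 25` and `probe_gnutls_dhe mail.example.test 25` against the same server; a DHE-RSA suite from gnutls-cli but NONE from s_client reproduces the asymmetry described in the report.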