On 30 July 2018 at 20:01 ѽ҉ᶬḳ℠ <vtol@gmx.net> wrote:
facing [ no shared cipher ] error with EC private keys. the client connecting to your instance has to support ecdsa
It does - Thunderbird 60.0b10 (64-bit)
[ security.ssl3.ecdhe_ecdsa_aes_256_gcm_sha384;true ]
It seems there is a difference between the private key (rsa vs. ecc -> SSL_CTX?) used for the certificate signing request and the signed certificate.
The csr created from a private key with [ openssl genpkey -algorithm RSA ] and signed by a CA with [ ecdhe_ecdsa ] works with no error.
But as stated in the initial message it does not work if the private key for the csr is generated with [ openssl ecparam -name brainpoolP512t1 -genkey ].
Can you try, with your ECC cert,
openssl s_client -connect server:143 -starttls imap
and paste result?
This is for the certificate where the csr is generated with an EC private key and the [ no shared cipher ] error:
CONNECTED(00000003) write:errno=0
no peer certificate available
No client certificate CA names sent
SSL handshake has read 309 bytes and written 202 bytes Verification: OK
New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : 0000 Session-ID: Session-ID-ctx: Master-Key: PSK identity: None PSK identity hint: None SRP username: None Start Time: 1532969474 Timeout : 7200 (sec) Verify return code: 0 (ok) Extended master secret: no
and this for the certificate where the csr is generated with a RSA private key:
CONNECTED(00000003) depth=0 C = 00, ST = CH, L = DC, O = foo.bar, OU = mail, CN = Server foo.bar Mail IMAP verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 C = 00, ST = CH, L = DC, O = foo.bar, OU = mail, CN = Server foo.bar Mail IMAP verify error:num=21:unable to verify the first certificate verify return:1
Certificate chain 0 s:/C=00/ST=CH/L=DC/O=foo.bar/OU=mail/CN=Server foo.bar Mail IMAP i:/C=00/ST=CH/O=foo.bar/OU=Server/CN=IM Server foo.bar
Server certificate -----BEGIN CERTIFICATE----- [ truncated ] -----END CERTIFICATE----- subject=/C=00/ST=CH/L=DC/O=foo.bar/OU=mail/CN=Server foo.bar Mail IMAP issuer=/C=00/ST=CH/O=foo.bar/OU=Server/CN=IM Server foo.bar
No client certificate CA names sent Peer signing digest: SHA512 Server Temp Key: X25519, 253 bits
SSL handshake has read 2361 bytes and written 295 bytes Verification error: unable to verify the first certificate
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Server public key is 4096 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 Session-ID: C23E6478F4C6372F2A524504031B32EDC9FDCAA343AE5017A09E47C5E7B60DD6 Session-ID-ctx: Master-Key: [ obfuscated ] PSK identity: None PSK identity hint: None SRP username: None Start Time: 1532969755 Timeout : 7200 (sec) Verify return code: 21 (unable to verify the first certificate) Extended master secret: yes
. OK Pre-login capabilities listed, post-login capabilities have more.
Can you configure ssl_cipher_list = ALL and try again? Also, can you send the *PUBLIC* part of the certificate?
Aki