2.3.2.1 - EC keys support?

ѽ҉ᶬḳ℠ vtol at gmx.net
Mon Jul 30 11:32:22 EEST 2018


>>>> facing [ no shared cipher ] error with EC private keys.
>>> the client connecting to your instance has to support ecdsa
>>>
>>>
>> It does - Thunderbird 60.0b10 (64-bit)
>>
>> [ security.ssl3.ecdhe_ecdsa_aes_256_gcm_sha384;true ]
>>
>> It seems there is a difference between the private key (rsa vs. ecc ->
>> SSL_CTX?) used for the certificate signing request and the signed
>> certificate.
>>
>> The csr created from a private key with [ openssl genpkey -algorithm RSA
>> ] and signed by a CA with [ ecdhe_ecdsa ] works with no error.
>>
>> But as stated in the initial message it does not work if the private key
>> for the csr is generated with [ openssl ecparam -name brainpoolP512t1
>> -genkey ].
>>
>>
>
> Can you show doveconf ssl_cipher_list?
>

Tried several variations, e.g. ALL, ALL:HIGH:MEDIUM:LOW and right now
set to
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384
which is working fine when the csr was created from a private key with
RSA algorithm but not if csr key is generated with an EC key.





