2.3.2.1 - EC keys support?

ѽ҉ᶬḳ℠ vtol at gmx.net
Mon Jul 30 20:01:25 EEST 2018


>>>> facing [ no shared cipher ] error with EC private keys.
>>> the client connecting to your instance has to support ecdsa
>>>
>>>
>> It does - Thunderbird 60.0b10 (64-bit)
>>
>> [ security.ssl3.ecdhe_ecdsa_aes_256_gcm_sha384;true ]
>>
>> It seems there is a difference between the private key (rsa vs. ecc ->
>> SSL_CTX?) used for the certificate signing request and the signed
>> certificate.
>>
>> The csr created from a private key with [ openssl genpkey -algorithm RSA
>> ] and signed by a CA with [ ecdhe_ecdsa ] works with no error.
>>
>> But as stated in the initial message it does not work if the private key
>> for the csr is generated with [ openssl ecparam -name brainpoolP512t1
>> -genkey ].
>>
>>
> Can you try, with your ECC cert,
>
> openssl s_client -connect server:143 -starttls imap
>
> and paste result?
>

This is for the certificate where the csr is generated with an EC
private key and the [ no shared cipher ] error:

CONNECTED(00000003)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 309 bytes and written 202 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1532969474
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no

---

and this for the certificate where the csr is generated with an RSA
private key:

CONNECTED(00000003)
depth=0 C = 00, ST = CH, L = DC, O = foo.bar, OU = mail, CN = Server foo.bar Mail IMAP
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = 00, ST = CH, L = DC, O = foo.bar, OU = mail, CN = Server foo.bar Mail IMAP
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=00/ST=CH/L=DC/O=foo.bar/OU=mail/CN=Server foo.bar Mail IMAP
   i:/C=00/ST=CH/O=foo.bar/OU=Server/CN=IM Server foo.bar
---
Server certificate
-----BEGIN CERTIFICATE-----
[ truncated ]
-----END CERTIFICATE-----
subject=/C=00/ST=CH/L=DC/O=foo.bar/OU=mail/CN=Server foo.bar Mail IMAP
issuer=/C=00/ST=CH/O=foo.bar/OU=Server/CN=IM Server foo.bar
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2361 bytes and written 295 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: C23E6478F4C6372F2A524504031B32EDC9FDCAA343AE5017A09E47C5E7B60DD6
    Session-ID-ctx:
    Master-Key: [ obfuscated ]
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1532969755
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: yes
---
. OK Pre-login capabilities listed, post-login capabilities have more.
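
Added example, not part of the original message: a small Python parser for `openssl s_client` output like the two transcripts above, showing why `Verify return code: 0 (ok)` in the first one does not mean a certificate was checked. The sample strings are abridged from those transcripts; the function names `summarize` and `diagnose` are hypothetical.

```python
import re

# Sample input abridged from the two s_client transcripts in the message above.
FAILED = """CONNECTED(00000003)
no peer certificate available
Verification: OK
New, (NONE), Cipher is (NONE)
    Verify return code: 0 (ok)
"""
OK_RSA = """CONNECTED(00000003)
Server Temp Key: X25519, 253 bits
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 21 (unable to verify the first certificate)
"""

def summarize(text):
    """Extract the handshake facts that matter from `openssl s_client` output."""
    def grab(pattern):
        m = re.search(pattern, text, re.M)
        return m.group(1).strip() if m else None
    cipher = grab(r"^New, .*Cipher is (\S+)")
    negotiated = cipher not in (None, "(NONE)", "0000")
    auth = None
    if negotiated and cipher.startswith(("ECDHE-", "DHE-")):
        # TLS 1.2 suite names carry the certificate key type second.
        auth = cipher.split("-")[1]
    code = grab(r"Verify return code: (\d+)")
    return {
        "negotiated": negotiated,
        "cipher": cipher if negotiated else None,
        "cert_auth": auth,
        "peer_cert": "no peer certificate available" not in text,
        "temp_key": grab(r"^Server Temp Key: (.+)$"),
        "verify_code": int(code) if code is not None else None,
    }

def diagnose(s):
    """Turn a summary into findings; verify code 0 is only meaningful with a cert."""
    out = []
    if not s["negotiated"]:
        out.append("handshake aborted: no cipher suite was agreed")
        if not s["peer_cert"] and s["verify_code"] == 0:
            out.append("verify code 0 is vacuous: no certificate was received")
    elif s["verify_code"]:
        out.append(f"handshake ok ({s['cert_auth']} cert), chain unverified: code {s['verify_code']}")
    return out
```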




