2.3.2.1 - EC keys suppport?
ѽ҉ᶬḳ℠
vtol at gmx.net
Mon Jul 30 20:22:47 EEST 2018
>>>>>> facing [ no shared cipher ] error with EC private keys.
>>>>> the client connecting to your instance has to support ecdsa
>>>>>
>>>>>
>>>> It does - Thunderbird 60.0b10 (64-bit)
>>>>
>>>> [ security.ssl3.ecdhe_ecdsa_aes_256_gcm_sha384;true ]
>>>>
>>>> It seems there is a difference between the private key (rsa vs. ecc ->
>>>> SSL_CTX?) used for the certificate signing request and the signed
>>>> certificate.
>>>>
>>>> The csr created from a private key with [ openssl genpkey -algorithm RSA
>>>> ] and signed by a CA with [ ecdhe_ecdsa ] works with no error.
>>>>
>>>> But as stated in the initial message it does not work if the private key
>>>> for the csr is generated with [ openssl ecparam -name brainpoolP512t1
>>>> -genkey ].
>>>>
>>>>
>>> Can you try, with your ECC cert,
>>>
>>> openssl s_client -connect server:143 -starttls imap
>>>
>>> and paste result?
>>>
>> This is for the certificate where the csr is generated with an EC
>> private key and the [ no shared cipher ] error:
>>
>> CONNECTED(00000003)
>> write:errno=0
>> ---
>> no peer certificate available
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 309 bytes and written 202 bytes
>> Verification: OK
>> ---
>> New, (NONE), Cipher is (NONE)
>> Secure Renegotiation IS NOT supported
>> Compression: NONE
>> Expansion: NONE
>> No ALPN negotiated
>> SSL-Session:
>> Protocol : TLSv1.2
>> Cipher : 0000
>> Session-ID:
>> Session-ID-ctx:
>> Master-Key:
>> PSK identity: None
>> PSK identity hint: None
>> SRP username: None
>> Start Time: 1532969474
>> Timeout : 7200 (sec)
>> Verify return code: 0 (ok)
>> Extended master secret: no
>>
>> ---
>>
>> and this for the certificate where the csr is generated with a RSA
>> private key:
>>
>> CONNECTED(00000003)
>> depth=0 C = 00, ST = CH, L = DC, O = foo.bar, OU = mail, CN = Server
>> foo.bar Mail IMAP
>> verify error:num=20:unable to get local issuer certificate
>> verify return:1
>> depth=0 C = 00, ST = CH, L = DC, O = foo.bar, OU = mail, CN = Server
>> foo.bar Mail IMAP
>> verify error:num=21:unable to verify the first certificate
>> verify return:1
>> ---
>> Certificate chain
>> 0 s:/C=00/ST=CH/L=DC/O=foo.bar/OU=mail/CN=Server foo.bar Mail IMAP
>> i:/C=00/ST=CH/O=foo.bar/OU=Server/CN=IM Server foo.bar
>> ---
>> Server certificate
>> -----BEGIN CERTIFICATE-----
>> [ truncated ]
>> -----END CERTIFICATE-----
>> subject=/C=00/ST=CH/L=DC/O=foo.bar/OU=mail/CN=Server foo.bar Mail IMAP
>> issuer=/C=00/ST=CH/O=foo.bar/OU=Server/CN=IM Server foo.bar
>> ---
>> No client certificate CA names sent
>> Peer signing digest: SHA512
>> Server Temp Key: X25519, 253 bits
>> ---
>> SSL handshake has read 2361 bytes and written 295 bytes
>> Verification error: unable to verify the first certificate
>> ---
>> New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
>> Server public key is 4096 bit
>> Secure Renegotiation IS supported
>> Compression: NONE
>> Expansion: NONE
>> No ALPN negotiated
>> SSL-Session:
>> Protocol : TLSv1.2
>> Cipher : ECDHE-RSA-AES256-GCM-SHA384
>> Session-ID:
>> C23E6478F4C6372F2A524504031B32EDC9FDCAA343AE5017A09E47C5E7B60DD6
>> Session-ID-ctx:
>> Master-Key: [ obfuscated ]
>> PSK identity: None
>> PSK identity hint: None
>> SRP username: None
>> Start Time: 1532969755
>> Timeout : 7200 (sec)
>> Verify return code: 21 (unable to verify the first certificate)
>> Extended master secret: yes
>> ---
>> . OK Pre-login capabilities listed, post-login capabilities have more.
>>
>>
>>
> Can you configure ssl_cipher_list = ALL and try again? Also, can you send the *PUBLIC* part of the certificate?
>
[ ssl_cipher_list = ALL ] set/applied
This is for the certificate where the csr is generated with an EC private key and the [ no shared cipher ] error:
CONNECTED(00000003)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 309 bytes and written 202 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1532970888
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
and this for the certificate where the csr is generated with a RSA
private key:
CONNECTED(00000003)
depth=0 C = 00, ST = CH, L = DC, O = foo.bar, OU = mail, CN = Server
foo.bar Mail IMAP
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = 00, ST = CH, L = DC, O = foo.bar, OU = mail, CN = Server
foo.bar Mail IMAP
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=00/ST=CH/L=DC/O=foo.bar/OU=mail/CN=Server foo.bar Mail IMAP
i:/C=00/ST=CH/O=foo.bar/OU=Server/CN=IM Server foo.bar
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFIjCCBIagAwIBAgICEAYwCgYIKoZIzj0EAwQwWTELMAkGA1UEBhMCMDAxCzAJ
BgNVBAgMAkNIMRAwDgYDVQQKDAd2dG9sLm1lMQ8wDQYDVQQLDAZTZXJ2ZXIxGjAY
BgNVBAMMEUlNIFNlcnZlciB2dG9sLm1lMB4XDTE4MDczMDExMTE1NloXDTE5MDcz
MDExMTE1NlowazELMAkGA1UEBhMCMDAxCzAJBgNVBAgMAkNIMQswCQYDVQQHDAJE
QzEQMA4GA1UECgwHdnRvbC5tZTENMAsGA1UECwwEbWFpbDEhMB8GA1UEAwwYU2Vy
dmVyIHZ0b2wubWUgTWFpbCBJTUFQMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC
CgKCAgEAx3Rr6Goz0xHmRGwTC5XWvTYLLXli9nhaSqpfSXSBNembIpAJMQxeZKS5
T1VI1Kufp5HIpBFAXKo/yAMNS4E+LtctX2ITsZD1sUJw20J7TJtDR6mX7qiNJTlT
FXHx5VZWLp2Jv3Wlw85iNUoRcIY2IB3Q9KACTPlMl8Be9BPYAevgyqh5d67LFgwf
77Soq4ppa0sLxTUf1Lyh9lvpIRdDnDhs749PlLrgWIagra2ONdesOlwMOANjn5+8
sKnooVlwsygDEIu2QWYeAJO43GWFMiMtb4sAii52fwbwzLNOA/jF1EDz2zbimBMc
Tcy430CucN7wYQQa8KVU/EdaYXsDRFLPfyvkFw/1GKOm4MzCBNUp3soqMgFCNWix
HwGw82hzMadXqKHwosSoDa291hpboxppYwqohG4rlbLNXZKINTrIYgh4EldI3HGy
YhikuVVODa254DLoj/iS2A7ZWpvDGGqirEMEZEJi9pdO3E5CUctiZFe0zrKk6xX7
VfQq+wZzN2F6LFVyLEIR238FOKfUdoHP5i4d+2HIzUC1ZTYXLMrmC8aLPnvQLKmO
lS8+EPrFz4LTTvw6Tt5oO0TH51FruLRRfp545yuT/7MOt4pf9jXjvuTrQDVTp+z2
6+nZZ5rxv1mAB/d0DvCg3sS3QxnzytmzlE0WVODb9zl0HNVz2GkCAwEAAaOCAV8w
ggFbMAkGA1UdEwQCMAAwHQYDVR0OBBYEFD+YAO8k3NK95IXhPgriJNfICQDuMIGR
BgNVHSMEgYkwgYaAFLcvDVPejjtNaMC39YNvdzbHnbWZoWqkaDBmMQswCQYDVQQG
EwIwMDELMAkGA1UECAwCQ0gxCzAJBgNVBAcMAkRDMRAwDgYDVQQKDAd2dG9sLm1l
MQ8wDQYDVQQLDAZTZXJ2ZXIxGjAYBgNVBAMMEUNBIFNlcnZlciB2dG9sLm1lggIQ
ADAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwEQYIKwYBBQUH
ARgEBTADAgERMEYGA1UdHwQ/MD0wO6A5oDeGNWZpbGU6L2V0Yy9wa2kvdnRvbC5t
ZS9zZXJ2ZXIvaW0vY3JsL2ltX3NlcnZlci5jcmwucGVtMBsGA1UdEQQUMBKHBKwY
bQaCBG1haWyCBGltYXAwCgYIKoZIzj0EAwQDgYkAMIGFAkEAml53KubdaDmaiUXz
ir5NvZmQ8/0B9UbcSKbJq30HJYhx4gotbSYU8LuEYBzAthzHwnQ0FyHV5rZPo4Gp
RBEFkgJAfYk9C3w0urb6KE+e+bFXHketkG+P5aQyUw2kWKI7GikRX2mS5ZbSGNfe
7Q79jSPczn3gguffxmoSW/idw5BpCw==
-----END CERTIFICATE-----
subject=/C=00/ST=CH/L=DC/O=foo.bar/OU=mail/CN=Server foo.bar Mail IMAP
issuer=/C=00/ST=CH/O=foo.bar/OU=Server/CN=IM Server foo.bar
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2361 bytes and written 295 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID:
9636556EDC5BA951A6EE3BCAB17BCFAEEE8B380C097EC0C7F20D68BAF2775782
Session-ID-ctx:
Master-Key: [ obfuscated ]
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1532971172
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: yes
---
. OK Pre-login capabilities listed, post-login capabilities have more.
More information about the dovecot
mailing list