2.3.2.1 - EC keys support?

Aki Tuomi aki.tuomi at dovecot.fi
Mon Jul 30 20:48:40 EEST 2018


> On 30 July 2018 at 20:37 ѽ҉ᶬḳ℠ <vtol at gmx.net> wrote:
> 
> 
> 
> >>>>>>> facing [ no shared cipher ] error with EC private keys.
> >>>>>> the client connecting to your instance has to support ecdsa
> >>>>>>
> >>>>>>
> >>>>> It does - Thunderbird 60.0b10 (64-bit)
> >>>>>
> >>>>> [ security.ssl3.ecdhe_ecdsa_aes_256_gcm_sha384;true ]
> >>>>>
> >>>>> It seems there is a difference between the private key (rsa vs. ecc ->
> >>>>> SSL_CTX?) used for the certificate signing request and the signed
> >>>>> certificate.
> >>>>>
> >>>>> The csr created from a private key with [ openssl genpkey -algorithm RSA
> >>>>> ] and signed by a CA with [ ecdhe_ecdsa ] works with no error.
> >>>>>
> >>>>> But as stated in the initial message it does not work if the private key
> >>>>> for the csr is generated with [ openssl ecparam -name brainpoolP512t1
> >>>>> -genkey ].
> >>>>>
> >>>>>
> >>>> Can you try, with your ECC cert,
> >>>>
> >>>> openssl s_client -connect server:143 -starttls imap
> >>>>
> >>>> and paste result?
> >>>>
> >>> This is for the certificate where the csr is generated with an EC
> >>> private key and the [ no shared cipher ] error:
> >>>
> >>> CONNECTED(00000003)
> >>> write:errno=0
> >>> ---
> >>> no peer certificate available
> >>> ---
> >>> No client certificate CA names sent
> >>> ---
> >>> SSL handshake has read 309 bytes and written 202 bytes
> >>> Verification: OK
> >>> ---
> >>> New, (NONE), Cipher is (NONE)
> >>> Secure Renegotiation IS NOT supported
> >>> Compression: NONE
> >>> Expansion: NONE
> >>> No ALPN negotiated
> >>> SSL-Session:
> >>>     Protocol  : TLSv1.2
> >>>     Cipher    : 0000
> >>>     Session-ID:
> >>>     Session-ID-ctx:
> >>>     Master-Key:
> >>>     PSK identity: None
> >>>     PSK identity hint: None
> >>>     SRP username: None
> >>>     Start Time: 1532969474
> >>>     Timeout   : 7200 (sec)
> >>>     Verify return code: 0 (ok)
> >>>     Extended master secret: no
> >>>
> >>> ---
> >>>
> >>> and this for the certificate where the csr is generated with a RSA
> >>> private key:
> >>>
> >>> CONNECTED(00000003)
> >>> depth=0 C = 00, ST = CH, L = DC, O = foo.bar, OU = mail, CN = Server
> >>> foo.bar Mail IMAP
> >>> verify error:num=20:unable to get local issuer certificate
> >>> verify return:1
> >>> depth=0 C = 00, ST = CH, L = DC, O = foo.bar, OU = mail, CN = Server
> >>> foo.bar Mail IMAP
> >>> verify error:num=21:unable to verify the first certificate
> >>> verify return:1
> >>> ---
> >>> Certificate chain
> >>>  0 s:/C=00/ST=CH/L=DC/O=foo.bar/OU=mail/CN=Server foo.bar Mail IMAP
> >>>    i:/C=00/ST=CH/O=foo.bar/OU=Server/CN=IM Server foo.bar
> >>> ---
> >>> Server certificate
> >>> -----BEGIN CERTIFICATE-----
> >>> [ truncated ]
> >>> -----END CERTIFICATE-----
> >>> subject=/C=00/ST=CH/L=DC/O=foo.bar/OU=mail/CN=Server foo.bar Mail IMAP
> >>> issuer=/C=00/ST=CH/O=foo.bar/OU=Server/CN=IM Server foo.bar
> >>> ---
> >>> No client certificate CA names sent
> >>> Peer signing digest: SHA512
> >>> Server Temp Key: X25519, 253 bits
> >>> ---
> >>> SSL handshake has read 2361 bytes and written 295 bytes
> >>> Verification error: unable to verify the first certificate
> >>> ---
> >>> New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
> >>> Server public key is 4096 bit
> >>> Secure Renegotiation IS supported
> >>> Compression: NONE
> >>> Expansion: NONE
> >>> No ALPN negotiated
> >>> SSL-Session:
> >>>     Protocol  : TLSv1.2
> >>>     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
> >>>     Session-ID:
> >>> C23E6478F4C6372F2A524504031B32EDC9FDCAA343AE5017A09E47C5E7B60DD6
> >>>     Session-ID-ctx:
> >>>     Master-Key: [ obfuscated ]
> >>>     PSK identity: None
> >>>     PSK identity hint: None
> >>>     SRP username: None
> >>>     Start Time: 1532969755
> >>>     Timeout   : 7200 (sec)
> >>>     Verify return code: 21 (unable to verify the first certificate)
> >>>     Extended master secret: yes
> >>> ---
> >>> . OK Pre-login capabilities listed, post-login capabilities have more.
> >>>
> >>>
> >>>
> >> Can you configure ssl_cipher_list = ALL and try again? Also, can you send the *PUBLIC* part of the certificate?
> >>
> > [ ssl_cipher_list = ALL ] set/applied
> >
> > This is for the certificate where the csr is generated with an EC private key and the [ no shared cipher ] error:
> >
> > CONNECTED(00000003)
> > write:errno=0
> > ---
> > no peer certificate available
> > ---
> > No client certificate CA names sent
> > ---
> > SSL handshake has read 309 bytes and written 202 bytes
> > Verification: OK
> > ---
> > New, (NONE), Cipher is (NONE)
> > Secure Renegotiation IS NOT supported
> > Compression: NONE
> > Expansion: NONE
> > No ALPN negotiated
> > SSL-Session:
> >     Protocol  : TLSv1.2
> >     Cipher    : 0000
> >     Session-ID:
> >     Session-ID-ctx:
> >     Master-Key:
> >     PSK identity: None
> >     PSK identity hint: None
> >     SRP username: None
> >     Start Time: 1532970888
> >     Timeout   : 7200 (sec)
> >     Verify return code: 0 (ok)
> >     Extended master secret: no
> >
> > ---
> >
> > and this for the certificate where the csr is generated with a RSA
> > private key:
> >
> > CONNECTED(00000003)
> > depth=0 C = 00, ST = CH, L = DC, O = foo.bar, OU = mail, CN = Server
> > foo.bar Mail IMAP
> > verify error:num=20:unable to get local issuer certificate
> > verify return:1
> > depth=0 C = 00, ST = CH, L = DC, O = foo.bar, OU = mail, CN = Server
> > foo.bar Mail IMAP
> > verify error:num=21:unable to verify the first certificate
> > verify return:1
> > ---
> > Certificate chain
> >  0 s:/C=00/ST=CH/L=DC/O=foo.bar/OU=mail/CN=Server foo.bar Mail IMAP
> >    i:/C=00/ST=CH/O=foo.bar/OU=Server/CN=IM Server foo.bar
> > ---
> > Server certificate
> > subject=/C=00/ST=CH/L=DC/O=foo.bar/OU=mail/CN=Server foo.bar Mail IMAP
> > issuer=/C=00/ST=CH/O=foo.bar/OU=Server/CN=IM Server foo.bar
> > ---
> > No client certificate CA names sent
> > Peer signing digest: SHA512
> > Server Temp Key: X25519, 253 bits
> > ---
> > SSL handshake has read 2361 bytes and written 295 bytes
> > Verification error: unable to verify the first certificate
> > ---
> > New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
> > Server public key is 4096 bit
> > Secure Renegotiation IS supported
> > Compression: NONE
> > Expansion: NONE
> > No ALPN negotiated
> > SSL-Session:
> >     Protocol  : TLSv1.2
> >     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
> >     Session-ID:
> > 9636556EDC5BA951A6EE3BCAB17BCFAEEE8B380C097EC0C7F20D68BAF2775782
> >     Session-ID-ctx:
> >     Master-Key: [ obfuscated ]
> >     PSK identity: None
> >     PSK identity hint: None
> >     SRP username: None
> >     Start Time: 1532971172
> >     Timeout   : 7200 (sec)
> >     Verify return code: 21 (unable to verify the first certificate)
> >     Extended master secret: yes
> > ---
> > . OK Pre-login capabilities listed, post-login capabilities have more.
> >
> >
> 
> Missed the public certificate where the csr is generated with an EC
> private key and the [ no shared cipher ] error:
> 
> 
> 
>

I did some local testing and it seems that you are using a curve that is not acceptable for openssl as a server key.

I tested with openssl s_server -cert ec-cert.pem -key ec-key.pem -port 5555

using cert generated with brainpool. Everything works if I use prime256v1 or secp521r1. This is a limitation in OpenSSL and not something we can really do anything about.

Aki Tuomi
Open-Xchange Oy
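
A pre-deployment check related to the curve problem in the message above, added here and not part of the original thread or of Dovecot or OpenSSL: it reads the named curve from a certificate's (or key's) DER/PEM data and reports whether TLS assigns that curve a supported_groups id (RFC 8422, RFC 7027), which brainpoolP512t1 lacks. The function names, the curve table (limited to the curves mentioned in this thread plus their neighbours) and the sample bytes are constructed for this example.

```python
import base64, re, sys

ID_EC_PUBLIC_KEY = bytes.fromhex("06072a8648ce3d0201")  # OID 1.2.840.10045.2.1

# Curve OID -> (name, TLS supported_groups id); ids from RFC 8422 and RFC 7027.
# None means TLS assigns no id, so a ClientHello cannot name the curve.
# The table is illustrative, not exhaustive.
CURVES = {
    "1.2.840.10045.3.1.7": ("prime256v1", 23),
    "1.3.132.0.34": ("secp384r1", 24),
    "1.3.132.0.35": ("secp521r1", 25),
    "1.3.36.3.3.2.8.1.1.7": ("brainpoolP256r1", 26),
    "1.3.36.3.3.2.8.1.1.11": ("brainpoolP384r1", 27),
    "1.3.36.3.3.2.8.1.1.13": ("brainpoolP512r1", 28),
    "1.3.36.3.3.2.8.1.1.14": ("brainpoolP512t1", None),
}

def decode_oid(body):
    """Decode the content bytes of a DER OBJECT IDENTIFIER to dotted form."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)   # base-128, high bit = "more follows"
        if b & 0x80:
            continue
        if arcs:
            arcs.append(value)
        else:                               # first value packs the first two arcs
            first = min(value // 40, 2)
            arcs += [first, value - 40 * first]
        value = 0
    return ".".join(map(str, arcs))

def tls_check(data):
    """Return (curve name or OID, TLS group id or None) for PEM or DER input."""
    pem = re.search(rb"-----BEGIN [^-]+-----(.*?)-----END", data, re.S)
    der = base64.b64decode(pem.group(1)) if pem else data
    pos = der.find(ID_EC_PUBLIC_KEY)
    if pos < 0:
        return ("not-ec", None)             # e.g. an RSA key
    pos += len(ID_EC_PUBLIC_KEY)
    if der[pos:pos + 1] != b"\x06" or pos + 2 > len(der):
        return ("explicit-params", None)    # curve not given as a named OID
    oid = decode_oid(der[pos + 2:pos + 2 + der[pos + 1]])  # short-form length
    return CURVES.get(oid, (oid, None))     # unlisted curves come back as OID

# Constructed samples: AlgorithmIdentifier of an EC SubjectPublicKeyInfo.
SAMPLE_T1 = bytes.fromhex("301406072a8648ce3d020106092b240303020801010e")
SAMPLE_P256 = bytes.fromhex("301306072a8648ce3d020106082a8648ce3d030107")

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_T1
    print(tls_check(blob))
```

Run it with a certificate or key file as the only argument; a result whose second element is None for an EC key means ECDSA cipher suites cannot be negotiated with that key.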

