> On 30 July 2018 at 20:01 ѽ҉ᶬḳ℠ <[email protected]> wrote:
>
> >>>> facing [ no shared cipher ] error with EC private keys.
> >>> the client connecting to your instance has to support ecdsa
> >>>
> >> It does - Thunderbird 60.0b10 (64-bit)
> >>
> >> [ security.ssl3.ecdhe_ecdsa_aes_256_gcm_sha384;true ]
> >>
> >> It seems there is a difference between the private key (rsa vs. ecc ->
> >> SSL_CTX?) used for the certificate signing request and the signed
> >> certificate.
> >>
> >> The csr created from a private key with [ openssl genpkey -algorithm RSA
> >> ] and signed by a CA with [ ecdhe_ecdsa ] works with no error.
> >>
> >> But as stated in the initial message it does not work if the private key
> >> for the csr is generated with [ openssl ecparam -name brainpoolP512t1
> >> -genkey ].
> >>
> > Can you try, with your ECC cert,
> >
> > openssl s_client -connect server:143 -starttls imap
> >
> > and paste result?
>
> This is for the certificate where the csr is generated with an EC
> private key and the [ no shared cipher ] error:
>
> CONNECTED(00000003)
> write:errno=0
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 309 bytes and written 202 bytes
> Verification: OK
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : 0000
>     Session-ID:
>     Session-ID-ctx:
>     Master-Key:
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     Start Time: 1532969474
>     Timeout   : 7200 (sec)
>     Verify return code: 0 (ok)
>     Extended master secret: no
> ---
>
> and this for the certificate where the csr is generated with a RSA
> private key:
>
> CONNECTED(00000003)
> depth=0 C = 00, ST = CH, L = DC, O = foo.bar, OU = mail, CN = Server foo.bar Mail IMAP
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 C = 00, ST = CH, L = DC, O = foo.bar, OU = mail, CN = Server foo.bar Mail IMAP
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
>  0 s:/C=00/ST=CH/L=DC/O=foo.bar/OU=mail/CN=Server foo.bar Mail IMAP
>    i:/C=00/ST=CH/O=foo.bar/OU=Server/CN=IM Server foo.bar
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> [ truncated ]
> -----END CERTIFICATE-----
> subject=/C=00/ST=CH/L=DC/O=foo.bar/OU=mail/CN=Server foo.bar Mail IMAP
> issuer=/C=00/ST=CH/O=foo.bar/OU=Server/CN=IM Server foo.bar
> ---
> No client certificate CA names sent
> Peer signing digest: SHA512
> Server Temp Key: X25519, 253 bits
> ---
> SSL handshake has read 2361 bytes and written 295 bytes
> Verification error: unable to verify the first certificate
> ---
> New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
> Server public key is 4096 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
>     Session-ID: C23E6478F4C6372F2A524504031B32EDC9FDCAA343AE5017A09E47C5E7B60DD6
>     Session-ID-ctx:
>     Master-Key: [ obfuscated ]
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     Start Time: 1532969755
>     Timeout   : 7200 (sec)
>     Verify return code: 21 (unable to verify the first certificate)
>     Extended master secret: yes
> ---
> . OK Pre-login capabilities listed, post-login capabilities have more.
Can you configure ssl_cipher_list = ALL and try again?

Also, can you send the *PUBLIC* part of the certificate?

Aki
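A local reproduction of the difference between the two s_client transcripts above, added here as an example and not code from the thread or from Dovecot: it builds a self-signed ECDSA certificate on a chosen curve, serves it with openssl s_server over TLS 1.2, and connects with a client that advertises only X25519 and the NIST curves, which is assumed here to approximate what a mail client offers. It assumes openssl is in PATH and loopback port 14443 (overridable via PORT) is free.

```shell
#!/bin/sh
# Added reproduction of the "no shared cipher" symptom, not from the thread.
# In TLS 1.2 an ECDSA server certificate can only be selected when the client
# lists the certificate's curve in its supported_groups extension. A client
# offering X25519 and the NIST curves only (assumed here to approximate a mail
# client's defaults) therefore cannot use a brainpool key; brainpoolP512t1
# additionally has no TLS group identifier at all (RFC 7027 registers only
# the r1 variants), so no client can advertise it.
# Assumptions: openssl in PATH; loopback port $PORT (default 14443) is free.

PORT=${PORT:-14443}
CLIENT_CURVES="X25519:P-256:P-384:P-521"

# handshake_with_curve CURVE
# Prints "ok" when an ECDHE-ECDSA suite is negotiated, "no-shared-cipher"
# when the server aborts the handshake, "keygen-failed" if this openssl
# build lacks the curve.
handshake_with_curve() {
    curve=$1
    dir=$(mktemp -d)
    # Constructed test PKI: a throwaway key on the requested curve and a
    # self-signed certificate for it (no CA chain is needed for this test).
    if ! openssl ecparam -name "$curve" -genkey -noout -out "$dir/key.pem" 2>/dev/null; then
        rm -rf "$dir"; echo "keygen-failed"; return 1
    fi
    openssl req -new -x509 -key "$dir/key.pem" -subj "/CN=localhost" \
        -days 1 -out "$dir/cert.pem" 2>/dev/null
    # Server side: TLS 1.2 only, mirroring the transcripts in the thread.
    openssl s_server -accept "$PORT" -tls1_2 -naccept 1 -quiet \
        -key "$dir/key.pem" -cert "$dir/cert.pem" >/dev/null 2>&1 &
    spid=$!
    sleep 1
    # Client side: restrict the advertised groups; "Q" closes the session.
    out=$(echo Q | openssl s_client -connect "127.0.0.1:$PORT" -tls1_2 \
        -curves "$CLIENT_CURVES" 2>&1 || true)
    kill "$spid" 2>/dev/null || true
    wait "$spid" 2>/dev/null || true
    rm -rf "$dir"
    case $out in
        *"Cipher is ECDHE-ECDSA"*) echo "ok" ;;
        *"Cipher is (NONE)"*)     echo "no-shared-cipher" ;;
        *)                        echo "unexpected" ;;
    esac
}

# Usage: compare a NIST curve with the curve used in the thread.
for c in prime256v1 brainpoolP512t1; do
    printf '%-16s %s\n' "$c" "$(handshake_with_curve "$c")"
done
```

Run it against a server you operate only; the same comparison can be made on a live Dovecot by adding `-curves` to the s_client command from the thread.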
