>>>>>> facing [ no shared cipher ] error with EC private keys.
>>>>> the client connecting to your instance has to support ecdsa
>>>>>
>>>> It does - Thunderbird 60.0b10 (64-bit)
>>>>
>>>> [ security.ssl3.ecdhe_ecdsa_aes_256_gcm_sha384;true ]
>>>>
>>>> It seems there is a difference between the private key (rsa vs. ecc ->
>>>> SSL_CTX?) used for the certificate signing request and the signed
>>>> certificate.
>>>>
>>>> The csr created from a private key with [ openssl genpkey -algorithm RSA ]
>>>> and signed by a CA with [ ecdhe_ecdsa ] works with no error.
>>>>
>>>> But as stated in the initial message it does not work if the private key
>>>> for the csr is generated with [ openssl ecparam -name brainpoolP512t1 -genkey ].
>>>>
>>> Can you try, with your ECC cert,
>>>
>>> openssl s_client -connect server:143 -starttls imap
>>>
>>> and paste result?
>>>
>> This is for the certificate where the csr is generated with an EC
>> private key and the [ no shared cipher ] error:
>>
>> CONNECTED(00000003)
>> write:errno=0
>> ---
>> no peer certificate available
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 309 bytes and written 202 bytes
>> Verification: OK
>> ---
>> New, (NONE), Cipher is (NONE)
>> Secure Renegotiation IS NOT supported
>> Compression: NONE
>> Expansion: NONE
>> No ALPN negotiated
>> SSL-Session:
>>     Protocol  : TLSv1.2
>>     Cipher    : 0000
>>     Session-ID:
>>     Session-ID-ctx:
>>     Master-Key:
>>     PSK identity: None
>>     PSK identity hint: None
>>     SRP username: None
>>     Start Time: 1532969474
>>     Timeout   : 7200 (sec)
>>     Verify return code: 0 (ok)
>>     Extended master secret: no
>> ---
>>
>> and this for the certificate where the csr is generated with an RSA
>> private key:
>>
>> CONNECTED(00000003)
>> depth=0 C = 00, ST = CH, L = DC, O = foo.bar, OU = mail, CN = Server foo.bar Mail IMAP
>> verify error:num=20:unable to get local issuer certificate
>> verify return:1
>> depth=0 C = 00, ST = CH, L = DC, O = foo.bar, OU = mail, CN = Server foo.bar Mail IMAP
>> verify error:num=21:unable to verify the first certificate
>> verify return:1
>> ---
>> Certificate chain
>>  0 s:/C=00/ST=CH/L=DC/O=foo.bar/OU=mail/CN=Server foo.bar Mail IMAP
>>    i:/C=00/ST=CH/O=foo.bar/OU=Server/CN=IM Server foo.bar
>> ---
>> Server certificate
>> -----BEGIN CERTIFICATE-----
>> [ truncated ]
>> -----END CERTIFICATE-----
>> subject=/C=00/ST=CH/L=DC/O=foo.bar/OU=mail/CN=Server foo.bar Mail IMAP
>> issuer=/C=00/ST=CH/O=foo.bar/OU=Server/CN=IM Server foo.bar
>> ---
>> No client certificate CA names sent
>> Peer signing digest: SHA512
>> Server Temp Key: X25519, 253 bits
>> ---
>> SSL handshake has read 2361 bytes and written 295 bytes
>> Verification error: unable to verify the first certificate
>> ---
>> New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
>> Server public key is 4096 bit
>> Secure Renegotiation IS supported
>> Compression: NONE
>> Expansion: NONE
>> No ALPN negotiated
>> SSL-Session:
>>     Protocol  : TLSv1.2
>>     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
>>     Session-ID: C23E6478F4C6372F2A524504031B32EDC9FDCAA343AE5017A09E47C5E7B60DD6
>>     Session-ID-ctx:
>>     Master-Key: [ obfuscated ]
>>     PSK identity: None
>>     PSK identity hint: None
>>     SRP username: None
>>     Start Time: 1532969755
>>     Timeout   : 7200 (sec)
>>     Verify return code: 21 (unable to verify the first certificate)
>>     Extended master secret: yes
>> ---
>> . OK Pre-login capabilities listed, post-login capabilities have more.
>>
> Can you configure ssl_cipher_list = ALL and try again? Also, can you send the
> *PUBLIC* part of the certificate?
>
[ ssl_cipher_list = ALL ] set/applied

This is for the certificate where the csr is generated with an EC
private key and the [ no shared cipher ] error:

CONNECTED(00000003)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 309 bytes and written 202 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1532970888
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

and this for the certificate where the csr is generated with an RSA
private key:

CONNECTED(00000003)
depth=0 C = 00, ST = CH, L = DC, O = foo.bar, OU = mail, CN = Server foo.bar Mail IMAP
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = 00, ST = CH, L = DC, O = foo.bar, OU = mail, CN = Server foo.bar Mail IMAP
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=00/ST=CH/L=DC/O=foo.bar/OU=mail/CN=Server foo.bar Mail IMAP
   i:/C=00/ST=CH/O=foo.bar/OU=Server/CN=IM Server foo.bar
---
Server certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=/C=00/ST=CH/L=DC/O=foo.bar/OU=mail/CN=Server foo.bar Mail IMAP
issuer=/C=00/ST=CH/O=foo.bar/OU=Server/CN=IM Server foo.bar
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2361 bytes and written 295 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 9636556EDC5BA951A6EE3BCAB17BCFAEEE8B380C097EC0C7F20D68BAF2775782
    Session-ID-ctx:
    Master-Key: [ obfuscated ]
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1532971172
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: yes
---
. OK Pre-login capabilities listed, post-login capabilities have more.