Hi all,

Testing my TLSA setup here
        https://www.huque.com/bin/danecheck
always fails with the EC cert, while the RSA cert succeeds:
DNS TLSA RRset:
  qname: _25._tcp.tmx3.lrau.net.
  3 0 1 0b3eae57d593d773cf6582d5e59f26681716678fd86535fef867dec1708e45b2
  3 0 1 de449278a5c30ab0e50a3ed89d31e6625847cd884247b40230f8c866a2d65120
IP Addresses found:
  2a05:bec0:26:18::91
  91.216.35.191

## Checking tmx3.lrau.net 2a05:bec0:26:18::91 port 25
DANE TLSA 3 0 1 [0b3eae57..]: FAIL did not match EE certificate
DANE TLSA 3 0 1 [de449278..]: OK matched EE certificate

I have verified the TLSA hash of the ec cert here
        https://www.huque.com/bin/gen_tlsa

I tried without tls_require_ciphers or with
        tls_require_ciphers = ECDSA:RSA:HIGH:!MD5:!SHA1:!COMPLEMENTOFDEFAULT
but all fail.

Axel

PS:
tls_certificate =   /usr/local/etc/exim/tmx3.lrau.net_server_ec_cert_cacert.pem : \
                    /usr/local/etc/exim/tmx3.lrau.net_server_cert_cacert.pem
tls_privatekey =    /usr/local/etc/exim/tmx3.lrau.net_server_ec_key.pem : \
                    /usr/local/etc/exim/tmx3.lrau.net_server_key.pem

---
PGP-Key: CDE74120  ☀  computing @ chaos claudius

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
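
How a `3 0 1` record is compared with the single EE certificate presented in one handshake, as an added example that is not part of the original post and is not danecheck's or Exim's code. The certificates are constructed stand-in bytes, the hashes are derived from them rather than taken from the post, and the bundle layout (EE certificate first, then CA certificate) is an assumption based on the `_cert_cacert.pem` file names.

```python
import hashlib
import re
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def ee_tlsa_3_0_1(pem_bundle: str) -> str:
    """SHA-256 (mtype 1) over the full DER (selector 0) of the first cert.

    Assumes the bundle lists the EE certificate first, then CA certificates.
    """
    blocks = PEM_BLOCK.findall(pem_bundle)
    if not blocks:
        raise ValueError("no certificate found in PEM input")
    der = ssl.PEM_cert_to_DER_cert(blocks[0])
    return hashlib.sha256(der).hexdigest()


def parse_tlsa(rdata: str):
    """Split '3 0 1 <hex>' into (usage, selector, mtype, data)."""
    usage, selector, mtype, data = rdata.split(None, 3)
    return int(usage), int(selector), int(mtype), "".join(data.split()).lower()


def check_rrset(rrset, presented_pem: str):
    """Return (rdata, matched) for each record against the presented cert."""
    presented = ee_tlsa_3_0_1(presented_pem)
    results = []
    for rdata in rrset:
        usage, selector, mtype, data = parse_tlsa(rdata)
        if (usage, selector, mtype) != (3, 0, 1):
            raise ValueError(f"only 3 0 1 is handled here: {rdata!r}")
        results.append((rdata, data == presented))
    return results


# Constructed stand-ins: arbitrary bytes in PEM armor, not real X.509.
# Selector 0 hashes the DER as-is, so the matcher never parses the certificate.
CA_PEM = ssl.DER_cert_to_PEM_cert(b"constructed CA certificate")
EC_BUNDLE = ssl.DER_cert_to_PEM_cert(b"constructed EC EE certificate") + CA_PEM
RSA_BUNDLE = ssl.DER_cert_to_PEM_cert(b"constructed RSA EE certificate") + CA_PEM
RRSET = ["3 0 1 " + ee_tlsa_3_0_1(EC_BUNDLE), "3 0 1 " + ee_tlsa_3_0_1(RSA_BUNDLE)]

if __name__ == "__main__":
    for rdata, ok in check_rrset(RRSET, RSA_BUNDLE):
        verdict = "OK matched" if ok else "FAIL did not match"
        print(f"DANE TLSA 3 0 1 [{rdata.split()[3][:8]}..]: {verdict} EE certificate")
```

With real files, pass the contents of the PEM bundle the server is configured with, or the certificate captured from a handshake, as `presented_pem`.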