Re: [exim] How to get ec cert used with DANE and ec+rsa certs

[Viktor Dukhovni via Exim-users]

On Mon, Sep 07, 2020 at 06:14:37PM +0200, Axel Rau via Exim-users wrote:

> testing my TLSA setup here
>       https://www.huque.com/bin/danecheck
> fails always with the ec cert, while the rsa cert succeeds:

Are you sure you're interpreting the results correctly?

> DNS TLSA RRset:
>   qname: _25._tcp.tmx3.lrau.net.
>   3 0 1 0b3eae57d593d773cf6582d5e59f26681716678fd86535fef867dec1708e45b2
>   3 0 1 de449278a5c30ab0e50a3ed89d31e6625847cd884247b40230f8c866a2d65120

Forcing RSA with TLSA 1.3 via RSA-only sigalgs shows the RSA TLSA RR
matching:

    $ openssl s_client -starttls smtp -connect tmx3.lrau.net:25 -verify 9 -brief
        -dane_tlsa_domain tmx3.lrau.net \
        -dane_tlsa_rrdata "3 0 1 
de449278a5c30ab0e50a3ed89d31e6625847cd884247b40230f8c866a2d65120" \
        -dane_tlsa_rrdata "3 0 1 
0b3eae57d593d773cf6582d5e59f26681716678fd86535fef867dec1708e45b2" \
        -sigalgs 
rsa_pkcs1_sha256:rsa_pkcs1_sha384:rsa_pkcs1_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512
    verify depth is 9
    CONNECTION ESTABLISHED
    Protocol version: TLSv1.3
    Ciphersuite: TLS_AES_256_GCM_SHA384
    Peer certificate: CN = tmx3.lrau.net
    Hash used: SHA256
    Signature type: RSA-PSS
    Verification: OK
    Verified peername: tmx3.lrau.net
    DANE TLSA 3 0 1 ...4247b40230f8c866a2d65120 matched EE certificate at depth 0
    Server Temp Key: X25519, 253 bits
    250 HELP
    quit
    221 tmx3.lrau.net closing connection

Forcing ECDSA with TLSA 1.3 via RSA-only sigalgs shows the ECDSA TLSA RR
matching:

    $ openssl s_client -starttls smtp -connect tmx3.lrau.net:25 -verify 9 
-brief \
        -dane_tlsa_domain tmx3.lrau.net \
        -dane_tlsa_rrdata "3 0 1 
de449278a5c30ab0e50a3ed89d31e6625847cd884247b40230f8c866a2d65120" \
        -dane_tlsa_rrdata "3 0 1 
0b3eae57d593d773cf6582d5e59f26681716678fd86535fef867dec1708e45b2" \
        -sigalgs 
ecdsa_secp256r1_sha256:ecdsa_secp384r1_sha384:ecdsa_secp521r1_sha512
    verify depth is 9
    CONNECTION ESTABLISHED
    Protocol version: TLSv1.3
    Ciphersuite: TLS_AES_256_GCM_SHA384
    Peer certificate: CN = tmx3.lrau.net
    Hash used: SHA384
    Signature type: ECDSA
    Verification: OK
    Verified peername: tmx3.lrau.net
    DANE TLSA 3 0 1 ...d86535fef867dec1708e45b2 matched EE certificate at depth 0
    Server Temp Key: X25519, 253 bits
    250 HELP
    quit
    221 tmx3.lrau.net closing connection

> ## Checking tmx3.lrau.net 2a05:bec0:26:18::91 port 25
> DANE TLSA 3 0 1 [0b3eae57..]: FAIL did not match EE certificate
> DANE TLSA 3 0 1 [de449278..]: OK matched EE certificate

Presumably because only RSA was negotiated (mind you in my tests I get
ECDSA by default, and have to go out of my way to get RSA, but that does
not matter so much).

> I tried without tls_require_ciphers or with
>       tls_require_ciphers = ECDSA:RSA:HIGH:!MD5:!SHA1:!COMPLEMENTOFDEFAULT
> but all fails.

These ciphers have no effect on TLS 1.3, which uses a completely
different cipher selection mechanism.

However, enabling multiple algorithms is an advanced use-case, you're
probably better off with just RSA for now.  See:

    https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html

-- 
    Viktor.

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/