On Wed, Dec 17, 2025 at 04:49:01PM +0000, Slavko wrote:
> On 17 December 2025 at 14:17:43 UTC, Viktor Dukhovni via mailop 
> <[email protected]> wrote:
> 
> >When a client offers support for both, your server likely chooses ECDSA
> >over RSA, but you should be able to change their relative preference and
> >still offer both RSA and EC certs.  Though in that case you'd very rarely
> >negotiate ECDSA, since very few clients will support only ECDSA, and
> >your server will always choose RSA when the client supports both.
> 
> But then it is client's problem, if it offers support for both and then
> doesn't accept the ECC one. Or am I wrong?

Yes, the client may be at fault, though perhaps somewhat indirectly, as
it might support ECC generally, but lack the associated ECC root CA in
its CA trust store.  And its (also unwise) policy might simply be to
require a trusted certificate (even absent MTA-STS or similar good
reason to expect a validatable trust chain).

If the root CA of Ralf's ECC chain has a fallback cross-certificate from
a more widely trusted RSA root, it might be wise to include that in the
server's certchain file; this may be sufficient to get the ECC chain to
work for the problem senders.

-- 
    Viktor.  🇺🇦 Glory to Ukraine!
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
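The cross-certificate suggestion above, demonstrated with a toy PKI built from the openssl CLI (an added example, not code from the thread or from any participant): a leaf issued by an ECC root validates for a client that trusts only the RSA root exactly when the cross-certificate is part of the chain the server sends. All names, files and serial numbers are constructed.

```shell
# Added example: toy PKI showing why a cross-certificate belongs in the chain file.
# Assumes only the openssl CLI; everything is written to a fresh temp directory.
set -e
PKI=$(mktemp -d)

# issue_cert <csr> <out> <ca-cert|-> <signing-key> <serial> <ext-file>
# With "-" as the CA cert the certificate is self-signed with <signing-key>.
issue_cert() {
  if [ "$3" = "-" ]; then
    openssl x509 -req -in "$1" -signkey "$4" -set_serial "$5" -days 30 \
      -extfile "$6" -out "$2" 2>/dev/null
  else
    openssl x509 -req -in "$1" -CA "$3" -CAkey "$4" -set_serial "$5" -days 30 \
      -extfile "$6" -out "$2" 2>/dev/null
  fi
}

build_toy_pki() (
  cd "$PKI"
  printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\n' > leaf.ext
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out rsa-root.key 2>/dev/null
  openssl ecparam -name prime256v1 -genkey -noout -out ecc-root.key
  openssl ecparam -name prime256v1 -genkey -noout -out leaf.key
  openssl req -new -key rsa-root.key -subj "/CN=Toy RSA Root" -out rsa-root.csr
  openssl req -new -key ecc-root.key -subj "/CN=Toy ECC Root" -out ecc-root.csr
  openssl req -new -key leaf.key -subj "/CN=mail.example.test" -out leaf.csr
  # the widely trusted RSA root and the newer ECC root, both self-signed
  issue_cert rsa-root.csr rsa-root.crt - rsa-root.key 1 ca.ext
  issue_cert ecc-root.csr ecc-root.crt - ecc-root.key 2 ca.ext
  # cross-certificate: the ECC root's name and key, but signed by the RSA root
  issue_cert ecc-root.csr ecc-cross.crt rsa-root.crt rsa-root.key 3 ca.ext
  # the server's ECDSA leaf, issued by the ECC root
  issue_cert leaf.csr leaf.crt ecc-root.crt ecc-root.key 4 leaf.ext
)

# validates <root the client trusts> <extra cert the server sends with the leaf>
validates() {
  openssl verify -CAfile "$PKI/$1" -untrusted "$PKI/$2" "$PKI/leaf.crt" >/dev/null 2>&1
}
# verdict prints OK or FAIL for the same arguments
verdict() { if validates "$1" "$2"; then echo OK; else echo FAIL; fi; }

build_toy_pki
for trust in rsa-root.crt ecc-root.crt; do
  for chain in ecc-root.crt ecc-cross.crt; do
    echo "client trusts $trust, server also sends $chain: $(verdict "$trust" "$chain")"
  done
done
```

Only the combination "client trusts rsa-root.crt, server sends ecc-root.crt" fails; clients that already trust the ECC root are unaffected by the extra cross-certificate.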