> On Jun 9, 2020, at 7:22 PM, Viktor Dukhovni <postfix-us...@dukhovni.org> > wrote: > > This predates support for automatic negotiated EC curve selection > in OpenSSL, and is now just a bad idea. The default "auto" setting > is the only correct one to use. That said, how this breaks loading > of RSA certificate chains is rather a deep mystery I shall pursue > with the OpenSSL team.
Turns out the problem is that my SNI code in Postfix did not expect to be called twice for the same connection as happens with TLS 1.3 HRR (hello retry requests) when the client's key share guess does not match the server's supported signature algorithms (e.g. only P384 with "smtpd_tls_eecdh_grade = ultra"). Git commit at: https://github.com/vdukhovni/postfix/commit/851b525c5c09405c48b8cd697d14cb0d2edbb68b Raw patch: https://github.com/vdukhovni/postfix/commit/851b525c5c09405c48b8cd697d14cb0d2edbb68b.patch This applies to Postfix 3.4, 3.5 and 3.6 snapshots. -- Viktor.
