Sunday, 26 August 2018

Postfix with ECDSA certificate not connecting

I was playing with this a while back; it didn't work and got forgotten about, but this time I dug into it further.

There are lots of guides for setting this up such as

https://zhadum.org.uk/2015/07/25/ssl-certificate-agility-with-postfix/

but this did not work for me.  Using

openssl s_client -cipher ECDHE-ECDSA-AES128-SHA -connect localhost:25 -starttls smtp

CONNECTED(00000003)
1995830688:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1399:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent

failed and said the server had presented no cert.

After looking at my cert file I noticed:

 openssl x509 -text -noout
-----BEGIN CERTIFICATE-----
MIID9zCCA5ygAwIBAgIQJDK88IzKKF3Cva9HhMswejAKBggqhkjOPQQDAjCBkDEL
MAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UE
BxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxNjA0BgNVBAMT

...

        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub: 
                    04:24:64:3c:45:da:96:fe:eb:cd:0b:4c:9b:da:4f:
                    db:dd:0d:fa:e9:14:54:67:96:3e:81:3f:55:b8:1d:
                    36:0a:db:c7:a8:be:32:a2:5d:59:4c:dd:c6:11:78:
                    a4:cd:6b:12:c4:0d:76:af:6e:ef:8e:b5:78:4a:ae:
                    94:5a:90:ac:21:04:6a:f1:f2:6e:2e:8d:87:d8:46:
                    a3:54:f3:7e:f0:08:8e:81:3b:1c:0a:1d:ff:b8:a7:
                    fd:db:91:3a:b6:0b:48
                ASN1 OID: secp384r1
                NIST CURVE: P-384

From the Postfix documentation page:

    smtpd_tls_eecdh_grade = strong | ultra
    # Underlying curves, best not changed:
    # tls_eecdh_strong_curve = prime256v1
    # tls_eecdh_ultra_curve = secp384r1

In my version (3.1) it defaults to strong:

postconf -d | grep smtpd_tls_eecdh_grade
smtpd_tls_eecdh_grade = strong

but it needs to be set to ultra to support secp384r1, the curve the cert was issued with. So adding the line

smtpd_tls_eecdh_grade = ultra

to main.cf made the cert work.

None of the other articles I have seen mention this so maybe it's not that common.
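A small preflight check for exactly this mismatch, added here as an example (it is not part of the original post or of Postfix): it reads the curve out of `openssl x509 -text -noout` output and the grade out of main.cf, assuming the Postfix 3.1 default of strong and the grade-to-curve mapping quoted above, and runs on constructed sample input.

```python
import re

# Curve that each Postfix 3.1 smtpd_tls_eecdh_grade selects (the tls_eecdh_*_curve defaults quoted above).
GRADE_CURVE = {"strong": "prime256v1", "ultra": "secp384r1"}
CURVE_GRADE = {curve: grade for grade, curve in GRADE_CURVE.items()}

def cert_curve(x509_text):
    """Named curve from `openssl x509 -text -noout` output, or None if the key is not EC."""
    if "Public Key Algorithm: id-ecPublicKey" not in x509_text:
        return None
    match = re.search(r"ASN1 OID:\s*(\S+)", x509_text)
    return match.group(1) if match else None

def configured_grade(main_cf_text):
    """smtpd_tls_eecdh_grade from main.cf / `postconf -n` text; Postfix 3.1 default is strong."""
    for line in main_cf_text.splitlines():
        match = re.match(r"\s*smtpd_tls_eecdh_grade\s*=\s*(\S+)", line)
        if match:
            return match.group(1)
    return "strong"

def check(x509_text, main_cf_text):
    """Return (ok, explanation) for the certificate/grade combination."""
    curve = cert_curve(x509_text)
    if curve is None:
        return True, "RSA (non-EC) certificate: the EECDH grade does not affect it"
    grade = configured_grade(main_cf_text)
    needed = CURVE_GRADE.get(curve)
    if needed is None:
        return False, f"certificate curve {curve} is not selected by any grade"
    if grade == needed:
        return True, f"grade {grade} matches certificate curve {curve}"
    return False, f"certificate uses {curve}: set smtpd_tls_eecdh_grade = {needed} (currently {grade})"

# Constructed sample inputs mirroring the page: a P-384 cert and main.cf before/after the fix.
CERT_TEXT = """\
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                ASN1 OID: secp384r1
                NIST CURVE: P-384
"""
MAIN_CF_BEFORE = "smtpd_tls_security_level = may\n"
MAIN_CF_AFTER = MAIN_CF_BEFORE + "smtpd_tls_eecdh_grade = ultra\n"

if __name__ == "__main__":
    for name, cf in (("before", MAIN_CF_BEFORE), ("after", MAIN_CF_AFTER)):
        print(name, check(CERT_TEXT, cf))
```

On a live host, feed it `openssl x509 -in /path/to/cert.pem -text -noout` and `postconf -n` output instead of the constructed strings.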


Gentoo grub-probe not working

I have a bunch of history commands I run when I do a new kernel etc., and one stopped working. grub-mkconfig would fail with grub-probe for /....