Sunday, 26 August 2018

Postfix with ECDSA certificate not connecting

I was playing with this a while back and it didn't work and got forgotten about but this time I dug into it further.

There are lots of guides for setting this up such as

https://zhadum.org.uk/2015/07/25/ssl-certificate-agility-with-postfix/

but this did not work for me.  Using

openssl s_client -cipher ECDHE-ECDSA-AES128-SHA -connect localhost:25 -starttls smtp

CONNECTED(00000003)
1995830688:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1399:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent

failed and said it had no presented no cert.

After looking at my cert file I noticed:

 openssl x509 -text -noout
-----BEGIN CERTIFICATE-----
MIID9zCCA5ygAwIBAgIQJDK88IzKKF3Cva9HhMswejAKBggqhkjOPQQDAjCBkDEL
MAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UE
BxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxNjA0BgNVBAMT

...

        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub: 
                    04:24:64:3c:45:da:96:fe:eb:cd:0b:4c:9b:da:4f:
                    db:dd:0d:fa:e9:14:54:67:96:3e:81:3f:55:b8:1d:
                    36:0a:db:c7:a8:be:32:a2:5d:59:4c:dd:c6:11:78:
                    a4:cd:6b:12:c4:0d:76:af:6e:ef:8e:b5:78:4a:ae:
                    94:5a:90:ac:21:04:6a:f1:f2:6e:2e:8d:87:d8:46:
                    a3:54:f3:7e:f0:08:8e:81:3b:1c:0a:1d:ff:b8:a7:
                    fd:db:91:3a:b6:0b:48
                ASN1 OID: secp384r1
                NIST CURVE: P-384



from the postfix page

    smtpd_tls_eecdh_grade = strong | ultra
    # Underlying curves, best not changed:
    # tls_eecdh_strong_curve = prime256v1
    # tls_eecdh_ultra_curve = secp384r1

In my version 3.1 it defaults to strong

postconf -d | grep smtpd_tls_eecdh_grade
smtpd_tls_eecdh_grade = strong

but needs to be set to ultra to support sec384r1 which the cert was issued with. So adding the line

smtpd_tls_eecdh_grade = ultra

to main.cf made the cert work.

None of the other articles I have seen mention this so maybe it's not that common.


1 comment:

Unknown said...

Did you hear there's a 12 word phrase you can communicate to your crush... that will trigger intense emotions of love and instinctual appeal to you deep within his chest?

Because deep inside these 12 words is a "secret signal" that triggers a man's instinct to love, please and protect you with all his heart...

12 Words That Trigger A Man's Love Instinct

This instinct is so built-in to a man's brain that it will drive him to work better than ever before to to be the best lover he can be.

Matter of fact, fueling this all-powerful instinct is absolutely important to having the best possible relationship with your man that the instance you send your man a "Secret Signal"...

...You will soon notice him open his mind and soul for you in such a way he's never experienced before and he will identify you as the one and only woman in the world who has ever truly appealed to him.

Gentoo grub-probe not working

 I have a bunch of history commands I run when I d a new kernel etc and one stopped working. grub-mkconfig would fail with grub-probe for /....