* DTNX Postmaster <postmas...@dtnx.net> [2013-08-20 12:57]:
> Self-signed, 2048 bits certificate from our own root. Picks the same cipher 
> and TLS version as in Heiko's example, it seems. Perhaps it's your 
> certificate, perhaps your Postfix settings? No odd overrides for the defaults 
> anywhere, forced cipher suites or anything?
> 
> Aside from the certificate and key, these are our only non-default settings;

I found the problem... In addition to my normal certificate, I had an
EC certificate.

smtpd_tls_eccert_file=/etc/postfix/certs/cacert-karotte-ec.crt

As soon as I removed that line it started working...

No one else had a problem with that certificate. For completeness, here
is the cert output:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 133035 (0x207ab)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=CAcert Inc., OU=http://www.CAcert.org, CN=CAcert Class 3 Root
        Validity
            Not Before: Aug 13 11:39:24 2013 GMT
            Not After : Aug 13 11:39:24 2015 GMT
        Subject: CN=*.karotte.org
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub: 
                    04:6d:69:d6:06:1f:7c:b2:8d:2b:6b:a5:0e:d9:8f:
                    c9:6c:cf:ad:32:3d:35:3b:82:a6:58:ea:38:66:ae:
                    3d:43:ac:b0:cd:41:28:c6:7a:f7:3f:da:cf:50:be:
                    93:a5:90:30:cb:98:9c:b7:a1:07:93:39:bf:32:7f:
                    01:9c:59:04:8a:7d:fc:72:e9:78:a9:e5:22:e7:22:
                    5d:b5:80:bf:77:e1:be:65:3d:ce:10:c4:f3:5c:52:
                    73:aa:80:56:81:02:29
                ASN1 OID: secp384r1
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication, TLS Web Server Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access: 
                OCSP - URI:http://ocsp.cacert.org/

            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://crl.cacert.org/class3-revoke.crl

            X509v3 Subject Alternative Name: 
                DNS:*.karotte.org, othername:<unsupported>, DNS:karotte.org, othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
         04:ca:17:b7:09:b5:00:e0:9f:ac:9b:25:9f:4b:78:d9:fb:a5:
         ...

Regards

Sebastian

-- 
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
            -- Terry Pratchett, The Fifth Elephant
