On 21.10.2013 23:04, Viktor Dukhovni wrote:
> On Mon, Oct 21, 2013 at 09:43:50PM +0200, li...@rhsoft.net wrote:
>
>> postfix/smtp[7411]: warning: TLS library problem:
>> 7411:error:100AE081:elliptic curve
>> routines:EC_GROUP_new_by_curve_name:unknown group:ec_curve.c:316
>>
>> maybe relevant to "only ECC NIST Suite B curves support"?
>> postfix was compiled against exactly this openssl build
>> as far as i can see fallback to unencrypted connection
>>
>> http://koji.fedoraproject.org/koji/buildinfo?buildID=471781
>> * Wed Oct 16 2013 Tomáš Mráz <tm...@redhat.com> 1.0.1e-28
>> - only ECC NIST Suite B curves support
>> - drop -fips subpackage
>>
>> * Mon Oct 14 2013 Tom Callaway <s...@fedoraproject.org>
>> - 1.0.1e-27
>> - resolve bugzilla 319901 (phew! only took 6 years & 9 days)
>
> Until recently, there was no ECC support in RedHat (and Fedora)
> OpenSSL packages. It seems that a few weeks ago they finally
> enabled ECC, but could not resist the urge to cripple it a bit. :-)

looks so

> Instead of improving the world by finally supporting EC, they've
> made things worse! Previously clients negotiated something other
> than EECDH key exchange, now they negotiate it and fail! Sorry to
> say so, but the RedHat engineers need adult supervision.

since you sound very knowledgeable about SSL may you consider to make a comment there?
https://bugzilla.redhat.com/show_bug.cgi?id=1019251

fine: http://koji.fedoraproject.org/koji/buildinfo?buildID=471397
crippled: http://koji.fedoraproject.org/koji/buildinfo?buildID=471781
with the first build no single error

> What site was your SMTP client connecting to? IIRC Suite B supports
> prime256v1 (aka secp256r1) and secp384r1. Perhaps the SMTP server
> decided to live on the bleeding edge with "secp521r1"

as far as i can see in all 8 cases currently to GMX

Oct 21 22:29:22 mail postfix/smtp[12289]: SSL_connect error to mx00.gmx.net[213.165.67.99]:25: -1
Oct 21 22:29:22 mail postfix/smtp[12289]: warning: TLS library problem: 12289:error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group:ec_curve.c:316:
Oct 21 22:29:22 mail postfix/smtp[12289]: warning: TLS library problem: 12289:error:1408D010:SSL routines:SSL3_GET_KEY_EXCHANGE:EC lib:s3_clnt.c:1641:
Oct 21 22:29:22 mail postfix/smtp[12289]: 3d3Tvy5Cdsz23: Cannot start TLS: handshake failure
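
Added example, not part of the original thread and not Postfix or OpenSSL code: a small log triage script that unpacks the OpenSSL error codes quoted above and reports which destination hosts failed the handshake on an EC group the local build lacks. It assumes the OpenSSL 1.0.x packed error layout (lib in bits 24-31, function in bits 12-23, reason in bits 0-11) and the log line order shown in the message; the function names are illustrative.

```python
import re
from collections import defaultdict

# Log lines copied from the message above (Postfix smtp client, OpenSSL 1.0.1e).
SAMPLE_LOG = """\
Oct 21 22:29:22 mail postfix/smtp[12289]: SSL_connect error to mx00.gmx.net[213.165.67.99]:25: -1
Oct 21 22:29:22 mail postfix/smtp[12289]: warning: TLS library problem: 12289:error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group:ec_curve.c:316:
Oct 21 22:29:22 mail postfix/smtp[12289]: warning: TLS library problem: 12289:error:1408D010:SSL routines:SSL3_GET_KEY_EXCHANGE:EC lib:s3_clnt.c:1641:
Oct 21 22:29:22 mail postfix/smtp[12289]: 3d3Tvy5Cdsz23: Cannot start TLS: handshake failure
"""

PID = re.compile(r"postfix/smtp\[(\d+)\]: (.*)")
PEER = re.compile(r"SSL_connect error to (\S+?)\[([0-9a-fA-F.:]+)\]:(\d+)")
ERR = re.compile(r"TLS library problem: \d+:error:([0-9A-Fa-f]{8}):")
# OpenSSL 1.0.x constants: ERR_LIB_EC and EC_R_UNKNOWN_GROUP.
EC_LIB, EC_UNKNOWN_GROUP = 16, 129


def unpack(code_hex):
    """Split an OpenSSL 1.0.x packed error code into (lib, func, reason)."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def unsupported_curve_peers(log_text):
    """Return {peer host: count} for handshakes that died on an unknown EC group."""
    peer_by_pid, hits = {}, defaultdict(int)
    for line in log_text.splitlines():
        m = PID.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        if (p := PEER.search(msg)):
            # Remember which peer this smtp process was talking to.
            peer_by_pid[pid] = p.group(1)
        elif (e := ERR.search(msg)):
            lib, _func, reason = unpack(e.group(1))
            if (lib, reason) == (EC_LIB, EC_UNKNOWN_GROUP) and pid in peer_by_pid:
                hits[peer_by_pid[pid]] += 1
    return dict(hits)


if __name__ == "__main__":
    for host, n in unsupported_curve_peers(SAMPLE_LOG).items():
        print(f"{host}: {n} handshake(s) failed on an EC group this build lacks")
```

Run against the full mail log, the per-host counts show which peers are affected and therefore which deliveries may be falling back to an unencrypted connection.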