On Wed, Sep 28, 2022 at 07:22:37PM +0200, Lists Nethead wrote:
> > Your server defaults to an ECDSA P-384 certificate, the client may not
> > support ECDSA at all, or may not support P-384 (P-256 is a more broadly
> > supported choice):
> >
> > $ posttls-finger -c -lmay -Lsummary "[nh1.nethead.se]"
> > posttls-finger: Untrusted TLS connection established
> > to nh1.nethead.se[5.150.237.137]:25:
> > TLSv1.3 with
> > cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
> > key-exchange X25519
> > server-signature ECDSA (P-384)
> > server-digest SHA384
> >
> > There appears to be no additional RSA certificate configured:
> >
> > $ posttls-finger -p TLSv1.2 -o tls_medium_cipherlist="aRSA" -c
> > -lmay -Lsummary "[nh1.nethead.se]"
> > posttls-finger: SSL_connect error to nh1.nethead.se[5.150.237.137]:25:
> > -1
> > posttls-finger: warning: TLS library problem: error:14094410:SSL
> > routines:ssl3_read_bytes:sslv3 alert handshake
> > failure:ssl/record/rec_layer_s3.c:1544:SSL alert number 40:
> >
> > $ posttls-finger -p TLSv1.2 -o tls_medium_cipherlist="aECDSA" -c
> > -lmay -Lsummary "[nh1.nethead.se]"
> > posttls-finger: Untrusted TLS connection established to
> > nh1.nethead.se[5.150.237.137]:25: TLSv1.2 with cipher
> > ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)
> >
> > Your choice of private key (ECDSA P-384) is likely the problem.
>
> Thanks Viktor, that is exactly where my suspicions laid. Now on to fix it.
You should have at least an RSA certificate (2048-bit key, not more),
and only if you're feeling particularly expert also an ECDSA certificate
(P-256 is plenty strong, not P-384 or P-521).
--
Viktor.
