Quoting Viktor Dukhovni <postfix-us...@dukhovni.org>:

On Wed, Sep 28, 2022 at 07:22:37PM +0200, Lists Nethead wrote:

> Your server defaults to an ECDSA P-384 certificate, the client may not
> support ECDSA at all, or may not support P-384 (P-256 is a more broadly
> supported choice):
>
>     $ posttls-finger -c -lmay -Lsummary "[nh1.nethead.se]"
>     posttls-finger: Untrusted TLS connection established
>         to nh1.nethead.se[5.150.237.137]:25:
>         TLSv1.3 with
>             cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
>             key-exchange X25519
>             server-signature ECDSA (P-384)
>             server-digest SHA384
>
> There appears to be no additional RSA certificate configured:
>
>     $ posttls-finger -p TLSv1.2 -o tls_medium_cipherlist="aRSA" -c -lmay -Lsummary "[nh1.nethead.se]"
>     posttls-finger: SSL_connect error to nh1.nethead.se[5.150.237.137]:25: -1
>     posttls-finger: warning: TLS library problem: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1544:SSL alert number 40:
>
>     $ posttls-finger -p TLSv1.2 -o tls_medium_cipherlist="aECDSA" -c -lmay -Lsummary "[nh1.nethead.se]"
>     posttls-finger: Untrusted TLS connection established to nh1.nethead.se[5.150.237.137]:25: TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)
>
> Your choice of private key (ECDSA P-384) is likely the problem.

Thanks Viktor, that is exactly where my suspicions lay. Now on to fix it.

You should have at least an RSA certificate (2048-bit key, not more),
and only if you're feeling particularly expert also an ECDSA certificate
(P-256 is plenty strong, not P-384 or P-521).

Yes agree, on my way there now.
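
Added example, not part of the original thread: one way to produce the RSA 2048-bit and ECDSA P-256 key pair recommended above and confirm each certificate's key type before installing it. The host name, directory, file names and the use of self-signed certificates are assumptions for illustration; the main.cf lines in the comments use Postfix's smtpd_tls_cert_file/smtpd_tls_key_file and smtpd_tls_eccert_file/smtpd_tls_eckey_file parameters with placeholder paths.

```shell
#!/bin/sh
# Added example (not from the thread). Requires the openssl command-line tool.

# make_dual_certs DIR HOST
# Writes rsa.key/rsa.pem (RSA 2048) and ecdsa.key/ecdsa.pem (ECDSA P-256)
# into DIR. The certificates are self-signed stand-ins; a production server
# would normally send a CSR for each key to its CA instead.
make_dual_certs() (
    dir=$1
    host=$2
    umask 077                      # private keys readable by owner only
    mkdir -p "$dir" || exit 1
    # RSA 2048-bit key: the baseline nearly every SMTP client can verify.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/rsa.key" 2>/dev/null || exit 1
    # ECDSA on P-256 (prime256v1): the optional second certificate.
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
        -out "$dir/ecdsa.key" 2>/dev/null || exit 1
    for alg in rsa ecdsa; do
        openssl req -new -x509 -sha256 -days 365 -subj "/CN=$host" \
            -key "$dir/$alg.key" -out "$dir/$alg.pem" 2>/dev/null || exit 1
    done
)

# cert_key_type FILE
# Prints "rsa:<bits>", "ec:<bits>" or "other:<bits>" for a PEM certificate,
# so a P-384-only setup like the one diagnosed above shows up as "ec:384".
cert_key_type() {
    text=$(openssl x509 -in "$1" -noout -text) || return 1
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    case $text in
        *"Public Key Algorithm: rsaEncryption"*)  echo "rsa:$bits" ;;
        *"Public Key Algorithm: id-ecPublicKey"*) echo "ec:$bits" ;;
        *)                                        echo "other:$bits" ;;
    esac
}

# Postfix main.cf then serves both certificates (placeholder paths):
#   smtpd_tls_cert_file   = /etc/postfix/tls/rsa.pem
#   smtpd_tls_key_file    = /etc/postfix/tls/rsa.key
#   smtpd_tls_eccert_file = /etc/postfix/tls/ecdsa.pem
#   smtpd_tls_eckey_file  = /etc/postfix/tls/ecdsa.key
```

After reloading Postfix, the two posttls-finger commands quoted above (aRSA and aECDSA) should both complete a handshake.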

