On 11/19/2016 06:07 PM, Jeremy Harris wrote:
> The main-config option tls_certificates specifies
> "a file which contains the server’s certificates".
>
> Plural.
>
> What happens when you try it?
It will use the first cert in the new double chain, and only the ECDSA
ciphers which match the first cert are visible.
To see the available ciphers up to OpenSSL 1.0.2 I use:
https://github.com/mozilla/cipherscan
I actually used this sample machine:
cipherscan -starttls smtp torf.tributh.net:25
....
Target: torf.tributh.net:25
prio  ciphersuite                    protocols               pfs                 curves
1     ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2                 ECDH,P-256,256bits  server
2     ECDHE-ECDSA-AES128-GCM-SHA256  TLSv1.2                 ECDH,P-256,256bits  server
3     ECDHE-ECDSA-AES256-SHA         TLSv1,TLSv1.1,TLSv1.2   ECDH,P-256,256bits  server
Certificate: trusted, 384 bits, sha256WithRSAEncryption signature
TLS ticket lifetime hint: None
NPN protocols: None
OCSP stapling: supported
Cipher ordering: server
Curves ordering: none - fallback: no
Server supports secure renegotiation
Server supported compression methods: NONE
TLS Tolerance: yes
--
Torsten
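The thread turns on which certificate sits first in the concatenated tls_certificates file, since the post reports that only the first cert is served and only the cipher suites matching it show up in the scan. The script below is an added example, not code from the post, from Exim or from cipherscan: it splits a PEM bundle in file order and reports the public key algorithm of each certificate, so you can see at a glance whether the ECDSA or the RSA cert comes first. It assumes the openssl command line tool is on PATH; the self-signed RSA and ECDSA certificates it generates are constructed test data, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the post, Exim or cipherscan): list the certificates
# in a concatenated PEM bundle in file order, with the public key algorithm
# of each, so you can see which cert is first in tls_certificates.
# Assumes the openssl command line tool is on PATH.

# cert_key_algs BUNDLE: print one line per certificate, "N ALGORITHM SUBJECT",
# in the order the certificates appear in the file.
cert_key_algs() {
    bundle=$1
    dir=$(mktemp -d) || return 1
    # split the bundle into cert1.pem, cert2.pem, ... on the BEGIN markers;
    # anything before the first certificate block is ignored
    awk -v dir="$dir" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (dir "/cert" n ".pem")}' "$bundle"
    i=1
    while [ -f "$dir/cert$i.pem" ]; do
        # "Public Key Algorithm: rsaEncryption" or "... id-ecPublicKey"
        alg=$(openssl x509 -in "$dir/cert$i.pem" -noout -text \
              | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
        subj=$(openssl x509 -in "$dir/cert$i.pem" -noout -subject)
        printf '%s %s %s\n' "$i" "$alg" "$subj"
        i=$((i + 1))
    done
    rm -rf "$dir"
}

# first_cert_alg BUNDLE: key algorithm of the first certificate only,
# i.e. the one the post reports Exim ends up serving.
first_cert_alg() {
    cert_key_algs "$1" | head -n 1 | cut -d' ' -f2
}

# make_test_bundle DIR: constructed test data, a self-signed RSA and a
# self-signed ECDSA (P-256) cert for the same name, concatenated ECDSA-first
# like the double chain in the post. Prints the bundle path.
make_test_bundle() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/rsa.key" -out "$d/rsa.crt" \
        -days 1 -subj "/CN=mail.example.test" >/dev/null 2>&1
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/ec.key" 2>/dev/null
    openssl req -x509 -new -key "$d/ec.key" -out "$d/ec.crt" \
        -days 1 -subj "/CN=mail.example.test" >/dev/null 2>&1
    cat "$d/ec.crt" "$d/rsa.crt" > "$d/bundle.pem"
    echo "$d/bundle.pem"
}

# stand-alone demo: first line should report id-ecPublicKey, second rsaEncryption
demo_dir=$(mktemp -d)
demo_bundle=$(make_test_bundle "$demo_dir")
cert_key_algs "$demo_bundle"
rm -rf "$demo_dir"
```

Point it at the real tls_certificates file to confirm the order. As a complementary live check, `openssl s_client -starttls smtp -connect host:25 -cipher ECDHE-RSA-AES128-GCM-SHA256` and the same with `-cipher ECDHE-ECDSA-AES128-GCM-SHA256` show whether the server can complete a handshake with each key type, which is the same thing the cipherscan run above reports in aggregate.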