[exim] How to get ec cert used with DANE and ec+rsa certs

Author: Axel Rau
Date:  
To: Exim-users
Subject: [exim] How to get ec cert used with DANE and ec+rsa certs
Hi all,

testing my TLSA setup here
    https://www.huque.com/bin/danecheck
always fails with the ec cert, while the rsa cert succeeds:
DNS TLSA RRset:
  qname: _25._tcp.tmx3.lrau.net.
  3 0 1 0b3eae57d593d773cf6582d5e59f26681716678fd86535fef867dec1708e45b2
  3 0 1 de449278a5c30ab0e50a3ed89d31e6625847cd884247b40230f8c866a2d65120
IP Addresses found:
  2a05:bec0:26:18::91
  91.216.35.191


## Checking tmx3.lrau.net 2a05:bec0:26:18::91 port 25
DANE TLSA 3 0 1 [0b3eae57..]: FAIL did not match EE certificate
DANE TLSA 3 0 1 [de449278..]: OK matched EE certificate

I have verified the TLSA hash of the ec cert here
    https://www.huque.com/bin/gen_tlsa


I tried without tls_require_ciphers or with
    tls_require_ciphers = ECDSA:RSA:HIGH:!MD5:!SHA1:!COMPLEMENTOFDEFAULT
but all fail.


Axel

PS:
tls_certificate =   /usr/local/etc/exim/tmx3.lrau.net_server_ec_cert_cacert.pem : \
                    /usr/local/etc/exim/tmx3.lrau.net_server_cert_cacert.pem
tls_privatekey =    /usr/local/etc/exim/tmx3.lrau.net_server_ec_key.pem : \
                    /usr/local/etc/exim/tmx3.lrau.net_server_key.pem


---
PGP-Key: CDE74120 ☀ computing @ chaos claudius
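A diagnostic for the kind of mismatch reported above, added here as example code that is not part of the original post, of Exim or of the danecheck tool: it computes "3 0 1" / "3 0 2" TLSA records (selector 0, full certificate) for every certificate in a PEM chain file such as the `*_cert_cacert.pem` files in the config, and reports which certificate in the file each published record actually matches. The certificate bytes below are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
DIGESTS = {1: hashlib.sha256, 2: hashlib.sha512}   # TLSA matching types 1 and 2

def pem_to_der_chain(pem: str) -> list:
    """Return the DER bytes of every certificate in a PEM file, EE cert first."""
    return [base64.b64decode("".join(body.split())) for body in PEM_RE.findall(pem)]

def tlsa_record(der: bytes, usage: int = 3, selector: int = 0, mtype: int = 1) -> str:
    """Build the TLSA RDATA for one DER certificate (selector 0 = full cert only)."""
    if selector != 0:
        raise ValueError("selector 1 (SubjectPublicKeyInfo) needs ASN.1 parsing; not handled")
    if mtype not in DIGESTS:
        raise ValueError(f"matching type {mtype} not supported here")
    return f"{usage} {selector} {mtype} {DIGESTS[mtype](der).hexdigest()}"

def match_tlsa(pem: str, rrset: list) -> dict:
    """Map each TLSA record to the index of the chain certificate it matches (0 = EE).

    A usage-3 (DANE-EE) record that only matches index > 0 was generated from a
    chain certificate, so a validator reports it as not matching the EE cert.
    """
    chain = pem_to_der_chain(pem)
    result = {}
    for rr in rrset:
        usage, selector, mtype, data = rr.split(None, 3)
        wanted = data.replace(" ", "").lower()       # tolerate spaced/uppercase hex from dig
        result[rr] = None
        for idx, der in enumerate(chain):
            if tlsa_record(der, int(usage), int(selector), int(mtype)).split()[3] == wanted:
                result[rr] = idx
                break
    return result

def _fake_pem(der: bytes) -> str:
    """Wrap arbitrary bytes in PEM armour (constructed test data, not a real cert)."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# Constructed sample: an "EE cert" followed by a "CA cert", as in a *_cert_cacert.pem file.
EE_DER, CA_DER = b"constructed ec ee certificate", b"constructed ca certificate"
SAMPLE_CHAIN = _fake_pem(EE_DER) + _fake_pem(CA_DER)
RR_EE = tlsa_record(EE_DER)         # record generated from the EE certificate
RR_CA = tlsa_record(CA_DER)         # record mistakenly generated from the CA certificate
RR_STALE = "3 0 1 " + "00" * 32     # record for a certificate that is no longer served
```

Point `match_tlsa` at each file listed in `tls_certificate` with the RRset from `dig TLSA _25._tcp.<host>`; a record that maps to None or to an index above 0 is the one the validator will flag.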