Re: [exim] How to get ec cert used with DANE and ec+rsa cert…

Author: Viktor Dukhovni
Date:  
To: exim-users
Subject: Re: [exim] How to get ec cert used with DANE and ec+rsa certs
On Mon, Sep 07, 2020 at 06:14:37PM +0200, Axel Rau via Exim-users wrote:

> testing my TLSA setup here
>     https://www.huque.com/bin/danecheck
> fails always with the ec cert, while the rsa cert succeeds:


Are you sure you're interpreting the results correctly?

> DNS TLSA RRset:
> qname: _25._tcp.tmx3.lrau.net.
> 3 0 1 0b3eae57d593d773cf6582d5e59f26681716678fd86535fef867dec1708e45b2
> 3 0 1 de449278a5c30ab0e50a3ed89d31e6625847cd884247b40230f8c866a2d65120


Forcing RSA with TLS 1.3 via RSA-only sigalgs shows the RSA TLSA RR
matching:

    $ openssl s_client -starttls smtp -connect tmx3.lrau.net:25 -verify 9 -brief \
        -dane_tlsa_domain tmx3.lrau.net \
        -dane_tlsa_rrdata "3 0 1 de449278a5c30ab0e50a3ed89d31e6625847cd884247b40230f8c866a2d65120" \
        -dane_tlsa_rrdata "3 0 1 0b3eae57d593d773cf6582d5e59f26681716678fd86535fef867dec1708e45b2" \
        -sigalgs rsa_pkcs1_sha256:rsa_pkcs1_sha384:rsa_pkcs1_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512
    verify depth is 9
    CONNECTION ESTABLISHED
    Protocol version: TLSv1.3
    Ciphersuite: TLS_AES_256_GCM_SHA384
    Peer certificate: CN = tmx3.lrau.net
    Hash used: SHA256
    Signature type: RSA-PSS
    Verification: OK
    Verified peername: tmx3.lrau.net
    DANE TLSA 3 0 1 ...4247b40230f8c866a2d65120 matched EE certificate at depth 0
    Server Temp Key: X25519, 253 bits
    250 HELP
    quit
    221 tmx3.lrau.net closing connection


Forcing ECDSA with TLS 1.3 via RSA-only sigalgs shows the ECDSA TLSA RR
matching:

    $ openssl s_client -starttls smtp -connect tmx3.lrau.net:25 -verify 9 -brief \
        -dane_tlsa_domain tmx3.lrau.net \
        -dane_tlsa_rrdata "3 0 1 de449278a5c30ab0e50a3ed89d31e6625847cd884247b40230f8c866a2d65120" \
        -dane_tlsa_rrdata "3 0 1 0b3eae57d593d773cf6582d5e59f26681716678fd86535fef867dec1708e45b2" \
        -sigalgs ecdsa_secp256r1_sha256:ecdsa_secp384r1_sha384:ecdsa_secp521r1_sha512
    verify depth is 9
    CONNECTION ESTABLISHED
    Protocol version: TLSv1.3
    Ciphersuite: TLS_AES_256_GCM_SHA384
    Peer certificate: CN = tmx3.lrau.net
    Hash used: SHA384
    Signature type: ECDSA
    Verification: OK
    Verified peername: tmx3.lrau.net
    DANE TLSA 3 0 1 ...d86535fef867dec1708e45b2 matched EE certificate at depth 0
    Server Temp Key: X25519, 253 bits
    250 HELP
    quit
    221 tmx3.lrau.net closing connection


> ## Checking tmx3.lrau.net 2a05:bec0:26:18::91 port 25
> DANE TLSA 3 0 1 [0b3eae57..]: FAIL did not match EE certificate
> DANE TLSA 3 0 1 [de449278..]: OK matched EE certificate


Presumably because only RSA was negotiated (mind you in my tests I get
ECDSA by default, and have to go out of my way to get RSA, but that does
not matter so much).

> I tried without tls_require_ciphers or with
>     tls_require_ciphers = ECDSA:RSA:HIGH:!MD5:!SHA1:!COMPLEMENTOFDEFAULT
> but all fails.


These ciphers have no effect on TLS 1.3, which uses a completely
different cipher selection mechanism.

However, enabling multiple algorithms is an advanced use-case; you're
probably better off with just RSA for now. See:

    https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html


-- 
    Viktor.
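
Added example, not part of the original message: how a "3 0 x" TLSA RRset is evaluated against whichever certificate the server presents, showing why a per-record FAIL line next to an OK line is still an overall pass when a host serves both an RSA and an ECDSA certificate. The certificate bytes are constructed stand-ins for real DER data, and the function names are hypothetical.

```python
import hashlib

# Matching-type field of a TLSA record (RFC 6698): 0 = exact, 1 = SHA-256, 2 = SHA-512.
_DIGESTS = {1: hashlib.sha256, 2: hashlib.sha512}

def parse_tlsa(rr):
    """Split 'usage selector mtype hexdata' presentation format into fields."""
    usage, selector, mtype, data = rr.split(None, 3)
    return int(usage), int(selector), int(mtype), "".join(data.split()).lower()

def tlsa_matches(rr, cert_der):
    """True if one DANE-EE full-certificate record (3 0 x) matches cert_der."""
    usage, selector, mtype, data = parse_tlsa(rr)
    if usage != 3 or selector != 0:
        raise ValueError("only usage 3, selector 0 records are handled here")
    if mtype == 0:
        return cert_der.hex() == data
    if mtype not in _DIGESTS:
        return False  # unknown matching type: the record is unusable
    return _DIGESTS[mtype](cert_der).hexdigest() == data

def check_rrset(rrset, cert_der):
    """Per-record results plus the overall verdict: one matching record is enough."""
    results = {rr: tlsa_matches(rr, cert_der) for rr in rrset}
    return results, any(results.values())

# Constructed stand-ins for the DER bytes of an RSA and an ECDSA certificate.
RSA_CERT = b"constructed-rsa-certificate-der"
ECDSA_CERT = b"constructed-ecdsa-certificate-der"
# One record per certificate, as in the RRset quoted in the thread.
RRSET = [
    "3 0 1 " + hashlib.sha256(ECDSA_CERT).hexdigest(),
    "3 0 1 " + hashlib.sha256(RSA_CERT).hexdigest(),
]

if __name__ == "__main__":
    for name, cert in (("RSA", RSA_CERT), ("ECDSA", ECDSA_CERT)):
        results, ok = check_rrset(RRSET, cert)
        for rr, hit in results.items():
            print(name, rr[:14] + "..", "OK" if hit else "FAIL")
        print(name, "overall:", "pass" if ok else "fail")
```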