postfix SSL 例程:SSL3_GET_KEY_EXCHANGE:无法找到 ecdh 参数

postfix SSL 例程:SSL3_GET_KEY_EXCHANGE:无法找到 ecdh 参数

最近,当我们的 postfix MTA 尝试通过 TLS 加密连接时,出现了这个错误:

 postfix/smtp[20716]: warning: TLS library problem: 20716:error:1408D13A:SSL routines:SSL3_GET_KEY_EXCHANGE:unable to find ecdh parameters:s3_clnt.c:1336:

远程站点的证书如下所示(序列号、主题和密钥被操纵/替换):

  openssl x509 -noout -text -in cert.cer -inform der

Certificate:
  Data:
    Version: 3 (0x2)
    Serial Number:
        00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA
    Validity
        Not Before: Dec 01 00:00:00 2016 GMT
        Not After : Dec 01 00:00:00 2019 GMT
    Subject: C=XX, ST=XX, L=XX, O=XX, OU=XX, CN=XX
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
        RSA Public Key: (2048 bit)
            Modulus (2048 bit):
                00:b7:6b:35:b6:f7:42:84:ed:b3:e7:82:94:e2:84:
                f5:92:6b:16:f6:87:65:b7:fb:e4:eb:9b:59:37:45:
                53:9d:6f:41:94:2d:1b:17:d2:8f:f8:ce:6e:88:9b:
                79:f5:93:3b:77:de:cb:19:b4:3e:d4:49:29:5f:80:
                7b:6b:10:30:e9:b3:6f:bb:5e:9f:93:b5:f3:89:f7:
                09:31:25:80:6b:89:0e:16:69:84:49:42:4f:c9:b8:
                d7:8d:36:2e:c2:b4:d1:57:6e:fd:4d:54:b1:0e:42:
                b7:c9:fd:92:be:eb:e4:bd:85:20:fb:48:4b:c4:5c:
                ee:e2:15:96:29:e8:0b:18:0d:39:e7:91:b8:92:9f:
                b5:0e:6d:8f:91:50:90:98:d1:b0:44:8d:99:b8:51:
                63:6b:7d:3f:30:b4:11:e9:99:b5:98:7b:3d:7d:e8:
                30:4b:80:c3:11:56:b0:fb:7c:6b:74:79:1b:37:4f:
                15:81:79:29:e9:cf:be:b9:0f:d1:1b:6f:7d:67:db:
                7e:c4:35:14:18:e6:6e:e1:ec:98:76:9c:78:60:61:
                08:4f:9b:4b:bb:14:f7:bd:2b:bb:f3:2b:ed:41:37:
                2c:5d:13:83:0e:0b:3b:18:13:3d:8b:dd:9b:bb:5d:
                64:5c:b4:47:93:df:6b:bb:81:b7:fb:f5:6d:82:86:
                6e:bb
            Exponent: 65537 (0x10001)
    X509v3 extensions:
        X509v3 Authority Key Identifier:
            keyid:0F:80:61:1C:82:31:61:D5:2F:28:E7:8D:46:38:B4:2C:E1:C6:D9:E2

        X509v3 Subject Key Identifier:
            4C:94:CA:33:70:FB:3E:6B:E7:34:24:CC:53:92:64:12:20:B9:8E:65
        X509v3 Subject Alternative Name:
            DNS:XX, DNS:XX, DNS:XX, DNS:XX
        X509v3 Key Usage: critical
            Digital Signature, Key Encipherment
        X509v3 Extended Key Usage:
            TLS Web Server Authentication, TLS Web Client Authentication
        X509v3 CRL Distribution Points:
            URI:http://crl3.digicert.com/ssca-sha2-g5.crl
            URI:http://crl4.digicert.com/ssca-sha2-g5.crl

        X509v3 Certificate Policies:
            Policy: 2.16.840.1.114412.1.1
              CPS: https://www.digicert.com/CPS
            Policy: 2.23.140.1.2.2

        Authority Information Access:
            OCSP - URI:http://ocsp.digicert.com
            CA Issuers - URI:http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt

        X509v3 Basic Constraints: critical
            CA:FALSE
Signature Algorithm: sha256WithRSAEncryption
    27:be:23:6c:21:9f:eb:44:52:3b:cc:0f:b0:b4:52:40:b6:1c:
    91:ef:87:c6:44:98:8b:7c:e9:3b:db:15:d0:11:26:cb:02:8e:
    e6:e6:eb:fb:89:3c:fd:56:fb:00:cb:e5:32:56:96:92:7e:11:
    3b:bb:52:66:f0:d5:58:b8:c9:83:e4:bf:5d:15:ed:29:7f:b5:
    07:04:3b:15:b3:4c:c1:d0:08:d7:e8:26:b7:3c:e0:d0:42:46:
    22:35:b6:0d:cf:c3:14:30:e0:0b:18:6f:fb:fb:26:79:45:e9:
    78:b9:dc:f2:eb:e4:b6:d2:65:8c:c7:cb:86:52:bf:e1:3b:fb:
    83:04:d3:94:fb:14:e8:0b:ef:f1:5e:cb:45:02:bd:fd:cb:8f:
    1f:56:8d:f5:4d:b0:b1:52:1b:26:c8:bb:58:20:f7:93:e2:b8:
    12:cf:42:4b:f8:07:de:d2:9e:f6:f1:2c:79:eb:f1:bc:3f:cb:
    2d:02:17:7b:e3:00:be:7b:78:2b:96:d8:30:e6:c3:99:87:df:
    2b:19:6f:cd:37:15:1b:bb:99:61:07:cb:71:27:5d:57:9b:2d:
    b8:03:c3:5c:3e:ef:1f:3e:38:3c:27:e9:7b:e5:cc:ce:90:7c:
    bb:bc:f9:cf:b4:27:75:81:f4:f6:b4:e0:7b:3b:02:6f:f4:8e:
    95:90:06:92

我们这边 SSLv2 和 SSLv3 被禁用。远程端声称他们也是这样。他们使用 MS Exchange 作为 MTA...

有谁知道这个错误信息与什么有关?

答案1

该问题已解决,请在此处找到解决方案/解决方法:

为特定收件人禁用 Postfix/TLS 中的密码/密码套件

一些后果:我们使用的 openssl 版本(0.9.8j-fips 2009 年 1 月 7 日)对椭圆曲线密码的支持有限。它说

目前我们只支持命名(非通用)曲线,在这种情况下 ECParameters 只有三个字节。

由于收件人正在运行 Exchange Server 2016 CU4,因此它请求带有不受支持的参数的 ECDH 密码。告诉 postfix(通过 tls_policy_map)从密钥交换支持的集合中排除 ECDH 密码(exclude=kECDH),剩下的密码就可以完成这项工作。

感谢所有为解决方案做出贡献的人。

相关内容