When I use the RSA cert, everything goes well.
However, after I switch to an ECC cert, the connection can't be established,
and I get an "ERR_SSL_VERSION_OR_CIPHER_MISMATCH" error.
Is it because Mailu doesn't support ECC certs, or is it just misconfigured?
Thank you.
Cipher support is defined in Nginx. Currently we support the following:
https://github.com/Mailu/Mailu/blob/4733f15c0ca50d9fabbc7fe6d351763186666f3e/core/nginx/conf/tls.conf#L2
Thanks for your reply.
Hope it will be supported in the future.
Hi, if you can be specific about the Cipher string, we can look into supporting it. Provided it is a safe cipher.
The Cipher string is ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 and the like,
listed in https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4.
It is said that ECDSA requires a smaller key size to provide the same security level.
However, since RSA is more widely used, it might bring compatibility problems.
Anyway, it may be worth a try.
I'm not sure if all relevant mail clients support ECC certs… and a dual-cert setup is even less supported…
I would strongly advise against using ECC certs for production systems if you have no control over the clients.
I guess supporting it does not hurt anybody? It's the admin's own problem when his users are using clients that don't support the cipher and start complaining :stuck_out_tongue:
Yeah, I just wanted to warn everyone who stumbles upon this issue :grinning:
Any PR to update this is welcome I would say. Especially if backed by a reference TLS config.
Hi,
@DCsunset — would it be possible for you to check if the recent merge of #1321 indeed fixed this issue for you?
Thanks! It is now possible to use ECC cert.
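
The failure discussed in this thread can be checked offline before swapping certificates. The following is an added example, not part of the original thread or Mailu's code: it expands an OpenSSL cipher string (the format of Nginx's `ssl_ciphers`) and reports which certificate key types its TLS 1.2-and-earlier suites can authenticate. The two cipher strings and the function names are constructed for illustration and are not Mailu's actual configuration.

```python
import ssl

# Constructed sample values for an nginx `ssl_ciphers` directive (assumptions,
# not taken from Mailu's tls.conf). The IANA suite named in the thread,
# ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, is ECDHE-ECDSA-AES256-GCM-SHA384 in OpenSSL.
RSA_ONLY = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"
DUAL = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"


def tls12_auth_types(cipher_string):
    """Return the auth types (e.g. 'auth-rsa', 'auth-ecdsa') of the
    TLS <= 1.2 suites that OpenSSL selects for this cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # TLS 1.3 suites are not controlled by this string and are not bound
    # to a certificate key type, so they are excluded from the check.
    return {c["auth"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"}


def can_serve(cipher_string, key_type):
    """True if a certificate with key_type ('rsa' or 'ecdsa') is usable
    with at least one TLS <= 1.2 suite in the cipher string."""
    return "auth-" + key_type in tls12_auth_types(cipher_string)


def audit(cipher_string):
    """Summarise certificate compatibility for one cipher string."""
    return {kt: can_serve(cipher_string, kt) for kt in ("rsa", "ecdsa")}


if __name__ == "__main__":
    for label, cs in (("RSA-only list", RSA_ONLY), ("dual list", DUAL)):
        print(label, audit(cs))
```

A list where `ecdsa` comes back `False` leaves a TLS 1.2 client with no suite in common once the server presents only an ECC certificate, which is the condition browsers report as a cipher mismatch.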