On 2022-08-21 19:46:31 +0000, Slavko via mailop wrote:
> Is that a typo? AFAIK both these cipher suites are usable only
> with RSA certificate, they differ only by ephemeral key exchange
> algo...

Sorry, you're right that it's a typo. I just re-tested and want to clarify that: ECDHE-RSA-AES128-GCM-SHA256 is exclusive to RSA certificates, and ECDHE-ECDSA-AES128-GCM-SHA256 is exclusive to EC certificates, which is less widely supported by other MTAs.

I've hobbled up a script to enumerate ciphersuites at https://gist.github.com/ahrex/8d2c15086a116bb9388424c40687f20f, which you can use to scan your local MTA to see what it supports as a server. You may also try this on remote MTAs, though they may not be as friendly to scans. Of course YMMV, since there's no guarantee that ciphersuites presented by remote MTAs as a server are the same as what's supported when they're a client connecting to you, so .pcaps are the best way to tell.

Thanks for spotting my typo,
--
Alex
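The distinction drawn in the message above can be checked locally. This is an added example, not the script from the gist: it asks OpenSSL which certificate key type each of the two suites requires, then offers a single suite over STARTTLS to see whether an MTA accepts it. The function names, the default host `localhost` and port 25 are assumptions, as is a Python `ssl` module built against an OpenSSL that reports the `auth` field.

```python
import smtplib
import ssl

# The two suites discussed in the thread.
SUITES = ("ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256")

def tls12_context(suite):
    """Client context that offers exactly one TLS 1.2 cipher suite."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # only the handshake outcome matters here,
    ctx.verify_mode = ssl.CERT_NONE  # not the peer's identity
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # keep TLS 1.3 suites out
    ctx.set_ciphers(suite)
    return ctx

def cert_type_for(suite):
    """Return the certificate key type OpenSSL requires for `suite`."""
    for c in tls12_context(suite).get_ciphers():
        if c["name"] == suite:
            return {"auth-rsa": "RSA", "auth-ecdsa": "EC"}.get(c["auth"], c["auth"])
    raise ValueError(f"{suite} is not available in this OpenSSL build")

def probe(host, port, suite, timeout=10):
    """True if the MTA completes STARTTLS when offered only `suite`."""
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            smtp.starttls(context=tls12_context(suite))
            return smtp.sock.cipher()[0] == suite
    except (ssl.SSLError, smtplib.SMTPException, OSError):
        # Handshake refused, STARTTLS not offered, or host unreachable.
        return False

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"  # assumed default
    for s in SUITES:
        print(f"{s}: needs {cert_type_for(s)} cert, accepted={probe(host, 25, s)}")
```

A server holding only an RSA certificate should accept the first suite and refuse the second; this tests the MTA's server side only, which is the limitation the message already notes.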