On Thu, Dec 18, 2025 at 11:09:35AM +1100, Viktor Dukhovni wrote:

> Yes, the client may be at fault, though perhaps somewhat indirectly, as
> it might support ECC generally, but lack the associated ECC root CA in
> its CA trust store.  And its (also unwise) policy might simply be to
> require a trusted certificate (even absent MTA-STS or similar good
> reason to expect a validatable trust chain).

Well, actually, the client can reasonably expect a validatable chain in the
specific case of charite.de, because an MTA-STS policy is actually in
place (presumably since ~2019).

    $ hsdig -t txt _mta-sts.gmail.com
    ; NOERROR qr rd ra
    _mta-sts.gmail.com. IN TXT "v=STSv1; id=20190429T010101;"

    $ curl -sLo - https://mta-sts.charite.de/.well-known/mta-sts.txt; echo
    version: STSv1
    mode: enforce
    mx: mail-cbf-ext.charite.de
    mx: mail-cvk-ext.charite.de
    max_age: 1209600

The lines of that "mta-sts.txt" file are not quite conformant with
RFC8461, which specifies <CRLF> not <LF> line separators.  And it might
be prudent to also use a <CRLF> terminator for the last line, even
though that's not strictly required.

    https://datatracker.ietf.org/doc/html/rfc8461#section-3.2
    ...
    This resource contains the following CRLF-separated key/value pairs:
    ...

The ECDSA chain is:

    $ posttls-finger -cC -Lsummary -lsecure -F /etc/pki/tls/cert.pem "[mail-cbf-ext.charite.de]"
    posttls-finger: Verified TLS connection established to mail-cbf-ext.charite.de[193.175.73.208]:25:
        TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519
        server-signature ECDSA (prime256v1) server-digest SHA256

    ---
    Certificate chain
     0 subject: /C=DE/ST=Berlin/O=Charite - Universitaetsmedizin Berlin/CN=mail-cbf-ext.charite.de
        issuer: /C=GR/O=Hellenic Academic and Research Institutions CA/CN=GEANT TLS ECC 1
       cert digest=53:4A:F7:70:73:80:EF:38:8E:30:E3:74:7A:73:F3:81:EB:B1:1E:EE:D1:2E:4C:55:12:3C:F0:C4:32:9D:74:F9
       pkey digest=85:DB:24:0C:0A:25:51:D3:25:01:9D:4B:06:64:A9:2F:6A:A8:9E:15:9B:B3:67:FB:9D:5E:92:86:1C:A8:08:A3
     1 subject: /C=GR/O=Hellenic Academic and Research Institutions CA/CN=GEANT TLS ECC 1
        issuer: /C=GR/O=Hellenic Academic and Research Institutions CA/CN=HARICA TLS ECC Root CA 2021
       cert digest=6C:DF:0B:A1:71:1E:85:6D:22:8B:A0:0C:A0:4C:5C:1C:3D:79:94:4C:03:7B:71:3B:15:5A:4E:E4:B4:7E:C5:3C
       pkey digest=7A:31:4A:07:27:73:D7:96:75:37:53:FE:6F:9C:00:D4:12:CA:DB:C3:B7:BC:B9:DF:ED:C5:10:5B:8A:EA:DF:EA
     2 subject: /C=GR/O=Hellenic Academic and Research Institutions CA/CN=HARICA TLS ECC Root CA 2021
        issuer: /C=GR/L=Athens/O=Hellenic Academic and Research Institutions Cert. Authority/CN=Hellenic Academic and Research Institutions ECC RootCA 2015
       cert digest=50:E2:7F:90:EB:6A:F4:95:B0:E6:EE:B6:55:CC:89:44:4C:27:D3:C9:5B:68:23:FA:02:AB:DC:95:F1:63:6A:E1
       pkey digest=FC:78:43:00:EC:8D:F4:D3:D1:BA:D7:63:83:51:82:91:8D:52:A9:FF:02:38:BD:F6:95:A1:CD:9B:DB:98:32:1C

The "Hellenic Academic and Research Institutions ECC RootCA 2015" root
CA does not appear to have a cross-certificate from any other root
CA (at least not in the CT logs): https://crt.sh/?caid=14546

So, if mimecast for some reason don't include it in their trust store,
charite.de are out of luck for that ECC chain.  No idea where mimecast
get their trusted roots from; it is included in recent Fedora trusted
CA lists:

    $ grep -C1 'Hellenic Academic and Research Institutions ECC RootCA 2015' /etc/pki/tls/cert.pem

    # Hellenic Academic and Research Institutions ECC RootCA 2015
    -----BEGIN CERTIFICATE-----

-- 
    Viktor.  🇺🇦 Слава Україні!
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
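An added example, not part of the message above: a small MTA-STS policy checker that parses an mta-sts.txt body the way RFC 8461 section 3.2 describes (CRLF-separated key/value pairs), flags the bare-LF form seen above rather than rejecting it, validates the required fields, and then tests whether a given MX hostname is covered by the policy's "mx" entries. The single-label reading of the "*." wildcard follows RFC 8461 section 4.1; the sample policy body is constructed from the charite.de policy quoted above.

```python
import re
from dataclasses import dataclass

@dataclass
class StsPolicy:
    mode: str
    mx: list
    max_age: int
    crlf_conformant: bool   # False when the file used bare LF separators

def parse_mta_sts(body: str) -> StsPolicy:
    """Parse an RFC 8461 mta-sts.txt body; raise ValueError if it is unusable."""
    # RFC 8461 section 3.2: key/value pairs are CRLF-separated. A bare-LF file is
    # accepted here (as MTAs generally do) but flagged so operators can fix it.
    crlf_ok = "\n" not in body.replace("\r\n", "")
    fields, mx = {}, []
    for line in filter(str.strip, re.split(r"\r\n|\n", body)):
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            mx.append(value.lower().rstrip("."))
        elif key in fields:
            raise ValueError(f"duplicate key: {key}")
        else:
            fields[key] = value
    if fields.get("version") != "STSv1":
        raise ValueError("unsupported or missing version")
    mode = fields.get("mode")
    if mode not in ("enforce", "testing", "none"):
        raise ValueError(f"bad mode: {mode!r}")
    if not fields.get("max_age", "").isdigit():
        raise ValueError("max_age must be a non-negative integer")
    return StsPolicy(mode, mx, int(fields["max_age"]), crlf_ok)

def mx_matches(policy: StsPolicy, host: str) -> bool:
    """True if host matches an mx entry exactly or via a one-label '*.' wildcard."""
    host = host.lower().rstrip(".")
    for pattern in policy.mx:
        if pattern.startswith("*."):
            # The wildcard stands for exactly one leftmost label (RFC 8461 section 4.1).
            if "." in host and host.split(".", 1)[1] == pattern[2:]:
                return True
        elif host == pattern:
            return True
    return False

# Constructed sample: the charite.de policy body as served, with bare LF line ends.
SAMPLE_LF = "version: STSv1\nmode: enforce\nmx: mail-cbf-ext.charite.de\nmx: mail-cvk-ext.charite.de\nmax_age: 1209600\n"
```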
