On Sun, Nov 23, 2025 at 02:37:56PM +0100, Geert Hendrickx via Postfix-users 
wrote:

> On Sun, Nov 23, 2025 at 11:04:20 +1100, Viktor Dukhovni via Postfix-users 
> wrote:
> > So in practice, for most users, your "chain files" should have just an
> > RSA (2048-bit) or just an ECDSA (P-256) certificate.  You don't need
> > multiple chains, unless you're particularly sophisticated in your needs
> > and understanding.
> 
> Are you sure that just an ECDSA certificate is sufficient nowadays?
> (without RSA fallback)

There are many servers with just ECDSA certificates these days; they
somehow get by.  But, sure, if one wants to be extra cautious, then RSA
would be a slightly safer bet.  FWIW, my own "mainstream" certificate is
RSA.

> From my data, I still see a tiny but non-zero amount of senders that only
> support RSA, including some high-profile ones (banks).

Any particular ones?

> And it's usually not because of an outdated implementation, as e.g. they
> do support AES-GCM over TLSv1.2, or even TLSv1.3, and still negotiate RSA.
>
> So I suspect it's rather a configuration issue: having an RSA certificate
> on the server side, they perhaps disabled ECDSA completely, unknowingly
> also impacting their client side TLS capabilities?

It seems as clients, and you have "tls_preempt_cipherlist = yes"?  And
both RSA and ECDSA certs, but the banks don't offer RSA signature
algorithms and/or TLS 1.2 ciphersuites?

> > Fortunately, all clients that expect to communicate on today's Internet
> > support both RSA and ECDSA, since a large fraction of servers have
> > certificates for one of these and not the other.
> 
> No, unfortunately, RSA-only clients won't fail to communicate with
> ECDSA-only servers; they will just fall back to clear text. :-(

Well, it may be time to stop pretending they're not the problem, let
them suffer.

-- 
    Viktor.  🇺🇦 Слава Україні!
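An added illustration of the measurement Geert describes ("from my data"), not part of this thread and not Postfix's own code: a small Python script that reads Postfix TLS session log lines and reports which senders only ever negotiated an RSA server certificate, i.e. the ones that would drop to cleartext if the RSA chain were removed. The sample lines are constructed to approximate the Postfix 3.4+ log format, and the regex is an assumption to check against your own logs.

```python
import re
from collections import defaultdict

# Matches Postfix smtpd ("from") and smtp client ("to") TLS session log lines.
# Postfix 3.4 and later append "key-exchange ... server-signature ..." fields;
# older versions only log the cipher name.  The regex tolerates both (assumed format).
LINE_RE = re.compile(
    r"TLS connection established (?:from|to) (?P<peer>[^\[\s]+)\[[^\]]*\](?::\d+)?: "
    r"(?P<proto>TLSv[\d.]+) with cipher (?P<cipher>\S+)(?: \(\d+/\d+ bits\))?"
    r"(?: key-exchange (?P<kx>\S+))?"
    r"(?: server-signature (?P<sig>RSA(?:-PSS)?|ECDSA|Ed25519|Ed448)(?: \([^)]*\))?)?"
)

# Constructed sample lines approximating the Postfix log format (not real traffic).
SAMPLE_LOG = """\
Nov 23 14:00:01 mx postfix/smtpd[101]: Anonymous TLS connection established from mta.bank.example[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Nov 23 14:00:02 mx postfix/smtpd[102]: Anonymous TLS connection established from out.mail.example[192.0.2.20]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256
Nov 23 14:00:03 mx postfix/smtpd[103]: Anonymous TLS connection established from mta.bank.example[192.0.2.11]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
Nov 23 14:00:04 mx postfix/smtpd[104]: Anonymous TLS connection established from out.mail.example[192.0.2.21]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
""".splitlines()


def auth_algorithm(cipher, sig):
    """Classify one session's server-certificate algorithm as RSA/ECDSA/EdDSA/unknown."""
    if sig:                                    # explicit field (Postfix >= 3.4)
        return "RSA" if sig.startswith("RSA") else "ECDSA" if sig == "ECDSA" else "EdDSA"
    if "ECDSA" in cipher:                      # TLS 1.2 suite names encode the auth type
        return "ECDSA"
    if "RSA" in cipher or cipher.startswith("AES"):   # ECDHE-RSA-*, DHE-RSA-*, static RSA
        return "RSA"
    return "unknown"                           # e.g. TLS 1.3 suite without signature field


def classify_log(lines):
    """Map each peer hostname to the set of certificate algorithms it negotiated."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            seen[m.group("peer")].add(auth_algorithm(m.group("cipher"), m.group("sig")))
    return dict(seen)


def rsa_only_peers(lines):
    """Peers that never negotiated anything but RSA: the senders that would
    silently fall back to cleartext if the RSA chain were removed."""
    return sorted(peer for peer, algs in classify_log(lines).items() if algs == {"RSA"})


if __name__ == "__main__":
    for peer, algs in sorted(classify_log(SAMPLE_LOG).items()):
        print(f"{peer:24s} {', '.join(sorted(algs))}")
    print("RSA-only:", rsa_only_peers(SAMPLE_LOG))
```

Run it over a real `mail.log` (one line per list element) before switching a server to an ECDSA-only chain, so the decision rests on observed sender capabilities rather than assumptions.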
_______________________________________________
Postfix-users mailing list -- [email protected]