We recently had this error when our postfix MTA tried to encrypt a connection via TLS:
postfix/smtp[20716]: warning: TLS library problem: 20716:error:1408D13A:SSL routines:SSL3_GET_KEY_EXCHANGE:unable to find ecdh parameters:s3_clnt.c:1336:
The certificate of the remote site looks like this (serial No., subject and keys manipulated/replaced):
openssl x509 -noout -text -in cert.cer -inform der
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA
        Validity
            Not Before: Dec 01 00:00:00 2016 GMT
            Not After : Dec 01 00:00:00 2019 GMT
        Subject: C=XX, ST=XX, L=XX, O=XX, OU=XX, CN=XX
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:b7:6b:35:b6:f7:42:84:ed:b3:e7:82:94:e2:84:
                    f5:92:6b:16:f6:87:65:b7:fb:e4:eb:9b:59:37:45:
                    53:9d:6f:41:94:2d:1b:17:d2:8f:f8:ce:6e:88:9b:
                    79:f5:93:3b:77:de:cb:19:b4:3e:d4:49:29:5f:80:
                    7b:6b:10:30:e9:b3:6f:bb:5e:9f:93:b5:f3:89:f7:
                    09:31:25:80:6b:89:0e:16:69:84:49:42:4f:c9:b8:
                    d7:8d:36:2e:c2:b4:d1:57:6e:fd:4d:54:b1:0e:42:
                    b7:c9:fd:92:be:eb:e4:bd:85:20:fb:48:4b:c4:5c:
                    ee:e2:15:96:29:e8:0b:18:0d:39:e7:91:b8:92:9f:
                    b5:0e:6d:8f:91:50:90:98:d1:b0:44:8d:99:b8:51:
                    63:6b:7d:3f:30:b4:11:e9:99:b5:98:7b:3d:7d:e8:
                    30:4b:80:c3:11:56:b0:fb:7c:6b:74:79:1b:37:4f:
                    15:81:79:29:e9:cf:be:b9:0f:d1:1b:6f:7d:67:db:
                    7e:c4:35:14:18:e6:6e:e1:ec:98:76:9c:78:60:61:
                    08:4f:9b:4b:bb:14:f7:bd:2b:bb:f3:2b:ed:41:37:
                    2c:5d:13:83:0e:0b:3b:18:13:3d:8b:dd:9b:bb:5d:
                    64:5c:b4:47:93:df:6b:bb:81:b7:fb:f5:6d:82:86:
                    6e:bb
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:0F:80:61:1C:82:31:61:D5:2F:28:E7:8D:46:38:B4:2C:E1:C6:D9:E2
            X509v3 Subject Key Identifier:
                4C:94:CA:33:70:FB:3E:6B:E7:34:24:CC:53:92:64:12:20:B9:8E:65
            X509v3 Subject Alternative Name:
                DNS:XX, DNS:XX, DNS:XX, DNS:XX
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 CRL Distribution Points:
                URI:http://crl3.digicert.com/ssca-sha2-g5.crl
                URI:http://crl4.digicert.com/ssca-sha2-g5.crl
            X509v3 Certificate Policies:
                Policy: 2.16.840.1.114412.1.1
                  CPS: https://www.digicert.com/CPS
                Policy: 2.23.140.1.2.2
            Authority Information Access:
                OCSP - URI:http://ocsp.digicert.com
                CA Issuers - URI:http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt
            X509v3 Basic Constraints: critical
                CA:FALSE
    Signature Algorithm: sha256WithRSAEncryption
        27:be:23:6c:21:9f:eb:44:52:3b:cc:0f:b0:b4:52:40:b6:1c:
        91:ef:87:c6:44:98:8b:7c:e9:3b:db:15:d0:11:26:cb:02:8e:
        e6:e6:eb:fb:89:3c:fd:56:fb:00:cb:e5:32:56:96:92:7e:11:
        3b:bb:52:66:f0:d5:58:b8:c9:83:e4:bf:5d:15:ed:29:7f:b5:
        07:04:3b:15:b3:4c:c1:d0:08:d7:e8:26:b7:3c:e0:d0:42:46:
        22:35:b6:0d:cf:c3:14:30:e0:0b:18:6f:fb:fb:26:79:45:e9:
        78:b9:dc:f2:eb:e4:b6:d2:65:8c:c7:cb:86:52:bf:e1:3b:fb:
        83:04:d3:94:fb:14:e8:0b:ef:f1:5e:cb:45:02:bd:fd:cb:8f:
        1f:56:8d:f5:4d:b0:b1:52:1b:26:c8:bb:58:20:f7:93:e2:b8:
        12:cf:42:4b:f8:07:de:d2:9e:f6:f1:2c:79:eb:f1:bc:3f:cb:
        2d:02:17:7b:e3:00:be:7b:78:2b:96:d8:30:e6:c3:99:87:df:
        2b:19:6f:cd:37:15:1b:bb:99:61:07:cb:71:27:5d:57:9b:2d:
        b8:03:c3:5c:3e:ef:1f:3e:38:3c:27:e9:7b:e5:cc:ce:90:7c:
        bb:bc:f9:cf:b4:27:75:81:f4:f6:b4:e0:7b:3b:02:6f:f4:8e:
        95:90:06:92
On our side SSLv2 and SSLv3 are disabled. The remote side claims this is true for them also. They are using MS Exchange as the MTA…
Does anyone have an idea what this error message is related to?
Best Answer
This problem has been solved, please find the solution/workaround here:
Disabling a cipher / cipher suite in postfix / TLS for specific recipient
Some aftermath: The openssl version we use (0.9.8j-fips 07 Jan 2009) has limited support for elliptic curve ciphers. It says
Because the recipient has Exchange Server 2016 CU4 running, it requests an ECDH cipher with unsupported parameters. Telling postfix (via tls_policy_map) to exclude ECDH ciphers from the supported set for key exchange (exclude=kECDH), the remaining ciphers do the job.
Thanks to all who have contributed to the solution.
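As an added example (it is not part of the question or the answer above), here is the per-destination policy the answer describes, written out as a small POSIX shell script: it generates the policy map source for one peer, prints the main.cf lines that activate it, shows the "!kECDH" fragment Postfix appends to the OpenSSL cipherlist for that destination, and lists which suites the local OpenSSL still offers once that exclusion is applied. The domain exchange.example.com, the output directory and the helper names are assumptions made for the example; the parameter name smtp_tls_policy_maps and the map syntax are the documented ones from postconf(5) (the answer abbreviates the parameter as tls_policy_map). postmap and postfix reload are only run if they are installed, so the script can be dry-run on any machine.

```shell
#!/bin/sh
# Added example: restrict the cipherlist for a single destination in Postfix.
# Domain, directory and helper names are assumptions; map syntax per postconf(5).
set -eu

# write_policy DIR DOMAIN: create the smtp_tls_policy_maps source file and print its path.
# Entry format:  <destination> <level> [exclude=<cipher or alias>[:...]]
# "may" keeps opportunistic TLS for this peer; Postfix appends every excluded
# name as "!name" to the cipherlist it hands OpenSSL for this destination only.
# The list is colon-separated because the attribute itself cannot contain spaces.
write_policy() {
    dir=$1; domain=$2
    printf '%s may exclude=kECDH\n' "$domain" > "$dir/tls_policy"
    printf '%s\n' "$dir/tls_policy"
}

# main_cf_lines DIR: the main.cf settings that activate the map (hash: type needs postmap).
main_cf_lines() {
    printf 'smtp_tls_security_level = may\n'
    printf 'smtp_tls_policy_maps = hash:%s/tls_policy\n' "$1"
}

# policy_for FILE DOMAIN: print the policy line for DOMAIN, or nothing if unmatched.
policy_for() {
    awk -v d="$2" '$1 == d { print }' "$1"
}

# exclude_string FILE DOMAIN: the "!..." fragment Postfix will append for DOMAIN,
# derived from the exclude= attribute of that destination's policy line.
exclude_string() {
    policy_for "$1" "$2" | awk '{
        for (i = 3; i <= NF; i++) if ($i ~ /^exclude=/) {
            sub(/^exclude=/, "", $i); n = split($i, a, ":")
            for (j = 1; j <= n; j++) printf "%s!%s", (j > 1 ? ":" : ""), a[j]
            print ""
        }
    }'
}

# remaining_suites EXCL: suite names the local OpenSSL still offers with EXCL
# (e.g. "!kECDH") applied; prints nothing if openssl is not installed.
# Run this on the MTA host to confirm RSA key-exchange suites survive the exclusion.
remaining_suites() {
    if command -v openssl >/dev/null 2>&1; then
        openssl ciphers -v "ALL:!aNULL:$1" | awk '{ print $1 }'
    fi
}

# apply DIR DOMAIN: write the map and print the main.cf lines; build the .db and
# reload only when the Postfix tools are present (otherwise this is a dry run).
apply() {
    f=$(write_policy "$1" "$2")
    main_cf_lines "$1"
    if command -v postmap >/dev/null 2>&1; then
        postmap "$f"        # produces DIR/tls_policy.db
        postfix reload
    fi
}

# Usage:  sh tls_policy.sh /etc/postfix exchange.example.com
if [ $# -ge 2 ]; then
    apply "$1" "$2"
fi
```

Because the exclusion lives in the policy map rather than in smtp_tls_exclude_ciphers, every other destination keeps ECDHE. Check remaining_suites '!kECDH' before deploying: the list should still contain RSA key-exchange suites such as AES128-SHA, and if it comes back unchanged, your OpenSSL may only know the ephemeral alias under the name kECDHE (also spelled kEECDH), so use the name your library recognizes.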