
MTAs supporting TLS with ECC

Hi there,

 

I was wondering if anybody could estimate whether the use of an elliptic curve certificate for mail TLS is supported by most MTAs?

We gave that a try about 2 years ago but rolled back to an RSA cert because many MTAs dropped the connection.

 

I also did not find any statistics about its usage.

 

Kind regards,

Andi



  • Hallo Andi and welcome to the UTM Community!

    I Googled "elliptic curve certificate mta acceptance rate" and found this comment by Digicert:

    "While ECC has some benefits, there are also major drawbacks that you should consider before moving to ECC. Most importantly, not all browsers and servers support ECC certificates and support in mobile platforms has not been thoroughly tested. Another concern is that while ECC is faster overall, the ECC signature verification can be a computationally intensive task and may be slower than RSA on some devices."

    If you decide to try it and monitor the SMTP log, please let us know your results.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

     

    thanks for your answer.

    Yes, I also found this statement while searching about some kind of acceptance rate, statistics or something like that.

    I also do not know when this was published.

     

    I think it would be easier to wait some more time and use an RSA certificate.

     

    Cheers,

    Andi

  • ## UPDATED ##

    Hi Andi,

    I'm testing it at the moment and am encountering serious problems with the Exim MTA on the UTM.

    The result is that no TLS is possible yet.

    A support case has been created. When a solution is available I'll post the feedback.

    # UPDATE 10 September 2020 #

    A support case is currently open. Preliminary research pointed out the following:

    The current Exim version does not support ECC at all (https://bugs.exim.org/show_bug.cgi?id=1397).

    Errors in the smtp.log will show the following:

    error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher

    TLS client disconnected cleanly (rejected our certificate?)

    This is supposed to go in the direction of GES/DEV in a short while.

    I'll keep you updated on this.

     

     

    Regards,

     

    Arno
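Added example, not part of the original thread and not code from Sophos or the Exim project: a small Python script that does the smtp.log monitoring Bob suggested, keyed on the two error signatures Arno posted. It classifies each line as a successful TLS session, a plaintext delivery, a "no shared cipher" handshake failure or a "rejected our certificate?" disconnect, groups the results by remote host, and derives the kind of acceptance figure Andi was looking for. The sample lines are constructed and only loosely modelled on Exim's main log format (the `H=host [ip]`, `P=esmtps` and `X=proto:cipher:bits` fields); the regular expressions, field order and function names are assumptions for this example, so adjust them to what your UTM version actually writes.

```python
import re
from collections import defaultdict

# Constructed sample log, loosely modelled on Exim's main log format as seen on a
# Sophos UTM. Assumption: field order on a real system may differ; adjust the
# regexes below if it does. Hosts and addresses use documentation ranges.
SAMPLE_SMTP_LOG = """\
2020-09-10 09:12:01 1kGa1b-0001Aa-Bc <= alice@example.org H=mx1.example.org [192.0.2.10] P=esmtps X=TLSv1.2:ECDHE-ECDSA-AES256-GCM-SHA384:256 S=2311
2020-09-10 09:13:44 TLS error on connection from mx2.example.net [198.51.100.7] (SSL_accept): error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
2020-09-10 09:13:45 TLS client disconnected cleanly (rejected our certificate?) from mx2.example.net [198.51.100.7]
2020-09-10 09:20:10 1kGa9x-0002Bb-Cd <= bob@example.net H=mx2.example.net [198.51.100.7] P=esmtp S=1803
2020-09-10 09:31:02 1kGaKk-0003Cc-De <= carol@example.com H=mx3.example.com [203.0.113.5] P=esmtps X=TLSv1.3:TLS_AES_256_GCM_SHA384:256 S=990
2020-09-10 09:40:30 TLS error on connection from legacy.example.edu [203.0.113.99] (SSL_accept): error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
"""

# Remote host appears either as "H=host [ip]" (message lines) or "from host [ip]" (TLS error lines).
HOST_RE = re.compile(r"(?:H=|from )(?P<host>\S+) \[(?P<ip>[^\]]+)\]")
# Successful TLS: Exim records protocol:cipher:bits in the X= field.
TLS_OK_RE = re.compile(r"\bX=(?P<proto>[^:\s]+):(?P<cipher>[^:\s]+):")
# Plaintext delivery: P=smtp or P=esmtp without the trailing "s".
PLAIN_RE = re.compile(r"\bP=e?smtp\b")

# The two failure strings quoted in the thread.
NO_SHARED_CIPHER = "no shared cipher"
CERT_REJECTED = "rejected our certificate?"


def classify(line):
    """Return the event type for one log line, or None if it is not TLS-relevant."""
    if NO_SHARED_CIPHER in line:
        return "no_shared_cipher"
    if CERT_REJECTED in line:
        return "cert_rejected"
    if TLS_OK_RE.search(line):
        return "tls_ok"
    if PLAIN_RE.search(line):
        return "plaintext"
    return None


def summarize(log_text):
    """Group events per remote host and collect the cipher suites that succeeded."""
    stats = defaultdict(lambda: {"tls_ok": 0, "plaintext": 0, "no_shared_cipher": 0,
                                 "cert_rejected": 0, "ciphers": set()})
    for line in log_text.splitlines():
        kind = classify(line)
        if kind is None:
            continue
        hm = HOST_RE.search(line)
        host = hm.group("host") if hm else "<unknown>"
        entry = stats[host]
        entry[kind] += 1
        if kind == "tls_ok":
            entry["ciphers"].add(TLS_OK_RE.search(line).group("cipher"))
    return dict(stats)


def acceptance_report(stats):
    """Which peers completed TLS against our certificate, which never did, and
    which of those delivered in plaintext afterwards (the real downgrade risk)."""
    accepted = sorted(h for h, s in stats.items() if s["tls_ok"] > 0)
    failed = sorted(h for h, s in stats.items()
                    if s["tls_ok"] == 0 and (s["no_shared_cipher"] or s["cert_rejected"]))
    fell_back = sorted(h for h in failed if stats[h]["plaintext"] > 0)
    total = len(accepted) + len(failed)
    return {
        "accepted": accepted,
        "failed": failed,
        "fell_back_to_plaintext": fell_back,
        "acceptance_rate": (len(accepted) / total) if total else 0.0,
    }


if __name__ == "__main__":
    report = acceptance_report(summarize(SAMPLE_SMTP_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against a real log with `summarize(open("/var/log/smtp.log").read())`. The `fell_back_to_plaintext` list is the number to watch: a peer that cannot agree on a cipher suite with an ECDSA-only server certificate (its offer contains only RSA-authenticated suites, so nothing can authenticate the server) will typically retry without STARTTLS, so the ECC switch silently turns encrypted delivery into plaintext for exactly those peers. Where the MTA supports it, offering both an RSA and an ECDSA certificate avoids that downgrade.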

  • ## Latest Update ##

    The development team has planned to resolve this issue in firmware version 9.706 MR6.
    This version is currently expected to be released by the end of November, and this might change based on other priorities.

    (but support has a fix available with the Exim 4.86 patch)

    On my side the patch will be done soon, and I will test it and report back to the community.