On 20/12/2018 12:37, Marc Roos wrote:
>
> You have to create your own ca, and then create the certificate. I doubt
> if you will be able to find companies like DigiCert or Comodo to do
> this.
>
> If you want, I can try sign it with our own 'internal' CA. The only
> thing you have to do is of course adding our CA to your ca bundle but
> that is very easy in CentOS7
>
Thank you, Marc.

We created our own CA and certificates just fine. The problem is that
SSL does not seem to like them giving the error I mentioned in the
previous message:

dovecot: imap-login: Error: SSL: Stacked error: error:04075070:rsa routines:RSA_sign:digest too big for rsa key

What would an SSL+Dovecot expert do if this error was encountered? A
1024 bit key works just fine but we have to stick to 256.
<!doctype html>
<html>
<head>
<meta charset="UTF-8">
</head>
<body>
<div>
<br>
</div>
<blockquote type="cite">
<div>
On 20 December 2018 at 12:50 Stavros Tsolakos <
<a
href="mailto:stsolakos@gmail.com">stsolakos@gmail.com</a>>
wrote:
</div>
<div>
<br>
</div>
<div>
<br>
</div>
<div>
On 20/12/2018 12:37, Marc Roos wrote:
</div>
<blockquote type="cite">
<div>
<br>
</div>
<div>
You have to create your own ca, and then create the certificate. I doubt
</div>
<div>
if you will be able to find companies like DigiCert or Comodo to do
</div>
<div>
this.
</div>
<div>
<br>
</div>
<div>
If you want, I can try sign it with our own 'internal' CA. The only
</div>
<div>
thing you have to do is of course adding our CA to your ca bundle but
</div>
<div>
that is very easy in CentOS7
</div>
<div>
<br>
</div>
</blockquote>
<div>
Thank you, Marc.
</div>
<div>
<br>
</div>
<div>
We created our own CA and certificates just fine. The problem is that
</div>
<div>
SSL does not seem to like them giving the error I mentioned in the
</div>
<div>
previous message:
</div>
<div>
<br>
</div>
<div>
dovecot: imap-login: Error: SSL: Stacked error: error:04075070:rsa
</div>
<div>
routines:RSA_sign:digest too big for rsa key
</div>
<div>
<br>
</div>
<div>
What would an SSL+Dovecot expert do if this error was encountered? A
</div>
<div>
1024 bit key works just fine but we have to stick to 256.
</div>
</blockquote>
<div>
You need to use a weak TLS algorithm. 256 bit rsa key can contain less than
32 bytes of data so you need to use sha1 based tls algorithm.
</div>
<div>
<br>
</div>
<div class="io-ox-signature">
---
<br>Aki Tuomi
</div>
</body>
</html>
The problem is on creation of the key... Look at this topic
https://stackoverflow.com/a/15092703/8647326

On 12/20/2018 01:02 PM, Aki Tuomi wrote:
>
>> On 20 December 2018 at 12:50 Stavros Tsolakos < stsolakos at gmail.com
>> <mailto:stsolakos at gmail.com>> wrote:
>>
>>
>> On 20/12/2018 12:37, Marc Roos wrote:
>>>
>>> You have to create your own ca, and then create the certificate. I
>>> doubt
>>> if you will be able to find companies like DigiCert or Comodo to do
>>> this.
>>>
>>> If you want, I can try sign it with our own 'internal' CA. The only
>>> thing you have to do is of course adding our CA to your ca bundle but
>>> that is very easy in CentOS7
>>>
>> Thank you, Marc.
>>
>> We created our own CA and certificates just fine. The problem is that
>> SSL does not seem to like them giving the error I mentioned in the
>> previous message:
>>
>> dovecot: imap-login: Error: SSL: Stacked error: error:04075070:rsa
>> routines:RSA_sign:digest too big for rsa key
>>
>> What would an SSL+Dovecot expert do if this error was encountered? A
>> 1024 bit key works just fine but we have to stick to 256.
> You need to use a weak TLS algorithm. 256 bit rsa key can contain less
> than 32 bytes of data so you need to use sha1 based tls algorithm.
>
> ---
> Aki Tuomi
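The size arithmetic behind the "digest too big for rsa key" error discussed in this thread, as an added example that is not part of any message above. It assumes RSASSA-PKCS1-v1_5 signatures as specified in RFC 8017 (DigestInfo plus at least 11 bytes of padding); the function names are hypothetical.

```python
import hashlib

# DER DigestInfo prefixes from RFC 8017, section 9.2 (hash OID + header).
DIGEST_INFO_PREFIX = {
    "sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
    "sha384": bytes.fromhex("3041300d060960864801650304020205000430"),
    "sha512": bytes.fromhex("3051300d060960864801650304020305000440"),
}
# 0x00 0x01, at least eight 0xff padding bytes, then a 0x00 separator.
MIN_PADDING = 11


def min_key_bytes(hash_name):
    """Smallest modulus length (bytes) that can carry this digest."""
    digest_len = hashlib.new(hash_name).digest_size
    return len(DIGEST_INFO_PREFIX[hash_name]) + digest_len + MIN_PADDING


def usable_digests(key_bits):
    """Digests whose PKCS#1 v1.5 encoding fits a modulus of key_bits."""
    k = (key_bits + 7) // 8
    return [h for h in DIGEST_INFO_PREFIX if min_key_bytes(h) <= k]


def emsa_pkcs1_v15_encode(message, hash_name, key_bits):
    """Build the block that gets RSA-signed; raise if the key is too short."""
    k = (key_bits + 7) // 8
    t = DIGEST_INFO_PREFIX[hash_name] + hashlib.new(hash_name, message).digest()
    if k < len(t) + MIN_PADDING:
        # Same size condition the RFC calls "intended encoded message
        # length too short"; wording borrowed from the error in the thread.
        raise ValueError(
            f"digest too big for rsa key: {hash_name} needs "
            f"{len(t) + MIN_PADDING} bytes, modulus has {k}"
        )
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


if __name__ == "__main__":
    for bits in (256, 512, 1024):  # 256 and 1024 are the sizes from the thread
        print(bits, "bit key:", usable_digests(bits) or "no digest fits")
    for name in DIGEST_INFO_PREFIX:
        print(name, "needs at least", min_key_bytes(name), "byte modulus")
```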