> On May 8, 2019, at 4:23 PM, Michael Richardson <mcr@xxxxxxxxxxxx> wrote:
>
> My questions about the documentation of the callbacks remain.
> Having solved the problem, I'm pretty certain the "no shared cipher"
> error message is way too overloaded.

It sounds like you failed to load a matching key pair into the server's SSL
context (something that you would typically check as part of setting the
certificate chain and private key). Once the server context has no signing
keys, it can only negotiate anon-DHE and anon-ECDHE ciphers, but the client
did not offer these, so you got "no shared cipher", which is in fact correct.

> Some piece of code is clearly doing something useful, which is to check if
> the public/private key match. Unfortunately, that code is not announcing
> the mismatch in a useful way.

The check is done at configuration time. You're likely not doing the key
setup "by the book":

https://github.com/vdukhovni/postfix/blob/master/postfix/src/tls/tls_certkey.c#L600-L623

--
Viktor.
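An added illustration of the configuration-time check described above, written for this page and not taken from the thread or from Postfix: Python's stdlib ssl module's load_cert_chain() performs the by-the-book sequence (SSL_CTX_use_certificate_chain_file, SSL_CTX_use_PrivateKey_file, SSL_CTX_check_private_key), so a mismatched key is reported when the context is set up instead of leaving a keyless server that can only fail later with "no shared cipher". It assumes the openssl command-line tool is installed to generate throw-away keys; the helper names and demo() are my own.

```python
import os
import shutil
import ssl
import subprocess
import tempfile


def openssl_available():
    """True when the openssl CLI (an assumed dependency, used only for key generation) is on PATH."""
    return shutil.which("openssl") is not None


def make_self_signed(directory, name):
    """Generate a throw-away RSA key and self-signed cert (constructed test data)."""
    cert = os.path.join(directory, name + ".crt")
    key = os.path.join(directory, name + ".key")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key, "-out", cert, "-days", "1", "-subj", "/CN=" + name],
        check=True, capture_output=True,
    )
    return cert, key


def configure_server_context(certfile, keyfile):
    """Install chain + key into a server context and refuse to proceed unless
    the key matches the certificate. Returns (ctx, None) on success and
    (None, message) on failure, so the caller cannot silently run keyless."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        # load_cert_chain = SSL_CTX_use_certificate_chain_file +
        # SSL_CTX_use_PrivateKey_file + SSL_CTX_check_private_key
        ctx.load_cert_chain(certfile, keyfile)
    except ssl.SSLError as e:
        # OpenSSL's own wording, e.g. "[X509: KEY_VALUES_MISMATCH] key values mismatch"
        return None, "cannot use %s with %s: %s" % (certfile, keyfile, e.strerror)
    except OSError as e:
        return None, "cannot read %s or %s: %s" % (certfile, keyfile, e.strerror)
    # A context that reaches this point has signing keys, so clients offering
    # ordinary certificate-authenticated suites will not see "no shared cipher".
    return ctx, None


def demo():
    """Matching pair loads; cert A with key B is rejected before any handshake."""
    with tempfile.TemporaryDirectory() as d:
        cert_a, key_a = make_self_signed(d, "server-a")
        _cert_b, key_b = make_self_signed(d, "server-b")
        good_ctx, good_err = configure_server_context(cert_a, key_a)
        bad_ctx, bad_err = configure_server_context(cert_a, key_b)
    return good_ctx is not None and good_err is None, bad_ctx is None, bad_err


if __name__ == "__main__":
    print(demo())
```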