EC PARAMETERS in privkey.pem break postfix smtpd_tls_chain_file #423

Closed
opened 2025-12-29 01:24:53 +01:00 by adam · 7 comments

Originally created by @jcastle-gh on GitHub (Jul 25, 2019).

The privkey.pem contains an EC PARAMETERS pem object followed by the EC PRIVATE KEY pem object. The EC PARAMETERS object is unnecessary because it just contains the name of the standard curve which is already encoded in the key itself. Most software ignores the parameters object but some doesn't and breaks.

For example, in postfix before version 3.4 the EC key file is set in the "smtpd_tls_eckey_file" variable and it is read using SSL_CTX_use_PrivateKey_file() which skips over and discards the EC PARAMETERS object. But postfix 3.4 added a new "smtpd_tls_chain_files" variable which sets all the various key and cert files in one variable, and then postfix reads the files using different code that doesn't tolerate EC PARAMETERS and throws an error:

```
warning: error loading privkey.pem: unexpected PEM type: EC PARAMETERS
warning: error loading private keys and certificates from: privkey.pem,fullchain.pem: disabling TLS support
```

Adding a "-noout" switch to the "ecparam -genkey" command tells it not to output the unnecessary EC PARAMETERS object. The resulting key file works with software that would have tolerated it and with the new postfix which does not.

Here's a patch.
[ec_noout_patch.txt](https://github.com/lukas2511/dehydrated/files/3429747/ec_noout_patch.txt)
adam closed this issue 2025-12-29 01:24:54 +01:00

@jcastle-gh commented on GitHub (Jul 25, 2019):

For background, here are some links that led me to this solution as I was digging down.

An OpenSSL wiki suggesting using -noout to get rid of the EC parameters:
[trent.utfs.org wiki](https://trent.utfs.org/wiki/OpenSSL#Private_key)

A stack exchange post referenced above explaining what's going on:
[security.stackexchange.com](https://security.stackexchange.com/questions/29778/why-does-openssl-writes-ec-parameters-when-generating-private-key)

@lukas2511 commented on GitHub (Oct 4, 2019):

You can simply convert / strip / whatever the certificate using a `deploy_cert` hook. There is no need to do this in dehydrated itself.

@jcastle-gh commented on GitHub (Oct 19, 2019):

No software should need the EC PARAMETERS block, as I explained above, and the fix is very straightforward: add a "-noout" command line switch in one openssl call. But instead you're no-fixing it and choosing not to interoperate with a widely used application, and expecting users to figure out the unexpected error and hack around it in a hook script? With respect, that seems like a bad call to me.

Of course it is your call though, so I'll move on.

Dehydrated is nice work and it's working well for me. Thanks for making it.

@TokisanGames commented on GitHub (Jun 24, 2021):

For posterity and people searching for Postfix errors, just edit your key file, which looks something like this:

```
-----BEGIN EC PARAMETERS-----
BgUrgQQACg==
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
MHQCAQEEIKYV1xoz6smkpdMksfgI8/3465V02UZdaKj4JSH30bBhoAcGBSuBBAAK
oUQDQgAEO1O+/xRGEVJgBEAOQorBveXPTQS3c7MA+9R+HEMP7TkscI9FONPclcRb
5sXZJjYHNYWhvxuXdGl8QrFVRIVBYg==
-----END EC PRIVATE KEY-----
```

Remove the whole `ec parameters` block, save, restart postfix and any other software that references it. No need to regenerate the key and certificates.
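As an added example (not dehydrated's own code and not from any commenter), a POSIX shell `deploy_cert` hook that automates the manual edit above, i.e. the per-deploy conversion lukas2511 suggests instead of a change in dehydrated. It assumes dehydrated passes the hook `deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP`, and the sample key it writes is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Hypothetical dehydrated hook (added example, not dehydrated's own code):
# drop the "EC PARAMETERS" PEM object from the deployed private key so that
# postfix 3.4+ smtpd_tls_chain_files accepts the file. Only the key is touched.

# strip_ec_params IN OUT: copy every PEM object from IN to OUT except the
# EC PARAMETERS one. Lines between its BEGIN and END markers are skipped.
strip_ec_params() {
    awk '
        /^-----BEGIN EC PARAMETERS-----$/ { skip = 1 }
        !skip                              { print }
        /^-----END EC PARAMETERS-----$/   { skip = 0 }
    ' "$1" > "$2"
}

# has_ec_params FILE: succeed if FILE still carries an EC PARAMETERS object.
has_ec_params() {
    grep -q '^-----BEGIN EC PARAMETERS-----$' "$1"
}

# deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP
# (the argument order dehydrated uses for this hook is assumed here).
deploy_cert() {
    keyfile="$2"
    has_ec_params "$keyfile" || return 0
    tmp="$keyfile.noparams.$$"
    strip_ec_params "$keyfile" "$tmp" || { rm -f "$tmp"; return 1; }
    # Overwrite through the existing path rather than mv, so a symlinked
    # privkey.pem and its file mode are preserved.
    cat "$tmp" > "$keyfile"
    rm -f "$tmp"
    # A real hook would reload postfix here (e.g. postfix reload).
}

# make_sample_key FILE: write a constructed key file in the shape the thread
# shows. The parameters object is the secp256k1 OID; the key body is a
# placeholder, not a usable key.
make_sample_key() {
    cat > "$1" <<'EOF'
-----BEGIN EC PARAMETERS-----
BgUrgQQACg==
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
PLACEHOLDERKEYBODYNOTAREALKEY0000000000000000000000000000000000000
-----END EC PRIVATE KEY-----
EOF
}

# Dispatch the way dehydrated invokes hooks: hook.sh deploy_cert ARGS...
case "${1:-}" in deploy_cert) shift; deploy_cert "$@" ;; esac
```

After the hook runs, `openssl pkey -in privkey.pem -noout` still succeeds because the curve OID is carried inside the EC PRIVATE KEY object itself.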

@lukas2511 commented on GitHub (Oct 31, 2021):

`EC PARAMETERS` have been removed

@someone-somenet-org commented on GitHub (Jul 30, 2024):

The `-----BEGIN EC PARAMETERS-----` block is still there, `Dehydrated version: 0.7.0` as packaged on debian stable+backports.

@AgentOak commented on GitHub (Jul 30, 2024):

@someone-somenet-org As you can tell by reading the [changelog](https://github.com/dehydrated-io/dehydrated/releases/tag/v0.7.1), EC parameters have been removed in 0.7.1.

Debian is a point release distribution, i.e. software versions remain fixed; only security and important bugfixes are applied in between Debian releases. If you believe this bug is important enough to get a fix in the stable release you would have to ask on the Debian bugtracker.
Reference: starred/dehydrated#423