On Mon, 2009-11-30 at 16:34 +0100, Thomas Hummel wrote:
> Hello Timo,
>
> I'd like to check if my understanding of dovecot-1.2.x's SSL certificate
> handling is correct:
>
> SSL does not provide the server any mechanism to choose which certificate
> it must send relative to the name the client is using. Thus, if you want to
> use different certificates, you have to listen on different addresses. This is
> an SSL limitation, not a dovecot nor IMAP limitation.
>
> This is the reason why it's possible to use different certificates for IMAP
> and POP3. But it seems to work only with those two:
>
> As a matter of fact, even if you listen on different addresses, how would
> you tell dovecot to send this certificate for this address and that certificate
> for that address, since there is no IP dependent section (as in apache IP-based
> virtual host for instance)? It seems the only way would be to have more than
> one instance of dovecot (several dovecot with different config files).
>
> The problem is that some clients may be configured with mail.my.domain, some
> others with imap.my.domain, ...etc... Hence the need to have different
> certificates with those different names as cn.
>
The client compares the CN of the certificate with the hostname it has configured and warns on a mismatch. What you can do is have a multiple-subject certificate, that is, a certificate again with a single CN but with multiple alt subjects that should cover all the names that server may have. The client should support those kinds of certificates, of course.

-- 
Jose Celestino
SAPO.pt::Systems
http://www.sapo.pt
---------------------------------------------------------------------
* Progress (n.): The process through which Usenet has evolved from smart people in front of dumb terminals to dumb people in front of smart terminals.
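An added example, not part of the thread, of the name check a mail client performs against the server certificate: with a CN-only certificate only the one name passes, while a certificate carrying subject alternative names covers every name clients are configured with (mail.my.domain, imap.my.domain, ...). The certificate dicts are constructed sample data in the shape Python's `ssl` module returns from `getpeercert()`; the helper names are this example's own.

```python
"""Hostname check a mail client performs against a server certificate.

The certificate dicts mirror the structure ssl.SSLSocket.getpeercert()
returns, so hostname_matches() also works on a live connection; the two
certificates below are constructed sample data, not real certificates.
"""

# Constructed: a certificate with a single CN and no subjectAltName.
CN_ONLY_CERT = {
    "subject": ((("commonName", "mail.my.domain"),),),
}

# Constructed: same single CN, but alt names cover every name clients use.
SAN_CERT = {
    "subject": ((("commonName", "mail.my.domain"),),),
    "subjectAltName": (
        ("DNS", "mail.my.domain"),
        ("DNS", "imap.my.domain"),
        ("DNS", "pop.my.domain"),
    ),
}

CLIENT_NAMES = ["mail.my.domain", "imap.my.domain", "pop.my.domain"]


def _dns_match(pattern, hostname):
    """Case-insensitive DNS name match; a leading '*.' covers exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*.") and pattern.count("*") == 1:
        labels = hostname.split(".")
        # The wildcard must replace a real label: 'my.domain' is not '*.my.domain'.
        return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]
    return pattern == hostname


def hostname_matches(cert, hostname):
    """True if the configured hostname is covered by the certificate.

    When DNS entries exist in subjectAltName they are authoritative; the CN
    is consulted only as a fallback when there are none (RFC 6125 behaviour).
    """
    dns_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if dns_names:
        return any(_dns_match(p, hostname) for p in dns_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_match(value, hostname)
    return False


def coverage(cert, hostnames):
    """Map each hostname clients might use to whether this certificate covers it."""
    return {h: hostname_matches(cert, h) for h in hostnames}


if __name__ == "__main__":
    for label, cert in (("CN only", CN_ONLY_CERT), ("CN + SAN", SAN_CERT)):
        print(label, coverage(cert, CLIENT_NAMES))
```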