On Sun, 2010-05-16 at 00:52 +0100, Matthew Sackman wrote:
> After many hours of testing, I've finally tracked down the issue I have
> been having with dovecot's SSL support. The problem is that the SSL
> certs result in "TLS handshaking: SSL_accept() syscall failed:
> Connection reset by peer" errors *if the certificate granted is not
> granted for client use*.
Most likely client decided that the cert wasn't valid and disconnected.

> If you just do that, then the SSL certificate doesn't work in dovecot
> (it will work fine in Apache, or Postfix etc etc). You also need the
> certificate to be valid for client side work:
..
> I believe this is a fault with Dovecot.

Maybe it's just that the email clients don't like it, while web browsers don't care as much? Although I'd guess email clients also wouldn't like Postfix..

Anyway, I don't really know what I could do about this. Except add a check to log an error if keyUsage doesn't contain digitalSignature, but I don't know if that's a good idea either.
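The startup check proposed at the end of the reply, as an added example that is not part of the thread or of Dovecot: it builds two throwaway self-signed certificates with the third-party `cryptography` package (assumed available) and reports whether the keyUsage extension is missing digitalSignature, which is what a server could log instead of leaving only a "Connection reset by peer" in the log.

```python
# Added example, not Dovecot code: a keyUsage sanity check of the kind
# proposed above. Requires the third-party 'cryptography' package.
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID, ExtendedKeyUsageOID


def make_self_signed(digital_signature: bool) -> x509.Certificate:
    """Build a constructed, throwaway self-signed cert whose keyUsage
    either includes or omits digitalSignature (hostname is made up)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "mail.example.test")])
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.KeyUsage(
            digital_signature=digital_signature, key_encipherment=True,
            content_commitment=False, data_encipherment=False, key_agreement=False,
            key_cert_sign=False, crl_sign=False, encipher_only=False,
            decipher_only=False), critical=True)
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]),
                       critical=False)
        .sign(key, hashes.SHA256())
    )


def key_usage_problems(cert: x509.Certificate) -> list[str]:
    """Return the warnings a server could log at startup; empty means OK."""
    problems = []
    try:
        ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
    except x509.ExtensionNotFound:
        return problems  # no keyUsage extension means no restriction to check
    if not ku.digital_signature:
        problems.append("keyUsage lacks digitalSignature")
    return problems


if __name__ == "__main__":
    for flag in (False, True):
        print(flag, key_usage_problems(make_self_signed(flag)))
```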