On 13 November 2018 at 20:53 Arkadiusz Miśkiewicz < ar...@maven.pl> wrote:
Hi.
I'm considering dovecot migration from 2.2.36 run with openssl 1.0.2o to dovecot 2.3.3 run with openssl 1.1.1.
Currently I have both variants running with identical configs and certs (the only differences are due to config syntax changes in dovecot 2.3), so for example on both I have:
ssl_ca = </etc/openssl/certs/wildcard_ca.pem
(this file contains a single intermediate certificate of my CA)
ssl_cert = </etc/openssl/certs/wildcard_crt.pem
(this contains a single certificate for my *.example.com domain)
ssl_key = # hidden, use -P to show it
(and one key)
No alt certs in use.
Chain is:
- CA trusted by clients (this certificate isn't provided by my dovecot, it's not needed)
- wildcard_ca.pem - intermediate CA
- wildcard_crt.pem - wildcard certificate for my *.example.com domain
dovecot 2.2.36 behaviour is to provide wildcard_ca.pem and wildcard_crt.pem to the client - that behaviour is OK. Client has the full trust chain.
dovecot 2.3.3 provides only the wildcard_crt.pem certificate to the client, which is a big problem because the missing wildcard_ca.pem (intermediate certificate) breaks the chain and the client is not able to verify the trust chain.
Testing is done with simple:
openssl s_client -connect my.example.com:143 -starttls imap -servername my.example.com -showcerts
2.3.x announcements and upgrade wiki mention no such behaviour change, so I assume it is a regression.
Now doing
cat wildcard_ca.pem >> wildcard_crt.pem
solves the problem and dovecot starts providing both certs to clients, but if that's the proper way of solving this issue then what's the point of having the ssl_ca config setting?
Ideas?
--
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )
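The chain check behind the message above, as an added example that is not part of the thread: it builds a throwaway root, intermediate and leaf with the openssl CLI, then verifies what a client can do with the leaf alone (what 2.3 sends when ssl_cert holds only wildcard_crt.pem) versus leaf plus intermediate (the concatenated file). All names, subjects and paths are constructed for the demo; it assumes an openssl binary on PATH.

```shell
#!/bin/sh
# Added example (not from the thread): build a throwaway root -> intermediate ->
# leaf chain with the openssl CLI, then check what a client can verify when it is
# handed the leaf alone versus leaf + intermediate. All names and paths are
# constructed for this demo; nothing here is a real CA.
set -eu
WORK=$(mktemp -d)
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"

# Root CA: the one clients already trust; a server never needs to send it.
openssl req -newkey rsa:2048 -nodes -subj '/CN=Demo Root' \
  -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 \
  -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
# Intermediate CA: plays the role of wildcard_ca.pem in the thread.
openssl req -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate' \
  -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" 2>/dev/null
# Leaf: plays the role of wildcard_crt.pem.
openssl req -newkey rsa:2048 -nodes -subj '/CN=*.example.com' \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
  -CAcreateserial -days 2 -out "$WORK/leaf.pem" 2>/dev/null

# How many PEM certificates a file holds, i.e. how many the client is sent if
# the server hands out exactly this file (what -showcerts would list).
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Verify a server-style bundle (end-entity first, intermediates after it) the
# way a client does: only the root is trusted, everything in the bundle is
# untrusted input. Prints ok or fail and returns 0 or 1 accordingly.
verify_bundle() {
  bundle=$1; trust=$2
  openssl x509 -in "$bundle" -out "$WORK/first.pem" 2>/dev/null   # first cert = leaf
  if openssl verify -no-CApath -CAfile "$trust" -untrusted "$bundle" "$WORK/first.pem" >/dev/null 2>&1
  then echo ok; return 0
  else echo fail; return 1
  fi
}

# Leaf alone, as Dovecot 2.3 sends when ssl_cert holds only wildcard_crt.pem:
echo "leaf only: $(verify_bundle "$WORK/leaf.pem" "$WORK/root.pem" || true)"
# Leaf followed by the intermediate, i.e. the concatenated file from the thread:
cat "$WORK/leaf.pem" "$WORK/inter.pem" > "$WORK/chain.pem"
echo "leaf + intermediate: $(verify_bundle "$WORK/chain.pem" "$WORK/root.pem")"
```

The same verify_bundle check can be pointed at the output of the s_client -showcerts command from the message to confirm what a running server actually presents.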
Including ssl_ca with cert is not actually a good idea, but perhaps this should indeed be mentioned in the upgrading page. Not a regression in any case.
---
Aki Tuomi