ok thanks for your input
I finally tracked down the issue
It was how i was loading the certificates in the first place
that being said (and i must have missed this) 2.3.18 seems to allow
importing a cert from a program
thus sni config
local_name mail.paulkudla.net {
ssl_key =/programs/common/getssl.cert -k mail.paulkudla.net -q yes
ssl_cert =/programs/common/getssl.cert -r mail.paulkudla.net -q yes
ssl_ca =/programs/common/getssl.cert -i mail.paulkudla.net -q yes
}
would work instead of file pipes from individual text files.
#local_name mail.paulkudla.net {
# ssl_key =</usr/local/etc/dovecot/pk.key
# ssl_cert =</usr/local/etc/dovecot/pk.crt
# ssl_ca =</usr/local/etc/dovecot/pk.ca
#}
2.3.19 apparently no longer supports this?
aki is there a way to pipe the cert from a program file (as indicated above)
I am sure you can appreciate generating files for 1000+ ssl certs can
become a nightmare management wise
either that or a pgsql select ?
I have gone back to text files in the mean time ?
Happy Wednesday !!!
Thanks - paul
Paul Kudla
Scom.ca Internet Services <http://www.scom.ca>
004-1009 Byron Street South
Whitby, Ontario - Canada
L1N 4S3
Toronto 416.642.7266
Main 1.866.411.7266
Fax 1.888.892.7266
Email p...@scom.ca
On 10/11/2022 12:46 PM, Jochen Bern wrote:
On 11.10.22 17:46, Paul Kudla (SCOM.CA Internet Services Inc.) wrote:
ok according to
https://www.openssl.org/docs/man1.0.2/man5/x509v3_config.html
SAN is not a valid option along with CN
... I don't see that being said in the page you refer to?
Anyhow, "stop giving a CN, use SANs instead" is a rather recent
development coming from the CA/Browser Forum - and IIUC still not a
*requirement*, not even for web browsers/servers. I would be surprised
if OpenSSL (already) were trying to enforce that policy.
Hmmm, what's our company's "IMAPS server" throwing at my TB again ... ?
$ openssl s_client -connect outlook.office365.com:993 -showcerts |
openssl x509 -noout -text
[...]
Subject: C = US, ST = Washington, L = Redmond, O = Microsoft
Corporation, CN = outlook.com
[...]
X509v3 Subject Alternative Name:
DNS:*.clo.footprintdns.com, DNS:*.hotmail.com,
DNS:*.internal.outlook.com, [...]
... yeah, no, nothing that Thunderbird (from 69-ish to 102) should get
indigestion over.
Upoin further testing thunderbird seems to be locking onto the primary
domain (*.scom.ca) of the server skipp any sni setup ??
You might want to get a network trace of your Thunderbird talking to the
server to see what cert actually is presented by the server, and
ideally, what domain is requested by SNI (if at all). That all happens
before the connection starts to be encrypted, so you should be able to
read it (say, with Wireshark) without having to crack any crypto ...
Kind regards,