Hi! The pipe syntax has never worked, no idea why you think it would have. Unfortunately at the moment, files are your best option. I do understand the annoyance.
Aki > On 12/10/2022 13:54 EEST Paul Kudla (SCOM.CA Internet Services Inc.) > <p...@scom.ca> wrote: > > > ok thanks for your input > > I finally tracked down the issue > > It was how i was loading the certificates in the first place > > that being said (and i must have missed this) 2.3.18 seems to allow > importing a cert from a program > > thus sni config > > local_name mail.paulkudla.net { > ssl_key =/programs/common/getssl.cert -k mail.paulkudla.net -q yes > ssl_cert =/programs/common/getssl.cert -r mail.paulkudla.net -q yes > ssl_ca =/programs/common/getssl.cert -i mail.paulkudla.net -q yes > } > > would work instead of file pipes from individual text files. > > > #local_name mail.paulkudla.net { > # ssl_key =</usr/local/etc/dovecot/pk.key > # ssl_cert =</usr/local/etc/dovecot/pk.crt > # ssl_ca =</usr/local/etc/dovecot/pk.ca > #} > > 2.3.19 apparently no longer supports this? > > aki is there a way to pipe the cert from a program file (as indicated above) > > I am sure you can appreciate generating files for 1000+ ssl certs can > become a nightmare management wise > > either that or a pgsql select ? > > I have gone back to text files in the mean time ? > > > > Happy Wednesday !!! > Thanks - paul > > Paul Kudla > > > Scom.ca Internet Services <http://www.scom.ca> > 004-1009 Byron Street South > Whitby, Ontario - Canada > L1N 4S3 > > Toronto 416.642.7266 > Main 1.866.411.7266 > Fax 1.888.892.7266 > Email p...@scom.ca > > On 10/11/2022 12:46 PM, Jochen Bern wrote: > > > > On 11.10.22 17:46, Paul Kudla (SCOM.CA Internet Services Inc.) wrote: > >> ok according to > >> https://www.openssl.org/docs/man1.0.2/man5/x509v3_config.html > >> SAN is not a valid option along with CN > > > > ... I don't see that being said in the page you refer to? > > > > Anyhow, "stop giving a CN, use SANs instead" is a rather recent > > development coming from the CA/Browser Forum - and IIUC still not a > > *requirement*, not even for web browsers/servers. I would be surprised > > if OpenSSL (already) were trying to enforce that policy. > > > > Hmmm, what's our company's "IMAPS server" throwing at my TB again ... ? > > > >> $ openssl s_client -connect outlook.office365.com:993 -showcerts | > >> openssl x509 -noout -text > > [...] > >> Subject: C = US, ST = Washington, L = Redmond, O = Microsoft > >> Corporation, CN = outlook.com > > [...] > >> X509v3 Subject Alternative Name: > >> DNS:*.clo.footprintdns.com, DNS:*.hotmail.com, > >> DNS:*.internal.outlook.com, [...] > > > > ... yeah, no, nothing that Thunderbird (from 69-ish to 102) should get > > indigestion over. > > > >> Upoin further testing thunderbird seems to be locking onto the primary > >> domain (*.scom.ca) of the server skipp any sni setup ?? > > > > You might want to get a network trace of your Thunderbird talking to the > > server to see what cert actually is presented by the server, and > > ideally, what domain is requested by SNI (if at all). That all happens > > before the connection starts to be encrypted, so you should be able to > > read it (say, with Wireshark) without having to crack any crypto ... > > > > Kind regards,