[Dovecot] Dovecot SSL limitations

Jose Celestino japc at co.sapo.pt
Mon Nov 30 17:50:00 EET 2009


On Seg, 2009-11-30 at 16:34 +0100, Thomas Hummel wrote:
> Hello Timo,
> 
> I'd like to check if my understanding of dovecot-1.2.x's SSL certificate
> handling is correct :
> 
>     SSL does not provide the server any mechanism to choose which certificate
>     it must send relatively to the name the client is using. Thus, if you want to
>     use different certificates, you have to listen to different addresses. This is
>     an SSL limitation, not a dovecot nor IMAP limitation.
> 
>     This is the reason why it's possible to use different certificates for IMAP
>     and POP3.  But it seems to work only with those two :
> 
>     As a matter of fact, even if you listen to different addresses, how would
>     you tell dovecot to send this certificate for this address and that certificate
>     for that address, since there is no IP dependent section (as in apache IP-based
>     virtual host for instance) ? It seems the only way would be to have more than
>     one instance of dovecot (several dovecot with different config files).
> 
> The problem is that some clients may be configured with mail.my.domain, some
> others with imap.my.domain, ...etc... Hence the need to have different
> certificates with those different names as cn.
> 

The client compares the CN of the certificate with the hostname it has
configured and warns on a mismatch. What you can do is have multiple
subjects certificate, that is a certificate again with a single CN but
with multiple alt subjects that should cover all the names that server
may have. The client should support those kind of certificates, of
course.


-- Jose Celestino SAPO.pt::Systems http://www.sapo.pt
--------------------------------------------------------------------- *
Progress (n.): The process through which Usenet has evolved from smart
people in front of dumb terminals to dumb people in front of smart
terminals.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://dovecot.org/pipermail/dovecot/attachments/20091130/2199090e/attachment.bin 


More information about the dovecot mailing list