Extra intermediate certificate when using ssl_alt_cert

John Fawcett john at voipsupport.it
Sat Mar 10 15:33:31 EET 2018


On 10/03/18 14:20, John Fawcett wrote:
> On 10/03/18 14:06, Aki Tuomi wrote:
>>
>>> On 10 March 2018 at 14:49 John Fawcett <john at voipsupport.it> wrote:
>>>
>>>
>>> On 08/03/18 18:43, Peter Linss wrote:
>>>> I just added an ECDSA certificate to my mail server using
>>>> ssl_alt_cert (the RSA certificate is specified by ssl_cert), both
>>>> certificate files contain the certificate and a single intermediate
>>>> (which currently happens to be the same intermediate from Let’s
>>>> Encrypt).
>>>> When connecting to the server using either RSA or ECDSA ciphers,
>>>> the server sends the proper certificate, but also sends two
>>>> intermediates. Apparently it’s reading the intermediate from both
>>>> files and using both for all situations, rather than using only the
>>>> intermediate in the RSA file for RSA certificates, and the
>>>> intermediate in the ECDSA file for ECDSA certificates. I expect
>>>> this will be a bigger problem when Let’s Encrypt starts using ECDSA
>>>> intermediates.
>>>> Removing the intermediate from the ssl_alt_cert file solves the
>>>> problem (but then doesn’t allow an ECDSA intermediate to be
>>>> specified).
>>> I believe that supplying multiple unrelated intermediate certificates
>>> is an incorrect behaviour, though I don't know if this is a problem
>>> that can be solved in Dovecot or has to be addressed in openssl itself.
>>>
>>> Do you get any issue in certificate validation in the client?
>>>
>>> John
>>
>> You sure your cert file does not contain unrelated certificates?
>> ---
>> Aki Tuomi
>
> Aki
>
> I'll leave Peter to respond about his cert files, but in the test I
> did, the ssl_cert and ssl_alt_cert files each contained the server cert
> and the next cert in the chain. However, both intermediates were
> supplied whether using RSA or ECDSA.
>
> John
>
May need to look into using SSL_CTX_add1_chain_cert() instead of
SSL_CTX_add_extra_chain_cert().

John