Multiple certificate option SNI
Jean-Daniel Dupas
jddupas at xooloo.com
Fri Sep 13 16:43:08 EEST 2019
> On 13 Sept. 2019 at 12:10, Maciej Milaszewski IQ PL via dovecot <dovecot at dovecot.org> wrote:
>
> Hi
> I have some problem with SNI and dovecot 2.2.36.4
>
> Server debian 9.x and dovecot-2.2.36.4
>
> default server ssl cert is a wildcard like *.domain.com (digicert)
>
> ssl_ca = /var/control/cert.pem
> ssl_cert = </var/control/cert.pem
>
> I added for test another domain (in DNS too) for another ssl (letsencrypt)
>
> from https://wiki.dovecot.org/SSL/DovecotConfiguration
>
> like:
>
> local_name imap.mail.test.domain.com {
> ssl_cert = </etc/dovecot/ssl/imap.mail.test.domain.com.pem
> ssl_key = < /etc/dovecot/ssl/imap.mail.test.domain.com.key
> }
>
>
> doveconf -n:
>
> local_name imap.mail.test.domain.com {
> ssl_cert = </etc/dovecot/ssl/imap.mail.test.domain.com.pem
> ssl_key = # hidden, use -P to show it
> }
>
> Now I test like:
> openssl s_client -connect imap.mail.test.domain.com:993 -tls1_1
>
> and dovecot shows me the default server cert (digicert) but not the dedicated one
> from letsencrypt
>
> In DNS, domain imap.mail.test.domain.com does not match *.domain.com
>
> Any idea?
>
AFAIK, the -connect option of openssl is not used for SNI, but only for IP resolution.
To enable SNI, you have to explicitly pass it using the '-servername' parameter.
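A small script, added here as an example and not part of the thread, that makes the difference visible: it runs openssl s_client against the same host:port once without and once with -servername, and extracts the "subject=" line s_client prints for the leaf certificate. Host names, ports and expected common names are placeholders for the poster's setup; the parsing helpers accept both the OpenSSL 1.1.0 output style ("subject=/CN=x", as on Debian 9) and the 1.1.1+ style ("subject=CN = x"). Note that OpenSSL 1.1.1 and later send the -connect host name as SNI by default (disable with -noservername), so the "without" probe only reproduces the poster's observation on older versions.

```shell
#!/bin/sh
# Added example (not from the original thread): probe which certificate a TLS
# server presents for a given SNI name. SNI_TARGET, host names and expected CNs
# are placeholders to be replaced with the real deployment values.

# Pull the first "subject=" line out of s_client's text output and strip the prefix.
# 1.1.0 prints "subject=/CN=x", 1.1.1+ prints "subject=CN = x"; both are handled.
subject_from_s_client() {
    printf '%s\n' "$1" | sed -n 's/^subject= *//p' | head -n 1
}

# Exit 0 if the subject string names the given common name, in either OpenSSL style.
# Quoted parts of a case pattern are literal, so a wildcard CN like *.domain.com works.
subject_has_cn() {
    _subject="$1"; _cn="$2"
    case "$_subject" in
        *"CN=$_cn"*|*"CN = $_cn"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Connect to host:port (implicit TLS, e.g. 993 for imaps) and print the subject
# of the leaf certificate. $1 = host:port, $2 = SNI name to send, or empty to
# pass no -servername at all (on OpenSSL 1.1.0 that means no SNI in the ClientHello).
probe_subject() {
    _target="$1"; _sni="$2"
    if [ -n "$_sni" ]; then
        _out=$(openssl s_client -connect "$_target" -servername "$_sni" </dev/null 2>/dev/null)
    else
        _out=$(openssl s_client -connect "$_target" </dev/null 2>/dev/null)
    fi
    subject_from_s_client "$_out"
}

# Only touch the network when SNI_TARGET is set, so the file can be sourced for
# its helpers without side effects. Example (placeholder host):
#   SNI_TARGET=imap.mail.test.domain.com:993 sh check_sni.sh
if [ -n "${SNI_TARGET:-}" ]; then
    host=${SNI_TARGET%%:*}
    echo "without -servername: $(probe_subject "$SNI_TARGET" "")"
    echo "with    -servername: $(probe_subject "$SNI_TARGET" "$host")"
fi
```

If the second line shows the Let's Encrypt certificate while the first shows the wildcard, the local_name block is working and only the test command was missing SNI; if both show the wildcard, the problem is on the server side (for instance the name in local_name not matching what the client sends).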