11 Jan 2018
1:20 p.m.
On Thu, 11 Jan 2018 12:20:45 +0200, Aki Tuomi wrote:
> Was the certificate path bundled in the server certificate?

No, as a separate file, provided from the local (intermediate) CA:

ssl_cert = </etc/openssl/certs/server.cert
ssl_key = </etc/openssl/private/server.key
ssl_ca = </etc/openssl/certs/ca-cert-chain.pem

Worked fine with 2.2.x, 2.3 gives

% openssl s_client -connect XXX:993
CONNECTED(00000006)
depth=0 C = DE, ST = Hessen, L = Darmstadt, O = Technische Universitaet Darmstadt, OU = XXX, CN = XXX.tu-darmstadt.de
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = DE, ST = Hessen, L = Darmstadt, O = Technische Universitaet Darmstadt, OU = XXX, CN = XXX.tu-darmstadt.de
verify error:num=21:unable to verify the first certificate
verify return:1

Certificate chain
 0 s:/C=DE/ST=Hessen/L=Darmstadt/O=Technische Universitaet Darmstadt/OU=XXX/CN=XXX.tu-darmstadt.de
   i:/C=DE/ST=Hessen/L=Darmstadt/O=Technische Universitaet Darmstadt/CN=TUD CA G01/emailAddress=tud-ca@hrz.tu-darmstadt.de

Server certificate
-----BEGIN CERTIFICATE-----
[...]
%

-- 
     The ASCII Ribbon Campaign                    Hauke Fath
()     No HTML/RTF in email            Institut für Nachrichtentechnik
/\     No Word docs in email                     TU Darmstadt
     Respect for open standards              Ruf +49-6151-16-21344
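
Added example, not part of the original message: a small parser for `openssl s_client` text output that lists the verify errors and the certificates the server actually presented, and flags the case seen above (only certificate 0 sent, issuer not found). The sample transcript is constructed with placeholder names, and the function names are hypothetical.

```python
import re

# Constructed sample modelled on the transcript in the message (placeholder names).
SAMPLE = """\
CONNECTED(00000006)
depth=0 C = DE, O = Example Org, CN = imap.example.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = DE, O = Example Org, CN = imap.example.org
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=DE/O=Example Org/CN=imap.example.org
   i:/C=DE/O=Example Org/CN=Example Intermediate CA
---
Server certificate
"""

VERIFY_ERR = re.compile(r"^verify error:num=(\d+):(.*)$")
CHAIN_SUBJ = re.compile(r"^\s*(\d+) s:(.*)$")
CHAIN_ISSUER = re.compile(r"^\s+i:(.*)$")

def parse_s_client(text):
    """Return (verify_errors, chain) parsed from `openssl s_client` text output."""
    errors, chain, in_chain = [], [], False
    for line in text.splitlines():
        m = VERIFY_ERR.match(line)
        if m:
            errors.append((int(m.group(1)), m.group(2).strip()))
        elif line.strip() == "Certificate chain":
            in_chain = True
        elif in_chain and (m := CHAIN_SUBJ.match(line)):
            chain.append({"depth": int(m.group(1)), "subject": m.group(2).strip(), "issuer": None})
        elif in_chain and chain and (m := CHAIN_ISSUER.match(line)):
            chain[-1]["issuer"] = m.group(1).strip()
        elif in_chain and line.startswith("---"):
            in_chain = False  # separator line closes the chain listing
    return errors, chain

def leaf_only(errors, chain):
    """True when the server sent only its own, non-self-signed certificate
    and the client reported a missing issuer (verify errors 20 or 21)."""
    codes = {code for code, _ in errors}
    return (len(chain) == 1 and chain[0]["subject"] != chain[0]["issuer"]
            and bool(codes & {20, 21}))

if __name__ == "__main__":
    errs, sent = parse_s_client(SAMPLE)
    print("verify errors:", errs, "| certs sent:", len(sent), "| leaf only:", leaf_only(errs, sent))
```

Feed it the captured output of `openssl s_client -connect host:993` to see how many certificates the server presents before and after a configuration change.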