On Friday 6 January 2017 01:34:48 CET, John Fawcett wrote:
On 01/05/2017 08:55 PM, Juri wrote:
5 January 2017 01:21, "John Fawcett" john@voipsupport.it wrote:
On 01/04/2017 08:40 PM, Juri wrote:
Hi Juri
if you find validation failing when you have only the root certificate in the CA file but a chained server+intermediate in the server certificate file, then your analysis makes sense and it seems that the intermediate certificate is not being sent by the server. That ties in with the different error messages between imap and replication.
It might be interesting to do a test with -showcerts parameter.
    openssl s_client -showcerts -connect hostname:7557
    openssl s_client -showcerts -connect hostname:993

The bundled version of Dovecot on CentOS 7 is 2.2.10 but I am not using that version. I am on 2.2.26, where I don't have the problem you see and both services send the server and intermediate certificate. I was unable to see any specific patches to the ssl or doveadm code for this issue, though it has undergone a few changes from 2.2.13.
John
I tried what you suggested, and the result is more or less the same as what I wrote in the first message (only the last cert sent on port 7557, and both - the last and the intermediate one - on port 993).
I tried to recompile the same version (2.2.13) on my Arch Linux home PC, and using the same settings and same certs as on the server, all the certificates are correctly being sent on both ports, so I suppose the bug lies in the Debian patches - I'll try to report to them.
In the meantime, thank you all for the help!
Juri
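
The comparison made in this thread (which certificates each port sends) can be scripted. The following is an added example, not part of the original messages or of Dovecot: it classifies the "Certificate chain" section of `openssl s_client -showcerts` output, assuming the OpenSSL 1.0.x one-line name format. The subject names and both sample outputs are constructed, and `chain_report` is a hypothetical helper name.

```shell
# Added example. Reads `openssl s_client -showcerts` output on stdin and
# classifies its "Certificate chain" section. $1 is the subject of the root
# in the client's CA file (constructed name below, compared as a string).
chain_report() {
    awk -v root="$1" '
        /^Certificate chain/       { in_chain = 1; next }
        in_chain && $0 == "---"    { in_chain = 0 }  # exact match: PEM lines begin with -----
        in_chain && /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n++] = $0; next }
        in_chain && /^ +i:/        { sub(/^ +i:/, ""); iss[n - 1] = $0; next }
        END {
            if (n == 0) { print "no-chain"; exit }
            for (k = 0; k < n - 1; k++)
                if (iss[k] != subj[k + 1]) { print "broken-link sent=" n; exit }
            last = iss[n - 1]
            if (last == subj[n - 1] || last == root) print "ok sent=" n
            else print "missing-intermediate sent=" n
        }'
}

ROOT='/C=XX/O=Example CA/CN=Example Root CA'

sample_doveadm() {  # constructed: port 7557 case, only the server certificate is sent
cat <<'EOF'
---
Certificate chain
 0 s:/CN=mail.example.org
   i:/C=XX/O=Example CA/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
(constructed sample, body omitted)
-----END CERTIFICATE-----
---
Server certificate
EOF
}

sample_imap() {  # constructed: port 993 case, server + intermediate (PEM bodies omitted)
cat <<'EOF'
---
Certificate chain
 0 s:/CN=mail.example.org
   i:/C=XX/O=Example CA/CN=Example Intermediate CA
 1 s:/C=XX/O=Example CA/CN=Example Intermediate CA
   i:/C=XX/O=Example CA/CN=Example Root CA
---
EOF
}

printf '7557: %s\n' "$(sample_doveadm | chain_report "$ROOT")"
printf '993:  %s\n' "$(sample_imap | chain_report "$ROOT")"
```

Against a live server, pipe `openssl s_client -showcerts -connect hostname:7557 </dev/null` into `chain_report` with the subject of the root from your CA file.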