On 05/28/18 11:08, Aki Tuomi wrote:
On 28.05.2018 12:06, Hauke Fath wrote:
On 05/21/18 17:55, Aki Tuomi wrote:
ssl_ca is used only for validating client certificates.
But it was used (though not documented, IIRC) for validating server certs, too. Since intermediate CA certs are usually valid a lot longer than the server certs, having to concat the certs is awkward, at best.
As far as I know, it has never been working as replacement for adding the chain to cert file.
Well, you know your code better than I. ;)
But it has worked for us here pre-2.3 (see https://www.dovecot.org/pipermail/dovecot/2018-January/110638.html ff., and confirmed by https://www.dovecot.org/pipermail/dovecot/2018-January/110720.html).
And from an admin POV, it makes a lot of sense to keep the intermediate cert chain separate from the server cert.
Cheerio, hauke
-- The ASCII Ribbon Campaign Hauke Fath () No HTML/RTF in email Institut für Nachrichtentechnik /\ No Word docs in email TU Darmstadt Respect for open standards Ruf +49-6151-16-21344