On 28.05.2018 13:05, Hauke Fath wrote:
> On 05/28/18 11:08, Aki Tuomi wrote:
>> On 28.05.2018 12:06, Hauke Fath wrote:
>>> On 05/21/18 17:55, Aki Tuomi wrote:
>>>> ssl_ca is used only for validating client certificates.
>>> But it was used (though not documented, IIRC) for validating server certs, too. Since intermediate CA certs are usually valid a lot longer than the server certs, having to concat the certs is awkward, at best.
>> As far as I know, it has never been working as replacement for adding the chain to cert file.
> Well, you know your code better than I. ;)
> But it has worked for us here pre-2.3 (see https://www.dovecot.org/pipermail/dovecot/2018-January/110638.html ff., and confirmed by https://www.dovecot.org/pipermail/dovecot/2018-January/110720.html).
> And from an admin POV, it makes a lot of sense to keep the intermediate cert chain separate from the server cert.
> Cheerio, hauke
I'm sure. But putting it as ssl_ca makes no sense, since it becomes confusing what it is for.
We can try restoring this as ssl_cert_chain setting in future release.
Aki
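As an added example, not code from this thread or from Dovecot: a small Python lint that reads the ssl_cert and ssl_ca file settings from a Dovecot config snippet, counts the PEM certificate blocks each file holds, and flags the layout discussed above (only the leaf in ssl_cert, intermediates in ssl_ca), which 2.3 no longer serves as a chain. The PEM blocks, the dovecot.pem / ca.pem file names and the temp-dir paths are constructed fixtures, not real certificates.

```python
import re
import tempfile
from pathlib import Path

# One PEM certificate block; the body is counted, not parsed.
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
# Dovecot's "setting = <file" form, which reads the value from a file.
FILE_SETTING = re.compile(r"^\s*(ssl_cert|ssl_ca)\s*=\s*<(\S+)\s*$", re.M)

# Constructed placeholder block, not a real certificate.
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"


def count_certs(path):
    """Number of PEM certificate blocks in a file (0 if unreadable)."""
    try:
        return len(PEM_CERT.findall(Path(path).read_text()))
    except OSError:
        return 0


def lint_ssl_chain(conf_text):
    """Return (counts per setting, findings) for ssl_cert / ssl_ca in conf_text."""
    paths = dict(FILE_SETTING.findall(conf_text))
    counts = {name: count_certs(p) for name, p in paths.items()}
    findings = []
    cert_n = counts.get("ssl_cert", 0)
    if cert_n == 0:
        findings.append("ssl_cert: no certificate found")
    elif cert_n == 1 and counts.get("ssl_ca", 0) > 0:
        # The pre-2.3 layout: leaf alone in ssl_cert, chain parked in ssl_ca.
        findings.append("ssl_cert holds only the leaf while ssl_ca has certificates: "
                        "since 2.3 ssl_ca only validates client certs, so append the "
                        "intermediates to the ssl_cert file")
    return counts, findings


def write_fixture(directory, leaf_certs, ca_certs):
    """Write constructed cert files and return a matching Dovecot config snippet."""
    d = Path(directory)
    (d / "dovecot.pem").write_text(FAKE_CERT * leaf_certs)
    (d / "ca.pem").write_text(FAKE_CERT * ca_certs)
    return f"ssl_cert = <{d / 'dovecot.pem'}\nssl_ca = <{d / 'ca.pem'}\n"


def lint_fixture(leaf_certs, ca_certs):
    """Run the lint against a throwaway constructed fixture."""
    with tempfile.TemporaryDirectory() as tmp:
        return lint_ssl_chain(write_fixture(tmp, leaf_certs, ca_certs))


if __name__ == "__main__":
    print(lint_fixture(1, 1))  # pre-2.3 layout: flagged
    print(lint_fixture(2, 1))  # chain appended to ssl_cert: clean
```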