Dovecot send duplicated certificates when using ssl_alt_cert

Hello,

I'm running dovecot 2.3.1 (c5a5c0c82) and trying to experiment with using both RSA and ECDSA certificates.

My configuration is as follow:

ssl_alt_cert =

ssl_cert =

Both certificates are let's encrypt certificate, so both are using the same intermediate CA.

The certificate chain are: for rsa: - my certificate - Let's Encrypt Authority X3 - DST Root CA X3

for ecdsa: - my certificate - Let's Encrypt Authority X3 - DST Root CA X3

My problem is that when connecting, dovecot includes 2 copies of Let's Encrypt Authority X3 in the certificate chain.

I think this is a bug. When building the chain, dovecot should ignore duplicated certificates and when opening the connection, it should only send intermediates related to the used certificate (either RSA or ECDSA).

(and as a side note, when using dovecot -n, dovecot hides the ssl_key (ssl_key = # hidden, use -P to show it) but not the ssl_alt_key. This is probably a bug too).

openssl s_client -showcerts -host imap.example.com -port 993 -servername imap.example.com

CONNECTED(00000005) depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 verify error:num=20:unable to get local issuer certificate verify return:0

Certificate chain 0 s:/CN=imap.example.com i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 -----BEGIN CERTIFICATE----- MIIHPDCCBiSgAwIBAgISA2e3bP2o1mpdOr9kTDm/R/zuMA0GCSqGSIb3DQEBCwUA … -----END CERTIFICATE----- 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 i:/O=Digital Signature Trust Co./CN=DST Root CA X3 -----BEGIN CERTIFICATE----- MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/ MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT … -----END CERTIFICATE----- 2 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 i:/O=Digital Signature Trust Co./CN=DST Root CA X3 -----BEGIN CERTIFICATE----- MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/ MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT … -----END CERTIFICATE-----

Server certificate subject=/CN=imap.example.com issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

No client certificate CA names sent

SSL handshake has read 5140 bytes and written 468 bytes

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Server public key is 4096 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 Session-ID: 591240C021A02B399CCB010F37AF7AD83227DC1770C606F73B3EEA3514AF07FB Session-ID-ctx: Master-Key: 7D5A5BFC1B4B8EECF4F41DC084265AF6D32B82130F381B8DDF685B589D54D9BDEBFC20F1DD80E150CD56850C0D062E9E TLS session ticket lifetime hint: 300 (seconds) TLS session ticket: 0000 - 3a 72 98 05 72 af 3d ed-26 a9 e7 2b 68 6b 0a 25 :r..r.=.&..+hk.% …

Start Time: 1526482021
Timeout   : 300 (sec)
Verify return code: 0 (ok)