dovecot 2.2/openssl 1.0 vs dovecot 2.3/openssl 1.1.1 ssl regression
Hi.
I'm considering dovecot migration from 2.2.36 run with openssl 1.0.2o to dovecot 2.3.3 run with openssl 1.1.1.
Currently I have both variants running with identical configs and certs (the only differences are due to config syntax changes in dovecot 2.3), so for example on both I have:
ssl_ca =
ssl_cert =
ssl_key = # hidden, use -P to show it (and one key)
No alt certs in use.
Chain is:
- CA trusted by clients (this certificate isn't provided by my dovecot, it's not needed)
- wildcard_ca.pem - intermediate CA
- wildcard_crt.pem - wildcard certificate for my *.example.com domain
dovecot 2.2.36 behaviour is to provide wildcard_ca.pem and wildcard_crt.pem to the client - that behaviour is OK. The client has the full trust chain.
dovecot 2.3.3 provides only the wildcard_crt.pem certificate to the client, which is a big problem because the missing wildcard_ca.pem (intermediate certificate) breaks the chain and the client is not able to verify the trust chain.
Testing is done with simple:
openssl s_client -connect my.example.com:143 -starttls imap -servername my.example.com -showcerts
2.3.x announcements and upgrade wiki mention no such behaviour change, so I assume it is a regression.
Now doing cat wildcard_ca.pem >> wildcard_crt.pem solves the problem and dovecot starts providing both certs to clients, but if that's the proper way of solving this issue then what's the point of having the ssl_ca config setting?
Ideas?
-- Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )
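The chain problem described above can be reproduced and checked offline. The script below is an added example, not part of the thread or of Dovecot: it builds a throwaway PKI shaped like the poster's (root CA -> intermediate wildcard_ca.pem -> wildcard_crt.pem), then simulates a client that trusts only the root and sees either the leaf alone (what 2.3.3 sends) or the leaf followed by the intermediate (the cat workaround). The file names, the hostname mail.example.com and the server_chain helper are constructed for the demo; server_chain is the post's own s_client test wrapped as a function and is not run here.

```shell
#!/bin/sh
# Added example (constructed PKI, not the thread's real certificates).
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_pki() {
  cd "$WORK"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >ca.ext
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.example.com\n' >leaf.ext
  # Root CA: the one the client already trusts (not served by Dovecot).
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
    -keyout root.key -out root.csr 2>/dev/null
  openssl x509 -req -days 2 -in root.csr -signkey root.key -extfile ca.ext -out root.pem 2>/dev/null
  # Intermediate signed by the root: the post's wildcard_ca.pem.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout wildcard_ca.key -out wildcard_ca.csr 2>/dev/null
  openssl x509 -req -days 2 -in wildcard_ca.csr -CA root.pem -CAkey root.key \
    -CAcreateserial -extfile ca.ext -out wildcard_ca.pem 2>/dev/null
  # Wildcard leaf signed by the intermediate: the post's wildcard_crt.pem.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=*.example.com" \
    -keyout wildcard_crt.key -out wildcard_crt.csr 2>/dev/null
  openssl x509 -req -days 2 -in wildcard_crt.csr -CA wildcard_ca.pem -CAkey wildcard_ca.key \
    -CAcreateserial -extfile leaf.ext -out wildcard_crt.pem 2>/dev/null
  # The workaround from the post: leaf first, then the intermediate, in one ssl_cert file.
  cat wildcard_crt.pem wildcard_ca.pem >bundle.pem
}

# Number of certificates in a PEM file (or in a saved "s_client -showcerts" dump).
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Simulate a client that trusts only the root. The first certificate in $1 is the
# server's leaf; everything else in $1 is offered only as untrusted chain material.
# Returns 0 when the chain verifies up to the root, non-zero when it does not.
client_verifies() {
  openssl x509 -in "$1" -out "$WORK/leaf.pem" 2>/dev/null
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$1" \
    -verify_hostname mail.example.com "$WORK/leaf.pem" >/dev/null 2>&1
}

# The same question asked of a live server, exactly as the post tests it (not run here).
server_chain() {  # $1 = host, $2 = port; prints the certificates the server presents
  openssl s_client -connect "$1:$2" -starttls imap -servername "$1" -showcerts \
    </dev/null 2>/dev/null | sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p'
}

make_pki
client_verifies "$WORK/wildcard_crt.pem" && echo "leaf only: OK" || echo "leaf only: chain broken"
client_verifies "$WORK/bundle.pem" && echo "leaf+intermediate: OK" || echo "leaf+intermediate: chain broken"
```

Pipe `server_chain my.example.com 143` into a file and feed it to `cert_count` and `client_verifies` to apply the same check to a real Dovecot before and after the upgrade.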
On 11/13/18 19:58, Aki Tuomi wrote:
On 13 November 2018 at 20:53 Arkadiusz Miśkiewicz wrote:
I'm considering dovecot migration from 2.2.36 run with openssl 1.0.2o to dovecot 2.3.3 run with openssl 1.1.1.
Currently I have both variants running with identical configs and certs (the only differences are due to config syntax changes in dovecot 2.3), so for example on both I have:
ssl_ca =
ssl_cert =
[dovecot 2.3+ does not provide intermediate CA cert to clients any more]
2.3.x announcements and upgrade wiki mention no such behaviour change, so I assume it is a regression.
Now doing cat wildcard_ca.pem >> wildcard_crt.pem solves the problem and dovecot starts providing both certs to clients, but if that's the proper way of solving this issue then what's the point of having the ssl_ca config setting?
Including ssl_ca with cert is not actually a good idea, but perhaps this should indeed be mentioned in the upgrading page. Not a regression in any case.
Aki,
when I brought up this very issue in https://dovecot.org/list/dovecot/2018-January/110638.html ff., you told me that "ssl_ca", despite the name, was for client certificates only, and that I was supposed to append the CA certificate(s) to the server certificate file.
I am glad to hear you consider this a bad idea now. ;)
Cheerio, Hauke
-- Hauke Fath, Institut für Nachrichtentechnik, TU Darmstadt, Ruf +49-6151-16-21344
The ASCII Ribbon Campaign: No HTML/RTF in email, No Word docs in email, Respect for open standards
On 15 November 2018 at 17:53 Hauke Fath hf@spg.tu-darmstadt.de wrote:
On 11/13/18 19:58, Aki Tuomi wrote:
On 13 November 2018 at 20:53 Arkadiusz Miśkiewicz wrote:
I'm considering dovecot migration from 2.2.36 run with openssl 1.0.2o to dovecot 2.3.3 run with openssl 1.1.1.
Currently I have both variants running with identical configs and certs (the only differences are due to config syntax changes in dovecot 2.3), so for example on both I have:
ssl_ca =
ssl_cert =
[dovecot 2.3+ does not provide intermediate CA cert to clients any more]
2.3.x announcements and upgrade wiki mention no such behaviour change, so I assume it is a regression.
Now doing cat wildcard_ca.pem >> wildcard_crt.pem solves the problem and dovecot starts providing both certs to clients, but if that's the proper way of solving this issue then what's the point of having the ssl_ca config setting?
Including ssl_ca with cert is not actually a good idea, but perhaps this should indeed be mentioned in the upgrading page. Not a regression in any case.
Aki,
when I brought up this very issue in https://dovecot.org/list/dovecot/2018-January/110638.html ff., you told me that "ssl_ca", despite the name, was for client certificates only, and that I was supposed to append the CA certificate(s) to the server certificate file.
I am glad to hear you consider this a bad idea now. ;)
Eventually realized it too, and now it's been fixed. =)
Aki
Cheerio, Hauke