[Dovecot] Dovecot SSL limitations
Hello Timo,
I'd like to check if my understanding of dovecot-1.2.x's SSL certificate handling is correct :
SSL does not provide the server any mechanism to choose which certificate
it must send relatively to the name the client is using. Thus, if you want to
use different certificates, you have to listen to different addresses. This is
an SSL limitation, not a dovecot nor IMAP limitation.
This is the reason why it's possible to use different certificates for IMAP
and POP3. But it seems to work only with those two :
As a matter of fact, even if you listen to different addresses, how would
you tell dovecot to send this certificate for this address and that certificate
for that address, since there is no IP dependent section (as in apache IP-based
virtual host for instance) ? It seems the only way would be to have more than
one instance of dovecot (several dovecot with different config files).
The problem is that some clients may be configured with mail.my.domain, some others with imap.my.domain, ...etc... Hence the need to have different certificates with those different names as cn.
-- Thomas Hummel | Institut Pasteur <hummel@pasteur.fr> | Pôle informatique - systèmes et réseau
On Seg, 2009-11-30 at 16:34 +0100, Thomas Hummel wrote:
Hello Timo,
I'd like to check if my understanding of dovecot-1.2.x's SSL certificate handling is correct :
SSL does not provide the server any mechanism to choose which certificate it must send relatively to the name the client is using. Thus, if you want to use different certificates, you have to listen to different addresses. This is an SSL limitation, not a dovecot nor IMAP limitation. This is the reason why it's possible to use different certificates for IMAP and POP3. But it seems to work only with those two : As a matter of fact, even if you listen to different addresses, how would you tell dovecot to send this certificate for this address and that certificate for that address, since there is no IP dependent section (as in apache IP-based virtual host for instance) ? It seems the only way would be to have more than one instance of dovecot (several dovecot with different config files).
The problem is that some clients may be configured with mail.my.domain, some others with imap.my.domain, ...etc... Hence the need to have different certificates with those different names as cn.
The client compares the CN of the certificate with the hostname it has configured and warns on a mismatch. What you can do is have multiple subjects certificate, that is a certificate again with a single CN but with multiple alt subjects that should cover all the names that server may have. The client should support those kind of certificates, of course.
-- Jose Celestino SAPO.pt::Systems http://www.sapo.pt --------------------------------------------------------------------- * Progress (n.): The process through which Usenet has evolved from smart people in front of dumb terminals to dumb people in front of smart terminals.
On Mon, Nov 30, 2009 at 03:50:00PM +0000, Jose Celestino wrote:
The client compares the CN of the certificate with the hostname it has configured and warns on a mismatch. What you can do is have multiple subjects certificate, that is a certificate again with a single CN but with multiple alt subjects that should cover all the names that server may have. The client should support those kind of certificates, of course.
Thanks.
You're not talking about wildcard certificate, aren't you ?
-- Thomas Hummel | Institut Pasteur <hummel@pasteur.fr> | Pôle informatique - systèmes et réseau
On Seg, 2009-11-30 at 17:03 +0100, Thomas Hummel wrote:
On Mon, Nov 30, 2009 at 03:50:00PM +0000, Jose Celestino wrote:
The client compares the CN of the certificate with the hostname it has configured and warns on a mismatch. What you can do is have multiple subjects certificate, that is a certificate again with a single CN but with multiple alt subjects that should cover all the names that server may have. The client should support those kind of certificates, of course.
Thanks.
You're not talking about wildcard certificate, aren't you ?
No, this are called SAN certificates.
-- Jose Celestino SAPO.pt::Systems http://www.sapo.pt --------------------------------------------------------------------- * Progress (n.): The process through which Usenet has evolved from smart people in front of dumb terminals to dumb people in front of smart terminals.
Thomas Hummel wrote:
Hello Timo,
I'd like to check if my understanding of dovecot-1.2.x's SSL certificate handling is correct :
SSL does not provide the server any mechanism to choose which certificate it must send relatively to the name the client is using. Thus, if you want to use different certificates, you have to listen to different addresses. This is an SSL limitation, not a dovecot nor IMAP limitation. This is the reason why it's possible to use different certificates for IMAP and POP3. But it seems to work only with those two : As a matter of fact, even if you listen to different addresses, how would you tell dovecot to send this certificate for this address and that certificate for that address, since there is no IP dependent section (as in apache IP-based virtual host for instance) ? It seems the only way would be to have more than one instance of dovecot (several dovecot with different config files).
The problem is that some clients may be configured with mail.my.domain, some others with imap.my.domain, ...etc... Hence the need to have different certificates with those different names as cn.
Possibly off-topic from what the OP wants, but couldn't TLS Server Name Indication (SNI) be used to overcome the single server certificate limitation?
AllenJB
participants (4)
-
AllenJB
-
Jose Celestino
-
Thomas Hummel
-
Timo Sirainen