On 07/08/2019 14:28 telsch <telsch@gmx.de> wrote:
With v2.2.34 I can use:
ssl_ca = </etc/ssl/ca-bundle.pem
ssl_cert = </etc/ssl-imap.pem
After upgrading to v2.3.X it doesn't work like before.
It works if I manually cat ca-bundle.pem and ssl-imap.pem into one file and use only:
ssl_cert = </etc/ssl-imap.pem
I thought ssl_ca is where to put the intermediate cert?
(Sorry for duplicate mail, keyboard acted up...)
No, that has always been a mistake and it was fixed in 2.3. Our SSL pages in documentation & wiki have always recommended concatenating the intermediates with the cert.
Aki
On Wed, 7 Aug 2019 20:24:13 +0300 (EEST), Aki Tuomi via dovecot wrote:
I thought ssl_ca is where to put the intermediate cert?
Well, it surely worked that way until v2.3...
(Sorry for duplicate mail, keyboard acted up...)
No, that has always been a mistake and it was fixed in 2.3. Our SSL pages in documentation & wiki have always recommended concatenating the intermediates with the cert.
Aki, after the issue came up last time <http://dovecot.2317879.n4.nabble.com/dovecot-2-2-openssl-1-0-vs-dovecot-2-3-openssl-1-1-1-ssl-regression-tt65322.html#none>, you appeared to have changed your mind? What happened?
Cheerio, Hauke
--
     The ASCII Ribbon Campaign                    Hauke Fath
()     No HTML/RTF in email            Institut für Nachrichtentechnik
/\     No Word docs in email                     TU Darmstadt
     Respect for open standards              Ruf +49-6151-16-21344
On 8.8.2019 21.31, Hauke Fath via dovecot wrote:
On Wed, 7 Aug 2019 20:24:13 +0300 (EEST), Aki Tuomi via dovecot wrote:
I thought ssl_ca is where to put the intermediate cert?
Well, it surely worked that way until v2.3...
(Sorry for duplicate mail, keyboard acted up...)
No, that has always been a mistake and it was fixed in 2.3. Our SSL pages in documentation & wiki have always recommended concatenating the intermediates with the cert.
Aki, after the issue came up last time <http://dovecot.2317879.n4.nabble.com/dovecot-2-2-openssl-1-0-vs-dovecot-2-3-openssl-1-1-1-ssl-regression-tt65322.html#none>, you appeared to have changed your mind? What happened?
Cheerio, Hauke
I don't see any change of mind here.
As you can see in the quote you mentioned,
Including ssl_ca with cert is not actually a good idea, but perhaps this should indeed be mentioned in the upgrading page. Not a regression in any case.
Aki
participants (3)
- Aki Tuomi
- Hauke Fath
- telsch