multiple SSL certificates story

Aki Tuomi aki.tuomi at dovecot.fi
Wed Oct 26 12:33:15 UTC 2016



On 26.10.2016 15:30, Arkadiusz Miśkiewicz wrote:
> On Wednesday 26 of October 2016, Arkadiusz Miśkiewicz wrote:
>   
>> What can be done to make it work and how?
> Don't know internals - but could dovecot do a similar job as exim? I mean keep
> big config, store things as strings just like now:
>
> local_name imap.example.com {
> ssl_cert = </etc/certs/cert1.pem
> ssl_key = </etc/certs/cert1.pem
> }
>
> but defer actual certificate loading to the moment when the client connects and we
> know its TLS SNI name?
>

It is a non-trivial change, but we'll take note and see if it could be 
implemented. OpenSSL supports this via 
SSL_CTX_set_tlsext_servername_callback(), but doing it is another thing.

Aki
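
The deferred loading discussed in this thread, as an added example (not Dovecot code and not written by either poster) using the SNI callback of Python's standard `ssl` module, `SSLContext.sni_callback`. `LazyCertStore`, `make_server_context` and the injectable `build` parameter are hypothetical names introduced here; the certificate paths are supplied by the caller.

```python
import ssl

class LazyCertStore:
    """Maps SNI names to cert/key paths; loads each pair on first use."""

    def __init__(self, entries, build=None):
        # entries: {hostname: (cert_path, key_path)}, kept as strings like the config
        self._entries = {name.lower(): paths for name, paths in entries.items()}
        self._cache = {}
        self._build = build or self._load_context  # injectable for testing

    @staticmethod
    def _load_context(cert_path, key_path):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.load_cert_chain(cert_path, key_path)  # the only place files are read
        return ctx

    def context_for(self, server_name):
        # Exact lookup in the configured table: the client-supplied name is
        # never used to build a file path.
        key = server_name.lower().rstrip(".")
        if key not in self._entries:
            return None
        if key not in self._cache:
            self._cache[key] = self._build(*self._entries[key])
        return self._cache[key]

    def sni_callback(self, sslobj, server_name, default_ctx):
        if server_name is None:       # client sent no SNI: keep the default cert
            return None
        ctx = self.context_for(server_name)
        if ctx is None:               # name not configured: fail the handshake
            return ssl.ALERT_DESCRIPTION_UNRECOGNIZED_NAME
        sslobj.context = ctx          # switch certificate for this handshake
        return None


def make_server_context(default_cert, default_key, store):
    # Only the default certificate is loaded at startup.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(default_cert, default_key)
    ctx.sni_callback = store.sni_callback
    return ctx
```

Startup cost then depends on the default certificate only, and a broken or missing per-name file surfaces at the first connection for that name rather than at startup, so it needs its own monitoring.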

