Dovecot dsync tcps sends incomplete certificate chain
John Fawcett
john at voipsupport.it
Fri Jan 6 00:34:48 UTC 2017
On 01/05/2017 08:55 PM, Juri wrote:
> 5 Gennaio 2017 01:21, "John Fawcett" <john at voipsupport.it> wrote:
>
>> On 01/04/2017 08:40 PM, Juri wrote:
>>
>>
> Thank you.
>
> In fact I tried both settings, that is
> |ssl_client_ca_dir = /etc/ssl/certs
> |ssl_client_ca_file = /etc/letsencrypt/live/mail.dividebyzero.it/chain.pem
> but with no luck.
> Actually, I noticed that with the two settings I get a slightly different error message (it took me
> quite a bit to notice it!), that is:
> |Error: sync: Disconnected from remote: Received invalid SSL certificate: unable to get issuer
> certificate: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> |Error: sync: Disconnected from remote: Received invalid SSL certificate: unable to get *local*
> issuer certificate: /CN=mail.dividebyzero.it
> (emphasis mine).
> I suppose that in the first case - as the server is sending only the last certificate on the chain
> - the client is unable to find the intermediate, while in the second case it won't find the root
> one.
>
> I then tried, as you suggested me, to concatenate both the intermediate and the root certificate in
> a single file, and it finally worked.
> In any case the original point still stands: in the sync mode - at least on my version (2.2.13) -
> the server sends only the last cert, so the client has to have the rest of the chain, instead of
> needing to have only the root certificate.
>
> May I ask you which is the version of Dovecot bundled with CentOS, to know if this may be a bug
> fixed in a newer version?
>
> Juri
Hi Juri
if you find validation failing when you have only the root certificate
in the CA file but a chained server+intermediate in the server
certificate file, then your analysis makes sense and it seems that the
intermediate certificate is not being sent by the server. That ties in
with the different error messages between imap and replication.
It might be interesting to do a test with -showcerts parameter.
|openssl s_client -showcerts -connect hostname:|7557
|openssl s_client -showcerts -connect hostname:993 The bundled version of
Dovecot on Centos 7 is 2.2.10 but I am not using that version. I am on
2.2.26, where I don't have the problem you see and both services send
the server and intermediate certificate. I was unable to see any
specific patches to the ssl or doveadm code for this issue, though it
has undergone a few changes from 2.2.13. John |
More information about the dovecot
mailing list