Dovecot dsync tcps sends incomplete certificate chain

Juri juri+dovecot at dividebyzero.it
Fri Jan 6 18:41:21 UTC 2017


On Friday 6 January 2017 01:34:48 CET, John Fawcett wrote:
> On 01/05/2017 08:55 PM, Juri wrote:
> > 5 January 2017 01:21, "John Fawcett" <john at voipsupport.it> wrote:
> >> On 01/04/2017 08:40 PM, Juri wrote:

> Hi Juri
> 
> if you find validation failing when you have only the root certificate
> in the CA file but a chained server+intermediate in the server
> certificate file, then your analysis makes sense and it seems that the
> intermediate certificate is not being sent by the server. That ties in
> with the different error messages between imap and replication.
> 
> It might be interesting to do a test with -showcerts parameter.
> 
> openssl s_client -showcerts -connect hostname:7557
> 
> openssl s_client -showcerts -connect hostname:993
> 
> The bundled version of Dovecot on Centos 7 is 2.2.10 but I am not using
> that version. I am on 2.2.26, where I don't have the problem you see and
> both services send the server and intermediate certificate. I was unable
> to see any specific patches to the ssl or doveadm code for this issue,
> though it has undergone a few changes from 2.2.13.
> 
> John

I tried what you suggested, and the result is more or less the same as what I 
wrote in the first message (only the last cert sent on port 7557, and both - 
the last and the intermediate one - on port 993).

I tried to recompile the same version (2.2.13) on my Arch Linux home PC, and 
using the same settings and same certs as on the server, all the certificates 
are correctly being sent on both ports, so I suppose the bug lies in the 
debian patches - I'll try to report to them.

In the meantime, thank you all for the help!

Juri
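The diagnosis in this thread rests on one check: with only the root CA in the client's CA file, verification of the server certificate can succeed only if the server itself presents the intermediate. The following is an added example, not code from the thread or from Dovecot, that reproduces that check offline in Go: it mints a root, an intermediate and a leaf (all generated in-process; the hostname mail.example.test is an assumption), renders the server's response as PEM in the order `openssl s_client -showcerts` prints it, and verifies the leaf against a root-only trust store once with the leaf alone (the port 7557 behaviour reported above) and once with leaf plus intermediate (the port 993 behaviour). The first certificate in the output is taken as the server's own; anything after it is treated as an untrusted intermediate, which is the same rule an IMAP or dsync client applies.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Assumed hostname for the leaf certificate (not from the thread).
const serverName = "mail.example.test"

// certPair bundles a certificate with the key that signs for it.
type certPair struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue mints a certificate for cn. With parent == nil it is self-signed
// (the root); otherwise it is signed by the parent's key.
func issue(cn string, isCA bool, parent *certPair, serial int64) (*certPair, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn}
	}
	parentCert, signer := tmpl, key
	if parent != nil {
		parentCert, signer = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &certPair{cert: cert, key: key}, nil
}

// toPEM renders certificates in the order the server sends them, which is
// also the order `openssl s_client -showcerts` prints them.
func toPEM(certs ...*x509.Certificate) []byte {
	var out []byte
	for _, c := range certs {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
	}
	return out
}

// verifyPresented plays the client: only rootPEM is trusted (a CA file that
// holds just the root), so whatever the server presented must bridge the gap.
// It returns the number of certificates presented and the verification error,
// nil when the chain is complete.
func verifyPresented(rootPEM, presented []byte) (int, error) {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(rootPEM) {
		return 0, errors.New("no root certificate in CA file")
	}
	inters := x509.NewCertPool()
	var leaf *x509.Certificate
	n := 0
	rest := presented
	for {
		block, more := pem.Decode(rest)
		if block == nil {
			break
		}
		rest = more
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return n, err
		}
		n++
		if leaf == nil {
			leaf = c // first certificate sent is the server's own
		} else {
			inters.AddCert(c) // later ones are untrusted intermediates
		}
	}
	if leaf == nil {
		return 0, errors.New("server presented no certificate")
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: serverName})
	return n, err
}

// Outcome records what the client saw for one listener.
type Outcome struct {
	Presented int   // certificates sent by the server
	Err       error // nil when the chain verified against the root-only CA file
}

// Scenario builds root -> intermediate -> leaf and compares a listener that
// sends only the leaf with one that sends leaf plus intermediate.
func Scenario() (leafOnly, fullChain Outcome, err error) {
	root, err := issue("Example Root CA", true, nil, 1)
	if err != nil {
		return
	}
	inter, err := issue("Example Intermediate CA", true, root, 2)
	if err != nil {
		return
	}
	leaf, err := issue(serverName, false, inter, 3)
	if err != nil {
		return
	}
	rootPEM := toPEM(root.cert)
	leafOnly.Presented, leafOnly.Err = verifyPresented(rootPEM, toPEM(leaf.cert))
	fullChain.Presented, fullChain.Err = verifyPresented(rootPEM, toPEM(leaf.cert, inter.cert))
	return leafOnly, fullChain, nil
}

func main() {
	a, b, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("leaf only:         %d cert(s) presented, verify error: %v\n", a.Presented, a.Err)
	fmt.Printf("leaf+intermediate: %d cert(s) presented, verify error: %v\n", b.Presented, b.Err)
}
```

Against a live server the same split shows up as one `BEGIN CERTIFICATE` block on port 7557 versus two on port 993 in `openssl s_client -showcerts` output; the leaf-only case fails with an unknown-authority error even though the certificate itself is valid, which is why adding the intermediate to the client's CA file masks the bug rather than fixing the server's ssl_cert chain.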

