STARTTLS issue with sieve

Peter peter at pajamian.dhs.org
Mon Jul 10 05:56:48 EEST 2017


On 10/07/17 04:48, Heiko Schlittermann wrote:
> Alexander Dalloz <ad+lists at uni-x.org> (So 09 Jul 2017 13:14:56 CEST):
>>> It is wrong to send the root CA along with the intermediate and server
>> certificates. The root CA cert must be in the CA trust bundle of the client.
> 
> I wouldn't say it is wrong. But it should be useless, as the client
> won't trust the root CA it received. The client should trust only its
> copy of the root CA.

I've seen clients that invalidate if you send the root along with the
rest of the chain.  I've seen ssllabs lower a server's grade because it
had a chain like this:

Root A -> Root B -> intermediate -> server cert ...

... Where both Root A and Root B are in the browser's trusted bundle,
but Root A signed Root B with an SHA1 hash and root B signed the
intermediate with an SHA256 hash, so if you returned Root B and the
intermediate as chain certs you got a lower grade because of the SHA1
sig, but if you just passed the intermediate it was fine.

In short, it may work some of the time or most of the time to pass the
root cert, but there will be edge cases where it will fail.  It's safest
to not pass the root cert.


Peter
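The checks Peter describes (a self-signed root shipped in the served chain, and a cross-signed root whose signature still uses SHA-1) can be run against your own server's chain before a scanner does it for you. The script below is an added example, not code from the thread or from Dovecot; it is stdlib-only, walks just enough DER to read subject, issuer and signature algorithm from each certificate, and ships with constructed sample certificates that carry placeholder keys and signatures (their structure is real, their signatures are never verified). `load_pem_chain` is an assumed helper for feeding it the PEM blocks that `openssl s_client -showcerts` prints.

```python
"""Audit a served TLS certificate chain for: a self-signed root in the chain,
weak (SHA-1/MD5) signatures on chain certificates, and ordering gaps.
Stdlib only. Sample certificates below are constructed and unsigned."""
import base64
import re

# --- minimal DER encoding, used only to build the constructed samples ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def seq(*parts):
    return tlv(0x30, b"".join(parts))

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def name(cn):
    # Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value UTF8String }
    return seq(tlv(0x31, seq(encode_oid("2.5.4.3"), tlv(0x0C, cn.encode()))))

def fake_cert(subject, issuer, sig_oid):
    """Constructed X.509 v3 skeleton: real layout, placeholder key and signature."""
    alg = seq(encode_oid(sig_oid), b"\x05\x00")
    tbs = seq(
        tlv(0xA0, tlv(0x02, b"\x02")),            # [0] version v3
        tlv(0x02, b"\x01"),                       # serialNumber
        alg,                                      # signature algorithm
        name(issuer),
        seq(tlv(0x18, b"20170101000000Z"), tlv(0x18, b"20270101000000Z")),  # validity
        name(subject),
        seq(seq(encode_oid("1.2.840.113549.1.1.1"), b"\x05\x00"), tlv(0x03, bytes(9))),  # SPKI placeholder
    )
    return seq(tbs, alg, tlv(0x03, bytes(17)))    # placeholder signature bits

# --- minimal DER decoding, works on real certificates as well ---
def der_read(buf, pos):
    """Return (tag, value, end) for the TLV at pos; DER only, no indefinite lengths."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    """Split a constructed value into (tag, value, raw_tlv) triples."""
    out, pos = [], 0
    while pos < len(body):
        tag, value, end = der_read(body, pos)
        out.append((tag, value, body[pos:end]))
        pos = end
    return out

def decode_oid(b):
    arcs, v = [b[0] // 40, b[0] % 40], 0
    for c in b[1:]:
        v = (v << 7) | (c & 0x7F)
        if not c & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def parse_cert(der):
    tbs, sig_alg, _sig = children(der_read(der, 0)[1])
    fields = children(tbs[1])
    i = 1 if fields[0][0] == 0xA0 else 0          # skip optional explicit version
    return {"issuer": fields[i + 2][2], "subject": fields[i + 4][2],
            "sig_alg": decode_oid(children(sig_alg[1])[0][1])}

def load_pem_chain(text):
    """Assumed helper: PEM blocks (e.g. from openssl s_client -showcerts) -> list of DER."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]

WEAK_SIG = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
            "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
            "1.2.840.10045.4.1": "ecdsa-with-SHA1"}

def audit_chain(chain):
    """chain: DER certificates as served, leaf first. Returns a list of findings."""
    certs = [parse_cert(c) for c in chain]
    findings = []
    for i, c in enumerate(certs):
        if c["subject"] == c["issuer"]:
            findings.append(f"cert {i}: self-signed root sent in chain; clients must take it from their own trust store")
        elif c["sig_alg"] in WEAK_SIG:
            findings.append(f"cert {i}: signed with {WEAK_SIG[c['sig_alg']]}; omit this cross-certificate if its issuer is already trusted")
        if i + 1 < len(certs) and c["issuer"] != certs[i + 1]["subject"]:
            findings.append(f"cert {i}: issuer does not match subject of cert {i + 1}; chain is out of order or incomplete")
    return findings

# Constructed samples mirroring the thread: Root A cross-signs Root B with SHA-1,
# Root B signs the intermediate with SHA-256.
SHA1_RSA, SHA256_RSA = "1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"
SERVER = fake_cert("mail.example.test", "Intermediate", SHA256_RSA)
INTERMEDIATE = fake_cert("Intermediate", "Root B", SHA256_RSA)
ROOT_B_CROSS = fake_cert("Root B", "Root A", SHA1_RSA)
ROOT_B_SELF = fake_cert("Root B", "Root B", SHA256_RSA)

if __name__ == "__main__":
    for label, chain in [("leaf+intermediate", [SERVER, INTERMEDIATE]),
                         ("with cross-signed Root B", [SERVER, INTERMEDIATE, ROOT_B_CROSS]),
                         ("with self-signed Root B", [SERVER, INTERMEDIATE, ROOT_B_SELF])]:
        print(label, "->", audit_chain(chain) or ["clean"])
```

The leaf-plus-intermediate chain comes back clean; adding the SHA-1 cross-signed Root B or the self-signed Root B each produces a finding, which is exactly the difference between the two configurations Peter saw graded differently.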
