SNI Dovecot

Martin Johannes Dauser mdauser at cs.sbg.ac.at
Fri Aug 31 13:10:57 EEST 2018


FYI
dovecot 2.2.10 from RedHat 7 has an issue with clients which won't send
SNI. As you are using version 2.2.27 you might encounter the same
behaviour.

If the client won't send SNI, my server randomly answers with any cert
instead of the default cert. Perhaps dovecot just utilises the last
used cert? One speciality of my certs is that both share the same
Common Name (CN) but differ in Subject Alternative Names (SAN).

Once your config works, you can check by initialising several
connections (I tried 30 times) without SNI using openssl. The first
command is without SNI, the second is with SNI.

$ openssl s_client -showcerts -connect IP-address:993
$ openssl s_client -showcerts -connect IP-address:993 -servername server.domain

This is my bug report on this list:
https://dovecot.org/pipermail/dovecot/2018-July/112368.html

Best regards
Martin Johannes Dauser
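As an added example (not Martin's commands or anything else from this thread), the following POSIX shell script automates the check he describes: it repeats the openssl s_client probe with and without -servername and counts how many distinct leaf-certificate fingerprints the server presents in each mode. The argument layout (host port [servername] [tries]) and the helper names are this script's own assumptions.

```shell
#!/bin/sh
# Added example, not from the list post: repeat the s_client probe from the
# message N times with and without SNI and count the distinct leaf
# certificates the server presents. A correct server yields one per mode.

# Keep only the first (leaf) certificate block from s_client output on stdin.
extract_leaf_pem() {
    awk '/-----BEGIN CERTIFICATE-----/ { p = 1 }
         p { print }
         /-----END CERTIFICATE-----/ { exit }'
}

# Number of distinct lines on stdin (the fingerprint list).
distinct_count() {
    sort -u | grep -c . || true
}

# One handshake; prints the SHA-256 fingerprint of the leaf certificate.
# No third argument means no -servername, i.e. a ClientHello without SNI.
# On OpenSSL 1.1.1+ connect to an IP address (as in the post) or add
# -noservername, otherwise s_client sends the -connect hostname as SNI.
probe() {
    host=$1; port=$2; sni=${3:-}
    if [ -n "$sni" ]; then set -- -servername "$sni"; else set --; fi
    openssl s_client -showcerts -connect "$host:$port" "$@" </dev/null 2>/dev/null |
        extract_leaf_pem | openssl x509 -noout -fingerprint -sha256
}

# Probe N times; print "<count> <fingerprint>" for each distinct answer.
survey() {
    i=0
    while [ "$i" -lt "$4" ]; do
        probe "$1" "$2" "$3"
        i=$((i + 1))
    done | sort | uniq -c
}

main() {
    tries=${4:-30}
    echo "== without SNI ($tries tries) =="
    survey "$1" "$2" "" "$tries"
    if [ -n "${3:-}" ]; then
        echo "== with SNI $3 ($tries tries) =="
        survey "$1" "$2" "$3" "$tries"
    fi
}

# Run only when given arguments, so the helpers can also be sourced.
if [ -n "${1:-}" ]; then main "$@"; fi
```

More than one fingerprint in the "without SNI" section reproduces the behaviour Martin reports; a single fingerprint that matches the intended default cert is the expected result.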

On Wed, 2018-08-29 at 14:41 +0000, Nicolas wrote:
> Hi all,
> 
> I'm testing the SNI configuration from dovecot's wiki page, to have
> multiple domains.
> 
> I'm using letsencrypt certificates.
> In 10-ssl.conf, when I only use one domain, like this, it works:
> 
> ssl_ca = </etc/letsencrypt/live/mail.mydomain.fr/chain.pem
> ssl_cert = </etc/letsencrypt/live/mail.mydomain.fr/cert.pem
> ssl_key = </etc/letsencrypt/live/mail.mydomain.fr/privkey.pem
> 
> I got a warning of course when using my second domain, mydomain2.fr.
> 
> If I do the config :
> 
> local_name mail.mydomain.fr {
> ssl_ca = </etc/letsencrypt/live/mail.mydomain.fr/chain.pem
> ssl_cert = </etc/letsencrypt/live/mail.mydomain.fr/cert.pem
> ssl_key = </etc/letsencrypt/live/mail.mydomain.fr/privkey.pem
> }
> 
> local_name mail.mydomain2.fr {
> ssl_ca = </etc/letsencrypt/live/mail.mydomain2.fr/chain.pem
> ssl_cert = </etc/letsencrypt/live/mail.mydomain2.fr/cert.pem
> ssl_key = </etc/letsencrypt/live/mail.mydomain2.fr/privkey.pem
> }
> 
> I got this on dovecot's start :
> 
> dovecot[930]: master: Error: service(imap-login): command startup
> failed, throttling for 8 secs
> dovecot[932]: imap-login: Fatal: Couldn't parse private ssl_key:
> error:0906D06C:PEM routines:PEM_read_bio:no start line: Expecting:
> ANY PRIVATE KEY
> 
> It's working without local_name, so why can it be a certificate
> issue?
> 
> Any idea?
> 
> I'm using dovecot 2.2.27-3+deb9u2 from debian.
> 
> 
> 
> Thanks,
> Nicola 