Dovecot 2.3.0 TLS

Olaf Hopp Olaf.Hopp at kit.edu
Mon Jan 22 17:11:14 EET 2018


On 01/11/2018 12:22 PM, Aki Tuomi wrote:
> 
> 
> On 11.01.2018 13:20, Hauke Fath wrote:
>> On Thu, 11 Jan 2018 12:20:45 +0200, Aki Tuomi wrote:
>>> Was the certificate path bundled in the server certificate?
>> No, as a separate file, provided from the local (intermediate) CA:
>>
>> ssl_cert = </etc/openssl/certs/server.cert
>> ssl_key = </etc/openssl/private/server.key
>> ssl_ca = </etc/openssl/certs/ca-cert-chain.pem
>>
>> Worked fine with 2.2.x, 2.3 gives
>>
>> % openssl s_client -connect XXX:993
>> CONNECTED(00000006)
>> depth=0 C = DE, ST = Hessen, L = Darmstadt, O = Technische Universitaet
>> Darmstadt, OU = XXX, CN = XXX.tu-darmstadt.de
>> verify error:num=20:unable to get local issuer certificate
>> verify return:1
>> depth=0 C = DE, ST = Hessen, L = Darmstadt, O = Technische Universitaet
>> Darmstadt, OU = XXX, CN = XXX.tu-darmstadt.de
>> verify error:num=21:unable to verify the first certificate
>> verify return:1
>> ---
>> Certificate chain
>>   0 s:/C=DE/ST=Hessen/L=Darmstadt/O=Technische Universitaet
>> Darmstadt/OU=XXX/CN=XXX.tu-darmstadt.de
>>     i:/C=DE/ST=Hessen/L=Darmstadt/O=Technische Universitaet
>> Darmstadt/CN=TUD CA G01/emailAddress=tud-ca at hrz.tu-darmstadt.de
>> ---
>> Server certificate
>> -----BEGIN CERTIFICATE-----
>> [...]
>> %
>>
> 
> Seems we might've made an unexpected change here when we revamped the ssl
> code. Can you try if it works if you concatenate the cert and cert-chain
> to a single file? We'll start looking if this is a misunderstanding or a bug.
> 
> Aki
> 

Hello,
let me confirm this issue.
I have a setup similar to Hauke Fath. Doing the workaround suggested by Aki

      cat /etc/openssl/certs/ca-cert-chain.pem >> /etc/openssl/certs/server.cert

and removing "ssl_ca" from the config file presents the correct CA chain.
Whereas the original config presented my own server cert three times as the chain.


Since server certs tend to change more frequently than the CA chains,
I really want to keep them in separate files.

So this is really a show stopper for me.

CU, Olaf




-- 
Karlsruher Institut für Technologie (KIT)
ATIS - Department of Technical Infrastructure, Faculty of Informatics

Dipl.-Geophys. Olaf Hopp
- Head of IT Services -

Am Fasanengarten 5, Building 50.34, Room 009
76131 Karlsruhe
Phone: +49 721 608-43973
Fax: +49 721 608-46699
E-Mail: Olaf.Hopp at kit.edu
atis.informatik.kit.edu

www.kit.edu

KIT – The Research University in the Helmholtz Association

KIT has been certified as a family-friendly university since 2010.
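As an added example (not code from this thread or from Dovecot): a POSIX shell check for a PEM bundle such as the concatenated server.cert + ca-cert-chain.pem that Aki suggested. It needs only the openssl CLI and verifies that each certificate is issued by the one that follows it and that no certificate is repeated, which catches the "my own server cert three times" chain that Olaf observed. File paths and the check_chain function name are my own choices.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check the certificate order in a
# PEM bundle before Dovecot serves it.  Requires the openssl CLI.
# Prints one line per certificate; returns 0 when every certificate is issued
# by the one after it (leaf first, then intermediates) and none is duplicated.
check_chain() {
    bundle="$1"
    tmp=$(mktemp -d) || return 1
    # One file per "BEGIN CERTIFICATE" block: 1.pem, 2.pem, ...
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (d "/" n ".pem")}' "$bundle"
    n=$(ls "$tmp"/*.pem 2>/dev/null | wc -l | tr -d ' ')
    [ "$n" -gt 0 ] || { echo "no certificates in $bundle"; rm -rf "$tmp"; return 1; }
    rc=0; seen=""; i=1
    while [ "$i" -le "$n" ]; do
        cert="$tmp/$i.pem"
        subj=$(openssl x509 -in "$cert" -noout -subject | sed 's/^subject=//')
        iss=$(openssl x509 -in "$cert" -noout -issuer | sed 's/^issuer=//')
        fp=$(openssl x509 -in "$cert" -noout -fingerprint -sha256 | sed 's/^.*=//')
        echo "$i: subject=$subj"
        echo "   issuer=$iss"
        # Duplicate certificate: the symptom of the broken chain in the thread.
        case "$seen" in *"$fp"*) echo "   ERROR: duplicate of an earlier certificate"; rc=1;; esac
        seen="$seen $fp"
        # Order: certificate i must be issued by certificate i+1.
        if [ "$i" -lt "$n" ]; then
            next=$(openssl x509 -in "$tmp/$((i+1)).pem" -noout -subject | sed 's/^subject=//')
            [ "$iss" = "$next" ] || { echo "   ERROR: issuer does not match certificate $((i+1))"; rc=1; }
        fi
        i=$((i+1))
    done
    rm -rf "$tmp"
    return $rc
}

# Usage: check_chain /etc/openssl/certs/server.cert   (after appending the chain)
if [ $# -gt 0 ]; then check_chain "$1"; fi
```

The same function also accepts the output of `openssl s_client -showcerts` saved to a file, so it can compare the chain Dovecot actually presents with the bundle on disk.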



