Extra intermediate certificate when using ssl_alt_cert

[John Fawcett]

On 10/03/18 14:06, Aki Tuomi wrote:
>
>> On 10 March 2018 at 14:49 John Fawcett < john at voipsupport.it
>> <mailto:john at voipsupport.it>> wrote:
>>
>>
>> On 08/03/18 18:43, Peter Linss wrote:
>>> I just added an ECDSA certificate to my mail server using
>>> ssl_alt_cert (the RSA certificate is specified by ssl_cert), both
>>> certificate files contain the certificate and a single intermediate
>>> (which currently happens to be the same intermediate from Let’s
>>> Encrypt).
>>> When connecting to the server using either RSA or ECDSA ciphers, the
>>> server sends the proper certificate, but also sends two
>>> intermediates. Apparently it’s reading the intermediate from both
>>> files and using both for all situations, rather than using only the
>>> intermediate in the RSA file for RSA certificates, and the
>>> intermediate in the ECDSA file for ECDSA certificates. I expect this
>>> will be a bigger problem when Let’s Encrypt starts using ECDSA
>>> intermediates.
>>> Removing the intermediate from the ssl_alt_cert file solves the
>>> problem (but then doesn’t allow an ECDSA intermediate to be specified).
>> I believe that supplying multiple unrelated intermediate certificates is
>> an incorrect behaviour, though I don't know if this is a problem that
>> can be solved in Dovecot or has to be addressed in openssl itself.
>>
>> Do you get any issue in certificate validation in the client?
>>
>> John
>
> You sure your cert file does not contain unrelated certificates?
> ---
> Aki Tuomi

Aki

I'll leave Peter to respond about his cert files, but in the test I did,
each the ssl_cert and ssl_alt_cert each contained the server cert and
the next cert in the chain. However, both intermediates were supplied
whether using RSA or ECDSA.

John

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://dovecot.org/pipermail/dovecot/attachments/20180310/03cd2003/attachment.html>