SSL error after upgrading to 2.31

Hauke Fath hf at spg.tu-darmstadt.de
Mon May 28 13:05:30 EEST 2018


On 05/28/18 11:08, Aki Tuomi wrote:
> 
> 
> On 28.05.2018 12:06, Hauke Fath wrote:
>> On 05/21/18 17:55, Aki Tuomi wrote:
>>> ssl_ca is used only for validating client certificates.
>>
>> But it was used (though not documented, IIRC) for validating server
>> certs, too. Since intermediate CA certs are usually valid a lot longer
>> than the server certs, having to concat the certs is awkward, at best.
>
> As far as I know, it has never been working as replacement for adding
> the chain to cert file.

Well, you know your code better than I.  ;)

But it has worked for us here pre-2.3 (see 
<https://www.dovecot.org/pipermail/dovecot/2018-January/110638.html> 
ff., and confirmed by 
<https://www.dovecot.org/pipermail/dovecot/2018-January/110720.html>).

And from an admin POV, it makes a lot of sense to keep the intermediate 
cert chain separate from the server cert.

Cheerio,
hauke

-- 
      The ASCII Ribbon Campaign                    Hauke Fath
()     No HTML/RTF in email	        Institut für Nachrichtentechnik
/\     No Word docs in email                     TU Darmstadt
      Respect for open standards              Ruf +49-6151-16-21344

