SSL error after upgrading to 2.31

Aki Tuomi aki.tuomi at dovecot.fi
Mon May 28 13:52:01 EEST 2018



On 28.05.2018 13:05, Hauke Fath wrote:
> On 05/28/18 11:08, Aki Tuomi wrote:
>>
>>
>> On 28.05.2018 12:06, Hauke Fath wrote:
>>> On 05/21/18 17:55, Aki Tuomi wrote:
>>>> ssl_ca is used only for validating client certificates.
>>>
>>> But it was used (though not documented, IIRC) for validating server
>>> certs, too. Since intermediate CA certs are usually valid a lot longer
>>> than the server certs, having to concat the certs is awkward, at best.
>>
>> As far as I know, it has never worked as a replacement for adding
>> the chain to the cert file.
>
> Well, you know your code better than I.  ;)
>
> But it has worked for us here pre-2.3 (see
> <https://www.dovecot.org/pipermail/dovecot/2018-January/110638.html>
> ff., and confirmed by
> <https://www.dovecot.org/pipermail/dovecot/2018-January/110720.html>).
>
> And from an admin POV, it makes a lot of sense to keep the
> intermediate cert chain separate from the server cert.
>
> Cheerio,
> hauke
>
I'm sure. But putting it as ssl_ca makes no sense, since it becomes
confusing what it is for.

We can try restoring this as an ssl_cert_chain setting in a future release.

Aki
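
Added example (not part of the original thread and not Dovecot project code): with ssl_ca used only for validating client certificates, the intermediates have to be in the file that ssl_cert reads, so this sketch keeps the server certificate and the intermediate chain as separate source files and regenerates the combined file from them. The function names, return codes and paths are assumptions; it checks PEM structure only, not signatures or expiry.

```sh
#!/bin/sh
# Added example. Function names and paths are assumptions, not Dovecot tooling.
# Keeps the server cert and the intermediate chain as separate source files
# and regenerates the single file that ssl_cert points at.

# Print the number of PEM certificate blocks in a file.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# build_fullchain LEAF CHAIN OUT
# Returns 0 on success; 2 unreadable input, 3 leaf is not exactly one cert,
# 4 chain holds no cert, 5 private key found, 6 write failure.
build_fullchain() {
    bf_leaf=$1 bf_chain=$2 bf_out=$3
    if [ ! -r "$bf_leaf" ] || [ ! -r "$bf_chain" ]; then
        echo "build_fullchain: cannot read input files" >&2; return 2
    fi
    # Exactly one cert in the leaf file, so the server cert is always first.
    if [ "$(count_certs "$bf_leaf")" -ne 1 ]; then
        echo "build_fullchain: $bf_leaf must hold exactly one cert" >&2; return 3
    fi
    if [ "$(count_certs "$bf_chain")" -lt 1 ]; then
        echo "build_fullchain: $bf_chain holds no certificate" >&2; return 4
    fi
    # The combined file is world-readable; the key belongs in ssl_key only.
    if grep -q -- 'PRIVATE KEY-----' "$bf_leaf" "$bf_chain"; then
        echo "build_fullchain: private key found in input, refusing" >&2; return 5
    fi
    bf_tmp=$(mktemp "$bf_out.XXXXXX") || return 6
    # awk 1 re-terminates every line, so a leaf file without a final newline
    # cannot fuse its END line with the next BEGIN line.
    if awk 1 "$bf_leaf" "$bf_chain" > "$bf_tmp" && chmod 644 "$bf_tmp" &&
       mv -f "$bf_tmp" "$bf_out"; then
        return 0
    fi
    rm -f "$bf_tmp"; return 6
}

# Usage (placeholder paths):
#   sh fullchain.sh server.pem intermediates.pem dovecot-fullchain.pem
# then in dovecot.conf:  ssl_cert = </full/path/to/dovecot-fullchain.pem
if [ "$#" -eq 3 ]; then
    build_fullchain "$1" "$2" "$3"
fi
```

Run it from the certificate renewal hook so that only the server certificate file changes at renewal time and the intermediates file is left alone.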

