dovecot 2.2/openssl 1.0 vs dovecot 2.3/openssl 1.1.1 ssl regression
Hauke Fath
hf at spg.tu-darmstadt.de
Thu Nov 15 17:53:59 EET 2018
On 11/13/18 19:58, Aki Tuomi wrote:
> On 13 November 2018 at 20:53 Arkadiusz Miśkiewicz wrote:
>> I'm considering dovecot migration from 2.2.36 run with openssl 1.0.2o to
>> dovecot 2.3.3 run with openssl 1.1.1.
>>
>> Currently I have both variants running with identical configs and certs
>> (the only differences are due to config syntax changes in dovecot 2.3),
>> so for example on both I have:
>>
>> ssl_ca = </etc/openssl/certs/wildcard_ca.pem
>> (this file contains single intermediate certificate of my CA)
>>
>> ssl_cert = </etc/openssl/certs/wildcard_crt.pem
>> (this contains single cerificate for my *.example.com domain)
[dovecot 2.3+ does not provide intermediate CA cert to clients any more]
>> 2.3.x announcements and upgrade wiki mention no such behaviour change,
>> so I assume it is a regression.
>>
>> Now doing
>> cat wildcard_ca.pem >> wildcard_crt.pem
>> solves the problem and dovecot starts providing both certs to clients
>> but if that's the proper way of solving this issue then what's the point
>> of having ssl_ca config setting?
>
> Including ssl_ca with cert is not actually a good idea, but perhaps this should
> indeed be mentioned in the upgrading page. Not a regression in any case.
Aki,
when I brought up this very issue in
<https://dovecot.org/list/dovecot/2018-January/110638.html> ff., you
told me that "ssl_ca", despite the name, was for client certificates
only, and that I was supposed to append the CA certificate(s) to the
server certificate file.
I am glad to hear you consider this a bad idea now. ;)
Cheerio,
Hauke
--
The ASCII Ribbon Campaign Hauke Fath
() No HTML/RTF in email Institut für Nachrichtentechnik
/\ No Word docs in email TU Darmstadt
Respect for open standards Ruf +49-6151-16-21344
More information about the dovecot
mailing list