dovecot 2.2/openssl 1.0 vs dovecot 2.3/openssl 1.1.1 ssl regression

Aki Tuomi aki.tuomi at open-xchange.com
Thu Nov 15 18:10:43 EET 2018


> On 15 November 2018 at 17:53 Hauke Fath <hf at spg.tu-darmstadt.de> wrote:
> 
> 
> On 11/13/18 19:58, Aki Tuomi wrote:
> > On 13 November 2018 at 20:53 Arkadiusz Miśkiewicz wrote:
> >> I'm considering dovecot migration from 2.2.36 run with openssl 1.0.2o to
> >> dovecot 2.3.3 run with openssl 1.1.1.
> >>
> >> Currently I have both variants running with identical configs and certs
> >> (the only differences are due to config syntax changes in dovecot 2.3),
> >> so for example on both I have:
> >>
> >> ssl_ca = </etc/openssl/certs/wildcard_ca.pem
> >> (this file contains single intermediate certificate of my CA)
> >>
> >> ssl_cert = </etc/openssl/certs/wildcard_crt.pem
> >> (this contains single certificate for my *.example.com domain)
> 
> [dovecot 2.3+ does not provide intermediate CA cert to clients any more]
> 
> >> 2.3.x announcements and upgrade wiki mention no such behaviour change,
> >> so I assume it is a regression.
> >>
> >> Now doing
> >> cat wildcard_ca.pem >> wildcard_crt.pem
> >> solves the problem and dovecot starts providing both certs to clients
> >> but if that's the proper way of solving this issue then what's the point
> >> of having ssl_ca config setting?
> >
> > Including ssl_ca with cert is not actually a good idea, but perhaps this should
> > indeed be mentioned in the upgrading page. Not a regression in any case.
> 
> Aki,
> 
> when I brought up this very issue in 
> <https://dovecot.org/list/dovecot/2018-January/110638.html> ff., you 
> told me that "ssl_ca", despite the name, was for client certificates 
> only, and that I was supposed to append the CA certificate(s) to the 
> server certificate file.
> 
> I am glad to hear you consider this a bad idea now.  ;)
> 

Eventually realized it too, and now it's been fixed. =)

Aki

> Cheerio,
> Hauke
> 
> -- 
>        The ASCII Ribbon Campaign                    Hauke Fath
>  ()    No HTML/RTF in email          Institut für Nachrichtentechnik
>  /\    No Word docs in email                        TU Darmstadt
>        Respect for open standards             Ruf +49-6151-16-21344
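The practical question in this thread is whether the file given to ssl_cert, on its own, lets a client build a chain to a trusted root, since Dovecot 2.3 no longer sends the ssl_ca contents to clients. The script below is an added example, not code from the list or from Dovecot: it uses the openssl command line to build a throw-away root, intermediate and *.example.com leaf (all names and paths constructed), writes the leaf-only wildcard_crt.pem and the concatenated file the thread arrives at, and checks each one with a hypothetical served_chain_ok function that treats the file as exactly what the server would send and the root as the only thing the client trusts.

```shell
#!/bin/sh
# Added example (not from the thread): simulate what a client holding only the
# root CA sees when Dovecot 2.3 serves the ssl_cert file and nothing else.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal openssl config so the example does not depend on the system openssl.cnf.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Root CA: the client's trust store (constructed, self-signed, short-lived).
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 2 \
  -keyout root.key -out root.pem 2>/dev/null

# Intermediate CA: the certificate the thread keeps in wildcard_ca.pem.
openssl req -config ca.cnf -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
  -keyout inter.key -out inter.csr 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 2 -extfile inter.ext -out wildcard_ca.pem 2>/dev/null

# Leaf for *.example.com: the thread's wildcard_crt.pem, leaf certificate only.
openssl req -config ca.cnf -newkey rsa:2048 -nodes -subj "/CN=*.example.com" \
  -keyout wildcard.key -out leaf.csr 2>/dev/null
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.example.com\n' > leaf.ext
openssl x509 -req -in leaf.csr -CA wildcard_ca.pem -CAkey inter.key -CAcreateserial \
  -days 2 -extfile leaf.ext -out wildcard_crt.pem 2>/dev/null

# The fix from the thread: leaf first, then the intermediate, in one file.
cat wildcard_crt.pem wildcard_ca.pem > wildcard_crt_chain.pem

# served_chain_ok BUNDLE ROOT   (hypothetical helper, not a Dovecot or openssl command)
# BUNDLE is taken to be exactly what the server sends; ROOT is the client's trust store.
# Returns 0 only if the first certificate is an end-entity certificate and it chains
# to ROOT using nothing but the other certificates present in BUNDLE.
served_chain_ok() {
  bundle=$1 root=$2
  dir=$(mktemp -d "$WORK/check.XXXXXX")
  # Split the PEM bundle into cert1.pem, cert2.pem, ... keeping the on-the-wire order.
  awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/ { n++ } n { print > (d "/cert" n ".pem") }' "$bundle"
  [ -f "$dir/cert1.pem" ] || { echo "no certificate found in $bundle" >&2; return 1; }
  # TLS requires the server certificate first; a CA certificate in that slot is a misordered file.
  if openssl x509 -in "$dir/cert1.pem" -noout -text | grep -q 'CA:TRUE'; then
    echo "first certificate in $bundle is a CA; the server certificate must come first" >&2
    return 1
  fi
  # Everything after the leaf is offered as untrusted chain material, as a TLS client would.
  if [ -f "$dir/cert2.pem" ]; then
    cat "$dir"/cert[2-9].pem > "$dir/untrusted.pem"
    openssl verify -CAfile "$root" -untrusted "$dir/untrusted.pem" "$dir/cert1.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$root" "$dir/cert1.pem" >/dev/null 2>&1
  fi
}

# Leaf-only file: a client holding just the root cannot complete the chain.
served_chain_ok "$WORK/wildcard_crt.pem" "$WORK/root.pem" \
  && echo "leaf only: chain OK" || echo "leaf only: chain incomplete"
# Concatenated file: the intermediate is now sent, so the chain verifies.
served_chain_ok "$WORK/wildcard_crt_chain.pem" "$WORK/root.pem" \
  && echo "leaf+intermediate: chain OK" || echo "leaf+intermediate: chain incomplete"
```

The order inside the concatenated file matters: the server certificate goes first, followed by the intermediate(s), which is what the thread's `cat wildcard_ca.pem >> wildcard_crt.pem` produces. Against a running server the same check is `openssl s_client -connect host:993 -showcerts`, counting the certificates returned and looking for "unable to get local issuer certificate" in the verify output.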
