ios12 clients not getting correct certificate, sni supported not? or config error?

Marc Roos M.Roos at f1-outsourcing.eu
Wed Nov 20 15:13:02 EET 2019



I am having an ios12.4.1 client whine about access problems. He is 
getting the 'default' self-signed certificate instead of the hostname 
alias. openssl s_client -servername mail.xxxxx.com -connect 
x.x.x.x:pop3s gives a 'Verify return code: 0 (ok)'

I can't imagine this sni support is not available in recent versions. 
Should I remove this default certificate in the main section of 
10-ssl.conf?


These lines I have added to 10-ssl.conf

ssl_cert = </etc/pki/tls/certs/mail-wildcard.crt
ssl_key = </etc/pki/tls/private/mail-wildcard.key

local 192.168.10.43 {
  ssl_key  = </etc/pki/tls/private/xxxxxxx.local.key
  ssl_cert = </etc/pki/tls/certs/xxxxxxx.local.crt
}
local_name mail.xxxxx.com {
  ssl_key  = </etc/pki/tls/private/mail.xxxxx.com.key
  ssl_cert = </etc/pki/tls/certs/mail.xxxxx.com.crt
}
local_name imap.xxxxxxx.net {
  ssl_key  = </etc/pki/tls/private/imap.xxxxxxx.net.key
  ssl_cert = </etc/pki/tls/certs/imap.xxxxxxx.net.crt
}


[@ conf.d]# doveconf | egrep 'ssl_cert|ssl_key'
ssl_cert = </etc/pki/tls/certs/mail-wildcard.crt
ssl_cert_username_field = commonName
ssl_key =  # hidden, use -P to show it
ssl_key_password =
  ssl_cert = </etc/pki/tls/certs/xxxxxxx.local.crt
  ssl_key =  # hidden, use -P to show it
  ssl_cert = </etc/pki/tls/certs/mail.xxxxx.com.crt
  ssl_key =  # hidden, use -P to show it
  ssl_cert = </etc/pki/tls/certs/imap.xxxxxxx.net.crt
  ssl_key =  # hidden, use -P to show it
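
Added example, not part of the original post: a shell check that compares the certificate a TLS service presents with and without the SNI extension, which is the difference the post describes between the `openssl s_client -servername` result and what the client receives. The function names and the host, port and name passed in are assumptions; `-noservername` needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example. Compares the certificate a TLS service presents when the
# client sends SNI with the one it presents when no SNI is sent.
# Requires OpenSSL 1.1.1+ (-noservername). Function names are hypothetical.

# served_cert HOST:PORT [NAME] -> PEM of the leaf certificate on stdout.
served_cert() {
  if [ -n "${2:-}" ]; then
    openssl s_client -connect "$1" -servername "$2" </dev/null 2>/dev/null
  else
    # Suppress the extension, as a client without SNI support would.
    openssl s_client -connect "$1" -noservername </dev/null 2>/dev/null
  fi | openssl x509 2>/dev/null
}

# cert_id: subject and SHA-256 fingerprint of the PEM certificate on stdin.
cert_id() {
  openssl x509 -noout -subject -fingerprint -sha256 2>/dev/null
}

# covers_name NAME: true if the PEM certificate on stdin is valid for NAME.
covers_name() {
  openssl x509 -noout -checkhost "$1" 2>/dev/null | grep -q 'does match'
}

# sni_compare HOST:PORT NAME
# Returns 0 if SNI selects a different certificate than the default,
# 1 if the same certificate is served either way, 2 if a connection failed.
sni_compare() {
  with=$(served_cert "$1" "$2" | cert_id) || return 2
  without=$(served_cert "$1" | cert_id) || return 2
  printf 'with SNI %s:\n%s\nwithout SNI:\n%s\n' "$2" "$with" "$without"
  if served_cert "$1" | covers_name "$2"; then
    echo "default certificate also covers $2"
  else
    echo "default certificate does NOT cover $2"
  fi
  [ "$with" != "$without" ]
}

# Usage (constructed host name): sh sni_check.sh mail.example.test:995 mail.example.test
if [ "$#" -ge 2 ]; then
  sni_compare "$1" "$2"
fi
```

This covers implicit-TLS ports such as pop3s and imaps; a STARTTLS port would additionally need `-starttls pop3` or `-starttls imap` on the `s_client` calls.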


