SNI Config
Paul Kudla (SCOM.CA Internet Services Inc.)
paul at scom.ca
Wed Oct 12 10:54:10 UTC 2022
OK, thanks for your input.
I finally tracked down the issue.
It was how I was loading the certificates in the first place.
That being said (and I must have missed this), 2.3.18 seems to allow
importing a cert from a program,
thus this SNI config
local_name mail.paulkudla.net {
ssl_key =/programs/common/getssl.cert -k mail.paulkudla.net -q yes
ssl_cert =/programs/common/getssl.cert -r mail.paulkudla.net -q yes
ssl_ca =/programs/common/getssl.cert -i mail.paulkudla.net -q yes
}
would work instead of file pipes from individual text files.
#local_name mail.paulkudla.net {
# ssl_key =</usr/local/etc/dovecot/pk.key
# ssl_cert =</usr/local/etc/dovecot/pk.crt
# ssl_ca =</usr/local/etc/dovecot/pk.ca
#}
2.3.19 apparently no longer supports this?
Aki, is there a way to pipe the cert from a program file (as indicated above)?
I am sure you can appreciate generating files for 1000+ SSL certs can
become a nightmare management-wise.
Either that, or a pgsql select?
I have gone back to text files in the meantime.
Happy Wednesday !!!
Thanks - paul
Paul Kudla
Scom.ca Internet Services <http://www.scom.ca>
004-1009 Byron Street South
Whitby, Ontario - Canada
L1N 4S3
Toronto 416.642.7266
Main 1.866.411.7266
Fax 1.888.892.7266
Email paul at scom.ca
On 10/11/2022 12:46 PM, Jochen Bern wrote:
>
> On 11.10.22 17:46, Paul Kudla (SCOM.CA Internet Services Inc.) wrote:
>> ok according to
>> https://www.openssl.org/docs/man1.0.2/man5/x509v3_config.html
>> SAN is not a valid option along with CN
>
> ... I don't see that being said in the page you refer to?
>
> Anyhow, "stop giving a CN, use SANs instead" is a rather recent
> development coming from the CA/Browser Forum - and IIUC still not a
> *requirement*, not even for web browsers/servers. I would be surprised
> if OpenSSL (already) were trying to enforce that policy.
>
> Hmmm, what's our company's "IMAPS server" throwing at my TB again ... ?
>
>> $ openssl s_client -connect outlook.office365.com:993 -showcerts |
>> openssl x509 -noout -text
> [...]
>> Subject: C = US, ST = Washington, L = Redmond, O = Microsoft
>> Corporation, CN = outlook.com
> [...]
>> X509v3 Subject Alternative Name:
>> DNS:*.clo.footprintdns.com, DNS:*.hotmail.com,
>> DNS:*.internal.outlook.com, [...]
>
> ... yeah, no, nothing that Thunderbird (from 69-ish to 102) should get
> indigestion over.
>
>> Upon further testing Thunderbird seems to be locking onto the primary
>> domain (*.scom.ca) of the server, skipping any SNI setup ??
>
> You might want to get a network trace of your Thunderbird talking to the
> server to see what cert actually is presented by the server, and
> ideally, what domain is requested by SNI (if at all). That all happens
> before the connection starts to be encrypted, so you should be able to
> read it (say, with Wireshark) without having to crack any crypto ...
>
> Kind regards,
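A way to check the symptom discussed in this thread (the server presenting its *.scom.ca certificate no matter which name the client sends in SNI) from the client side, added here as an example; it is not code from the thread or from Dovecot. It assumes implicit TLS on the port probed (IMAPS on 993, not STARTTLS) and a chain that verifies against the system CA store; the sample certificate dict is constructed.

```python
import socket
import ssl

# Constructed sample shaped like ssl.SSLSocket.getpeercert() output (not a real scom.ca cert):
SAMPLE_CERT = {"subject": ((("commonName", "mail.scom.ca"),),),
               "subjectAltName": (("DNS", "mail.scom.ca"), ("DNS", "*.scom.ca"))}

def cert_names(peercert):
    """Return (CN, [DNS SANs]) from a getpeercert() dict."""
    cn = None
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value
    sans = [value for kind, value in peercert.get("subjectAltName", ()) if kind == "DNS"]
    return cn, sans

def name_matches(pattern, hostname):
    """Match one certificate name: exact, or '*' standing for the whole leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    plabels, hlabels = pattern.split("."), hostname.split(".")
    # The wildcard covers exactly one label: '*.scom.ca' matches 'mail.scom.ca'
    # but neither 'scom.ca' nor 'a.b.scom.ca'.
    return len(plabels) == len(hlabels) and plabels[1:] == hlabels[1:]

def cert_covers(peercert, hostname):
    """Decide the way a mail client does: DNS SANs are authoritative, and the CN
    only counts when the certificate carries no DNS SANs at all."""
    cn, sans = cert_names(peercert)
    if sans:
        return any(name_matches(san, hostname) for san in sans)
    return cn is not None and name_matches(cn, hostname)

def probe_sni(host, port, server_name, timeout=10):
    """Open an implicit-TLS connection (IMAPS on 993, for instance), send server_name
    in the SNI extension, and report which names the certificate the server picked cover.
    The chain is still verified against the system CA store; only the hostname check is
    ours, so a wrong certificate for this SNI shows up as covers=False instead of raising."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
            cert = tls.getpeercert()
    cn, sans = cert_names(cert)
    return {"sni": server_name, "cn": cn, "sans": sans, "covers": cert_covers(cert, server_name)}
```

Calling probe_sni(server_ip, 993, name) once per local_name shows directly whether Dovecot picked the right certificate for each SNI name; a covers=False with the *.scom.ca names in sans is the behaviour Thunderbird was showing.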