SNI Config
Aki Tuomi
aki.tuomi at open-xchange.com
Wed Oct 12 12:12:04 UTC 2022
Hi!
The pipe syntax has never worked, no idea why you think it would have. Unfortunately at the moment, files are your best option. I do understand the annoyance.
Aki
> On 12/10/2022 13:54 EEST Paul Kudla (SCOM.CA Internet Services Inc.) <paul at scom.ca> wrote:
>
>
> ok thanks for your input
>
> I finally tracked down the issue
>
> It was how I was loading the certificates in the first place
>
> that being said (and I must have missed this) 2.3.18 seems to allow
> importing a cert from a program
>
> thus sni config
>
> local_name mail.paulkudla.net {
> ssl_key =/programs/common/getssl.cert -k mail.paulkudla.net -q yes
> ssl_cert =/programs/common/getssl.cert -r mail.paulkudla.net -q yes
> ssl_ca =/programs/common/getssl.cert -i mail.paulkudla.net -q yes
> }
>
> would work instead of file pipes from individual text files.
>
>
> #local_name mail.paulkudla.net {
> # ssl_key =</usr/local/etc/dovecot/pk.key
> # ssl_cert =</usr/local/etc/dovecot/pk.crt
> # ssl_ca =</usr/local/etc/dovecot/pk.ca
> #}
>
> 2.3.19 apparently no longer supports this?
>
> Aki, is there a way to pipe the cert from a program file (as indicated above)?
>
> I am sure you can appreciate generating files for 1000+ SSL certs can
> become a nightmare management-wise
>
> either that or a pgsql select ?
>
> I have gone back to text files in the meantime ?
>
>
>
> Happy Wednesday !!!
> Thanks - paul
>
> Paul Kudla
>
>
> Scom.ca Internet Services <http://www.scom.ca>
> 004-1009 Byron Street South
> Whitby, Ontario - Canada
> L1N 4S3
>
> Toronto 416.642.7266
> Main 1.866.411.7266
> Fax 1.888.892.7266
> Email paul at scom.ca
>
> On 10/11/2022 12:46 PM, Jochen Bern wrote:
> >
> > On 11.10.22 17:46, Paul Kudla (SCOM.CA Internet Services Inc.) wrote:
> >> ok according to
> >> https://www.openssl.org/docs/man1.0.2/man5/x509v3_config.html
> >> SAN is not a valid option along with CN
> >
> > ... I don't see that being said in the page you refer to?
> >
> > Anyhow, "stop giving a CN, use SANs instead" is a rather recent
> > development coming from the CA/Browser Forum - and IIUC still not a
> > *requirement*, not even for web browsers/servers. I would be surprised
> > if OpenSSL (already) were trying to enforce that policy.
> >
> > Hmmm, what's our company's "IMAPS server" throwing at my TB again ... ?
> >
> >> $ openssl s_client -connect outlook.office365.com:993 -showcerts |
> >> openssl x509 -noout -text
> > [...]
> >> Subject: C = US, ST = Washington, L = Redmond, O = Microsoft
> >> Corporation, CN = outlook.com
> > [...]
> >> X509v3 Subject Alternative Name:
> >> DNS:*.clo.footprintdns.com, DNS:*.hotmail.com,
> >> DNS:*.internal.outlook.com, [...]
> >
> > ... yeah, no, nothing that Thunderbird (from 69-ish to 102) should get
> > indigestion over.
> >
> >> Upon further testing Thunderbird seems to be locking onto the primary
> >> domain (*.scom.ca) of the server, skipping any SNI setup ??
> >
> > You might want to get a network trace of your Thunderbird talking to the
> > server to see what cert actually is presented by the server, and
> > ideally, what domain is requested by SNI (if at all). That all happens
> > before the connection starts to be encrypted, so you should be able to
> > read it (say, with Wireshark) without having to crack any crypto ...
> >
> > Kind regards,
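Two things in this thread lend themselves to a small tool: Aki's point that only the file-read form of a setting (`ssl_key =<path`) works, so a command line in the value can never produce a certificate, and Jochen's suggestion to look at which certificate the server actually presents for a given SNI name. The script below is an added example written for this page, not Dovecot code and not anything the posters ran. It parses `local_name` blocks from a constructed config (the two styles quoted above, with a made-up second hostname), flags values that are not `<file` reads or whose file is absent, and, as a separate optional step, opens a TLS connection with a chosen SNI name to report the subject CN and SAN DNS names of the certificate presented. The probe relies on the system trust store, so for a certificate that does not verify it only reports the verification error; that is a deliberate limitation of using the standard library instead of a packet capture.

```python
"""Check Dovecot SNI (local_name) blocks and optionally probe what a server
presents per SNI name.  Added example for this thread; assumes the constructed
SAMPLE_CONFIG below and a host/port you operate for the probe."""
import os
import re
import socket
import ssl

# Constructed sample: first block uses the program-call style from the thread
# (never supported), second block uses the file-read "<path" style that works.
# The second hostname is invented for the example.
SAMPLE_CONFIG = """
local_name mail.paulkudla.net {
  ssl_key =/programs/common/getssl.cert -k mail.paulkudla.net -q yes
  ssl_cert =/programs/common/getssl.cert -r mail.paulkudla.net -q yes
  ssl_ca =/programs/common/getssl.cert -i mail.paulkudla.net -q yes
}

#local_name commented.example.test {
# ssl_key =</nonexistent/commented.key
#}

local_name imap.example.test {
  ssl_key =</usr/local/etc/dovecot/pk.key
  ssl_cert =</usr/local/etc/dovecot/pk.crt
  ssl_ca =</usr/local/etc/dovecot/pk.ca
}
"""

BLOCK_RE = re.compile(r"local_name\s+(\S+)\s*\{(.*?)\}", re.S)
SETTING_RE = re.compile(r"^\s*(ssl_\w+)\s*=\s*(.*?)\s*$", re.M)


def parse_local_names(config_text):
    """Return {local_name: {setting: raw_value}} for every uncommented block."""
    active = "\n".join(
        line for line in config_text.splitlines() if not line.lstrip().startswith("#")
    )
    return {name: dict(SETTING_RE.findall(body)) for name, body in BLOCK_RE.findall(active)}


def check_block(settings, isfile=os.path.isfile):
    """Classify each ssl_* value as ok / missing-file / not-a-file-read.

    Only a value starting with "<" makes Dovecot read the file at that path;
    anything else is taken as the literal setting value, which is why a
    command line such as "/prog -k name" cannot yield a certificate.
    `isfile` is injectable so the check can run without the real files."""
    result = {}
    for key, value in settings.items():
        if value.startswith("<"):
            path = value[1:].strip()
            result[key] = ("ok" if isfile(path) else "missing-file", path)
        else:
            result[key] = ("not-a-file-read", value)
    return result


def presented_cert(host, port, sni_name, timeout=5.0):
    """Connect with TLS SNI = sni_name (implicit TLS, e.g. IMAPS on 993) and
    return (subject CN, [SAN DNS names]) of the certificate the server sent.
    If the certificate does not verify for sni_name under the system trust
    store, returns ("verify-failed", [reason]) instead."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni_name) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return ("verify-failed", [exc.verify_message])
    cn = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return (cn[0] if cn else "", sans)


if __name__ == "__main__":
    for name, settings in parse_local_names(SAMPLE_CONFIG).items():
        print(name)
        for key, (status, detail) in check_block(settings).items():
            print(f"  {key}: {status} ({detail})")
    # Probe example against your own server, e.g.:
    # print(presented_cert("imap.example.test", 993, "imap.example.test"))
```

Run it as-is to lint the sample config; point `parse_local_names` at the text of your own `local_name` blocks to lint a real one. For the probe, compare the result for each configured `local_name` against the result for the server's primary name: if every SNI name yields the primary certificate, the server is not selecting per name and the config, not the client, is the place to look.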