SNI Config

Paul Kudla (SCOM.CA Internet Services Inc.) paul at scom.ca
Wed Oct 12 12:13:45 UTC 2022


much appreciated for the response

maybe a feature down the road??





Happy Wednesday !!!
Thanks - paul

Paul Kudla


Scom.ca Internet Services <http://www.scom.ca>
004-1009 Byron Street South
Whitby, Ontario - Canada
L1N 4S3

Toronto 416.642.7266
Main 1.866.411.7266
Fax 1.888.892.7266
Email paul at scom.ca

On 10/12/2022 8:12 AM, Aki Tuomi wrote:
> 
> Hi!
> 
> The pipe syntax has never worked, no idea why you think it would have. Unfortunately at the moment, files are your best option. I do understand the annoyance.
> 
> Aki
> 
>> On 12/10/2022 13:54 EEST Paul Kudla (SCOM.CA Internet Services Inc.) <paul at scom.ca> wrote:
>>
>>   
>> ok thanks for your input
>>
>> I finally tracked down the issue
>>
>> It was how i was loading the certificates in the first place
>>
>> that being said (and i must have missed this) 2.3.18 seems to allow
>> importing a cert from a program
>>
>> thus sni config
>>
>> local_name mail.paulkudla.net {
>>     ssl_key =/programs/common/getssl.cert -k mail.paulkudla.net -q yes
>>     ssl_cert =/programs/common/getssl.cert -r mail.paulkudla.net -q yes
>>     ssl_ca =/programs/common/getssl.cert -i mail.paulkudla.net -q yes
>> }
>>
>> would work instead of file pipes from individual text files.
>>
>>
>> #local_name mail.paulkudla.net {
>> #  ssl_key =</usr/local/etc/dovecot/pk.key
>> #  ssl_cert =</usr/local/etc/dovecot/pk.crt
>> #  ssl_ca =</usr/local/etc/dovecot/pk.ca
>> #}
>>
>> 2.3.19 apparently no longer supports this?
>>
>> aki is there a way to pipe the cert from a program file (as indicated above)
>>
>> I am sure you can appreciate generating files for 1000+ ssl certs can
>> become a nightmare management wise
>>
>> either that or a pgsql select ?
>>
>> I have gone back to text files in the mean time ?
>>
>>
>>
>> Happy Wednesday !!!
>> Thanks - paul
>>
>> Paul Kudla
>>
>>
>> Scom.ca Internet Services <http://www.scom.ca>
>> 004-1009 Byron Street South
>> Whitby, Ontario - Canada
>> L1N 4S3
>>
>> Toronto 416.642.7266
>> Main 1.866.411.7266
>> Fax 1.888.892.7266
>> Email paul at scom.ca
>>
>> On 10/11/2022 12:46 PM, Jochen Bern wrote:
>>>
>>> On 11.10.22 17:46, Paul Kudla (SCOM.CA Internet Services Inc.) wrote:
>>>> ok according to
>>>> https://www.openssl.org/docs/man1.0.2/man5/x509v3_config.html
>>>> SAN is not a valid option along with CN
>>>
>>> ... I don't see that being said in the page you refer to?
>>>
>>> Anyhow, "stop giving a CN, use SANs instead" is a rather recent
>>> development coming from the CA/Browser Forum - and IIUC still not a
>>> *requirement*, not even for web browsers/servers. I would be surprised
>>> if OpenSSL (already) were trying to enforce that policy.
>>>
>>> Hmmm, what's our company's "IMAPS server" throwing at my TB again ... ?
>>>
>>>> $ openssl s_client -connect outlook.office365.com:993 -showcerts |
>>>> openssl x509 -noout -text
>>> [...]
>>>>          Subject: C = US, ST = Washington, L = Redmond, O = Microsoft
>>>> Corporation, CN = outlook.com
>>> [...]
>>>>              X509v3 Subject Alternative Name:
>>>> DNS:*.clo.footprintdns.com, DNS:*.hotmail.com,
>>>> DNS:*.internal.outlook.com, [...]
>>>
>>> ... yeah, no, nothing that Thunderbird (from 69-ish to 102) should get
>>> indigestion over.
>>>
>>>> Upoin further testing thunderbird seems to be locking onto the primary
>>>> domain (*.scom.ca) of the server skipp any sni setup ??
>>>
>>> You might want to get a network trace of your Thunderbird talking to the
>>> server to see what cert actually is presented by the server, and
>>> ideally, what domain is requested by SNI (if at all). That all happens
>>> before the connection starts to be encrypted, so you should be able to
>>> read it (say, with Wireshark) without having to crack any crypto ...
>>>
>>> Kind regards,
> 


More information about the dovecot mailing list