<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"></head><body><div>Well. At least I know now the cn overlaps. That should not be a problem but is at least something to pursue. </div><div><br></div><div><br></div><div><br></div><div id="composer_signature"><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">---<div>Aki Tuomi</div><div>Dovecot oy</div></div><div><br></div><div style="font-size:100%;color:#000000"><!-- originalMessage --><div>-------- Original message --------</div><div>From: Martin Johannes Dauser <mdauser@cs.sbg.ac.at> </div><div>Date: 24/07/2018 18:03 (GMT+02:00) </div><div>To: dovecot@dovecot.org </div><div>Subject: Re: dovecot sometimes sends non-default SSL cert if IMAP client
won't send SNI </div><div><br></div></div>Sure, and thanks for trying to help!<br><br>These are the two correct answers when SNI is included. The<br>certificates are fully chained. Both certificates carry the same<br>subject mail.cs.sbg.ac.at but differ in Subject Alternative Name (SAN).<br><br>X509v3 Subject Alternative Name: <br> DNS:mail.cs.sbg.ac.at, DNS:smtp.cs.sbg.ac.at, DNS:imap.cs.sbg.ac.at,<br>DNS:pop.cs.sbg.ac.at<br><br>X509v3 Subject Alternative Name: <br> DNS:mail.cs.sbg.ac.at, DNS:mail.cosy.sbg.ac.at,<br>DNS:smtp.cosy.sbg.ac.at, DNS:imap.cosy.sbg.ac.at,<br>DNS:pop.cosy.sbg.ac.at<br><br>I thought of attaching a file with 13 outputs of command<br>$ openssl s_client -showcerts -connect 141.201.4.5:993<br>but this would certainly exceed the limit of 40kb. Anyway, except for<br>the SSL handshake the outputs exactly meet the two examples a few lines<br>below.<br><br>Statistics: Only connections 10,11,13 showed the default certificate.<br>So running only a few connections might end up with 100% false certs --<br>or the other way round. <br><br>OpenSSL itself is always happy, as both certificates fit to the<br>(r)DNS records of mail.cs.sbg.ac.at/141.201.4.5.<br><br>Would it help you to run dovecot in debug mode?<br><br><br>###################################################################<br>$ openssl s_client -showcerts -connect 141.201.4.5:993 -servername<br>imap.cs.sbg.ac.at<br><br><br>CONNECTED(00000003)<br>---<br>Certificate chain<br> 0 s:/C=AT/ST=Salzburg/L=Salzburg/O=University of<br>Salzburg/OU=Department of Computer Science/CN=mail.cs.sbg.ac.at<br> i:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 3<br>-----BEGIN CERTIFICATE-----<br>MIIGjDCCBXSgAwIBAgIQApnSP3xZbyr6dGTMvuxaSDANBgkqhkiG9w0BAQ0FADBk<br>MQswCQYDVQQGEwJOTDEWMBQGA1UECBMNTm9vcmQtSG9sbGFuZDESMBAGA1UEBxMJ<br>QW1zdGVyZGFtMQ8wDQYDVQQKEwZURVJFTkExGDAWBgNVBAMTD1RFUkVOQSBTU0wg<br>Q0EgMzAeFw0xNzAxMjQwMDAwMDBaFw0yMDAxMjgxMjAwMDBaMIGZMQswCQYDVQQG<br>EwJBVDERMA8GA1UECBMIU2FsemJ1cmcxETAPBgNVBAcTCFNhbHpidXJnMR8wHQYD<br>VQQKExZVbml2ZXJzaXR5IG9mIFNhbHpidXJnMScwJQYDVQQLEx5EZXBhcnRtZW50<br>IG9mIENvbXB1dGVyIFNjaWVuY2UxGjAYBgNVBAMTEW1haWwuY3Muc2JnLmFjLmF0<br>MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAus33Jb+HE64oJvBEwpeh<br>7cwyMAknhE5k/49eUG7/E0j2ffEo1APzxYooZ1hlHcf7meH7h1KYD3lSXw5RX0Mi<br>KtuUHSUIqYE1U3+pyussB11r18ucHk8MoFQqPnJDeuSPaHozmdQtJJHRVDabddHz<br>5l4RVEUduUjzl7vnfFrBhbHV/LpYcLMsNgdlg5I0TXU99Y8paMeF32cWiR2dCeyN<br>t2AajjMpHYRDaJ9DGed8nWOeqK0YRQuaEGF68VBVdygDcOQ0eBflwYEjJChJHhN4<br>UsQSmwoXYj5ZRvyhcAxxPDYveNhM4oVox67Nvw1AgHz/spaWgJVMKrTU4hFDYcnO<br>0F6KkumLke0t4IvoLEU7ScAm6d3ttQ5ZBbSIX811kWHC/ddu12AhRiq3y5fN2o3n<br>6pbRrqljyg4Mu0Tj9UEuwC8bJnCJreo32HQwo82vD1xU8jPUci4UoD21PfkjFssm<br>qbtwwWs1KAIvX52U79u6CC7hvsPNtCiMK0K6/9jg8OyKMraBWvIUV6YxgnuJZ4Mi<br>so/OD6uqdpqCYuq5LLZVAVcBu/vGTzfcckkz71nN2eZSO870rnxyHeTWmepQv4nc<br>gxN49JeReO4zZMio6eC5N9D+SYc5Ae5mS8qyHe/gur6VmbmbWk/vRt/m75lcGLgR<br>A4FRqRvu+GIWNh0uCP9SlkUCAwEAAaOCAgIwggH+MB8GA1UdIwQYMBaAFGf9iCAU<br>J5jHCdIlGbvpURFjdVBiMB0GA1UdDgQWBBR6nRddyu+D1h42fba+bgkBi6OipzBU<br>BgNVHREETTBLghFtYWlsLmNzLnNiZy5hYy5hdIIRc210cC5jcy5zYmcuYWMuYXSC<br>EWltYXAuY3Muc2JnLmFjLmF0ghBwb3AuY3Muc2JnLmFjLmF0MA4GA1UdDwEB/wQE<br>AwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwawYDVR0fBGQwYjAv<br>oC2gK4YpaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL1RFUkVOQVNTTENBMy5jcmww<br>L6AtoCuGKWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9URVJFTkFTU0xDQTMuY3Js<br>MEwGA1UdIARFMEMwNwYJYIZIAYb9bAEBMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8v<br>d3d3LmRpZ2ljZXJ0LmNvbS9DUFMwCAYGZ4EMAQICMG4GCCsGAQUFBwEBBGIwYDAk<br>BggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tMDgGCCsGAQUFBzAC<br>hixodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vVEVSRU5BU1NMQ0EzLmNydDAM<br>BgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBDQUAA4IBAQA6Xbkobv3hQAr532wf0NsZ<br>kYErQebiMLCrKDAhtLc7Z/bO/srUgOs0x9uoIU5ErjLnPcWrPK0eFQevjZ+6CUry<br>NgAcf6f1z9g1IejuapXb6F41YAteJzo+QkvAtQFkOaq9AADXNo6iIOIDyE1M8hWW<br>W0gcwx6h4+UUSLac0LN/i+Q2LcHa6fg/kH59Yt2oIzkJrVRSHn11R8iUHiLgW3X2<br>XL9BgCZHqI8t3OaJpXLHmvA0pKDIvjFK9+CDcXZWQbZyLlMzGxVyrZfK+rBjL05h<br>QQ3CTy9JJ3/1//AD1mSgog3qSejMQ7ZK01ZZv4lDoEU8ADGFA6VKlV/CiaYz5Ztk<br>-----END CERTIFICATE-----<br> 1 s:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 3<br> i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID<br>Root CA<br>-----BEGIN CERTIFICATE-----<br><br>MIIE+zCCA+OgAwIBAgIQCHC8xa8/25Wakctq7u/kZTANBgkqhkiG9w0BAQsFADBl<br>MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3<br>d3cuZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJv<br>b3QgQ0EwHhcNMTQxMTE4MTIwMDAwWhcNMjQxMTE4MTIwMDAwWjBkMQswCQYDVQQG<br>EwJOTDEWMBQGA1UECBMNTm9vcmQtSG9sbGFuZDESMBAGA1UEBxMJQW1zdGVyZGFt<br>MQ8wDQYDVQQKEwZURVJFTkExGDAWBgNVBAMTD1RFUkVOQSBTU0wgQ0EgMzCCASIw<br>DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMV2Dw/ZQyk7bG3RR63eEL8jwnio<br>Snc18SNb4EweQefCMQC9iDdFdd25AhCAHo/tZCMERaegOTuBTc9jP8JJ/yKeiLDS<br>lrlcinQfkioq8hLIt2hUtVhBgUBoBhpPhSn7tU08D08/QJYbzqjMXjX/ZJj1dd10<br>VAWgNhEEEiRVY++Udy538RV27tOkWUUhn6i+0SftCuirOMo/h9Ha8Y+5Cx9E5+Ct<br>85XCFk3shKM6ktTPxn3mvcsaQE+zVLHzj28NHuO+SaNW5Ae8jafOHbBbV1bRxBz8<br>mGXRzUYvkZS/RYVJ+G1ShxwCVgEnFqtyLvRx5GG1IKD6JmlqCvGrn223zyUCAwEA<br>AaOCAaYwggGiMBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMHkG<br>CCsGAQUFBwEBBG0wazAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQu<br>Y29tMEMGCCsGAQUFBzAChjdodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGln<br>aUNlcnRBc3N1cmVkSURSb290Q0EuY3J0MIGBBgNVHR8EejB4MDqgOKA2hjRodHRw<br>Oi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRBc3N1cmVkSURSb290Q0EuY3Js<br>MDqgOKA2hjRodHRwOi8vY3JsNC5kaWdpY2VydC5jb20vRGlnaUNlcnRBc3N1cmVk<br>SURSb290Q0EuY3JsMD0GA1UdIAQ2MDQwMgYEVR0gADAqMCgGCCsGAQUFBwIBFhxo<br>dHRwczovL3d3dy5kaWdpY2VydC5jb20vQ1BTMB0GA1UdDgQWBBRn/YggFCeYxwnS<br>JRm76VERY3VQYjAfBgNVHSMEGDAWgBRF66Kv9JLLgjEtUYunpyGd823IDzANBgkq<br>hkiG9w0BAQsFAAOCAQEAqSg1esR71tonHqyYzyc2TxEydHTmQN0dzfJodzWvs4xd<br>xgS/FfQjZ4u5b5cE60adws3J0aSugS7JurHogNAcyTnBVnZZbJx946nw09E02DxJ<br>WYsamM6/xvLYMDX/6W9doK867mZTrqqMaci+mqege9iCSzMTyAfzd9fzZM2eY/lC<br>J1OuEDOJcjcV8b73HjWizsMt8tey5gvHacDlH198aZt+ziYaM0TDuncFO7pdP0GJ<br>+hY77gRuW6xWS++McPJKe1e9GW6LNgdUJi2GCZQfXzer8CM/jyxflp5HcahE3qm5<br>hS+1NGClXwmgmkMd1L8tRNaN2v11y18WoA5hwnA9Ng==<br>-----END CERTIFICATE-----<br> 2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID<br>Root CA<br> i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID<br>Root CA<br>-----BEGIN CERTIFICATE-----<br>MIIDtzCCAp+gAwIBAgIQDOfg5RfYRv6P5WD8G/AwOTANBgkqhkiG9w0BAQUFADBl<br>MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3<br>d3cuZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJv<br>b3QgQ0EwHhcNMDYxMTEwMDAwMDAwWhcNMzExMTEwMDAwMDAwWjBlMQswCQYDVQQG<br>EwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNl<br>cnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJvb3QgQ0EwggEi<br>MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtDhXO5EOAXLGH87dg+XESpa7c<br>JpSIqvTO9SA5KFhgDPiA2qkVlTJhPLWxKISKityfCgyDF3qPkKyK53lTXDGEKvYP<br>mDI2dsze3Tyoou9q+yHyUmHfnyDXH+Kx2f4YZNISW1/5WBg1vEfNoTb5a3/UsDg+<br>wRvDjDPZ2C8Y/igPs6eD1sNuRMBhNZYW/lmci3Zt1/GiSw0r/wty2p5g0I6QNcZ4<br>VYcgoc/lbQrISXwxmDNsIumH0DJaoroTghHtORedmTpyoeb6pNnVFzF1roV9Iq4/<br>AUaG9ih5yLHa5FcXxH4cDrC0kqZWs72yl+2qp/C3xag/lRbQ/6GW6whfGHdPAgMB<br>AAGjYzBhMA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW<br>BBRF66Kv9JLLgjEtUYunpyGd823IDzAfBgNVHSMEGDAWgBRF66Kv9JLLgjEtUYun<br>pyGd823IDzANBgkqhkiG9w0BAQUFAAOCAQEAog683+Lt8ONyc3pklL/3cmbYMuRC<br>dWKuh+vy1dneVrOfzM4UKLkNl2BcEkxY5NM9g0lFWJc1aRqoR+pWxnmrEthngYTf<br>fwk8lOa4JiwgvT2zKIn3X/8i4peEH+ll74fg38FnSbNd67IJKusm7Xi+fT8r87cm<br>NW1fiQG2SVufAQWbqz0lwcy2f8Lxb4bG+mRo64EtlOtCt/qMHt1i8b5QZ7dsvfPx<br>H2sMNgcWfzd8qVttevESRmCD1ycEvkvOl77DZypoEd+A5wwzZr8TDRRu838fYxAe<br>+o0bJW1sj6W3YQGx0qMmoRBxna3iw/nDmVG3KwcIzi7mULKn+gpFL6Lw8g==<br>-----END CERTIFICATE-----<br>---<br>Server certificate<br>subject=/C=AT/ST=Salzburg/L=Salzburg/O=University of<br>Salzburg/OU=Department of Computer Science/CN=mail.cs.sbg.ac.at<br>issuer=/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 3<br>---<br>No client certificate CA names sent<br>Peer signing digest: SHA512<br>Server Temp Key: ECDH, P-384, 384 bits<br>---<br>SSL handshake has read 4882 bytes and written 360 bytes<br>Verification: OK<br>---<br>New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384<br>Server public key is 4096 bit<br>Secure Renegotiation IS supported<br>Compression: NONE<br>Expansion: NONE<br>No ALPN negotiated<br>SSL-Session:<br> Protocol : TLSv1.2<br> Cipher : ECDHE-RSA-AES256-GCM-SHA384<br> Session-ID:<br>E75B0B35DFEFC9F6CABD8851BAA4B2A2E2AE309E3A203333C7CD9CCC4AE0C9A6<br> Session-ID-ctx: <br> Master-Key:<br>2D90C5223EB2265793E990153B3877E07B8FF1DCED85EB3A8FC853E3CE4E1C9A5BFF1FA<br>7123D7FB1CAC517A42DED5E70<br> PSK identity: None<br> PSK identity hint: None<br> SRP username: None<br> TLS session ticket lifetime hint: 300 (seconds)<br> TLS session ticket:<br> 0000 - 74 4a 71 29 b0 9a 0b 9a-36 5d a4 5d 3c 03 25<br>5e tJq)....6].]<.%^<br> 0010 - d2 4c 0b 9d ef b8 ef 04-44 d1 d1 8e d2 60 2d<br>5f .L......D....`-_<br> 0020 - 81 67 f6 62 e4 7d 4a 15-17 fa 03 a1 3b 81 70<br>43 .g.b.}J.....;.pC<br> 0030 - b2 0a 40 ce 7e c1 a7 de-7a 3e ba 01 9f 4b da<br>cd ..@.~...z>...K..<br> 0040 - 6c 22 a2 63 5d b6 22 5c-fd 75 6b 25 f0 9c 04<br>a8 l".c]."\.uk%....<br> 0050 - 36 cb df b0 56 e9 3c 35-a3 0c d1 76 e3 4c c5<br>62 6...V.<5...v.L.b<br> 0060 - 9f 79 0b 0d fe 88 25 97-d5 d5 3d 93 ac 52 52<br>eb .y....%...=..RR.<br> 0070 - d6 9f ba b4 b3 a1 ba 91-37 e9 ad 83 92 39 ec<br>f9 ........7....9..<br> 0080 - 1b 0c 15 3b 07 e5 11 36-b1 8f de d0 b2 69 13<br>5e ...;...6.....i.^<br> 0090 - 98 77 46 d0 11 27 72 25-d1 ab 43 a4 14 7f 02<br>6c .wF..'r%..C....l<br> 00a0 - cd a5 56 6a 13 12 3f ff-ad 0f 59 4b 7a 72 d5<br>0b ..Vj..?...YKzr..<br><br> Start Time: 1532434946<br> Timeout : 7200 (sec)<br> Verify return code: 0 (ok)<br> Extended master secret: no<br>---<br>* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE<br>IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.<br><br><br><br>###################################################################<br>$ openssl s_client -showcerts -connect 141.201.4.5:993 -servername<br>imap.cosy.sbg.ac.at<br><br>CONNECTED(00000003)<br>---<br>Certificate chain<br> 0 s:/C=AT/L=Salzburg/O=University of Salzburg/OU=Department of<br>Computer Science/CN=mail.cs.sbg.ac.at<br> i:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 3<br>-----BEGIN CERTIFICATE-----<br>MIIIATCCBumgAwIBAgIQAmDFTQk2675Y0/0vo5hcIDANBgkqhkiG9w0BAQsFADBk<br>MQswCQYDVQQGEwJOTDEWMBQGA1UECBMNTm9vcmQtSG9sbGFuZDESMBAGA1UEBxMJ<br>QW1zdGVyZGFtMQ8wDQYDVQQKEwZURVJFTkExGDAWBgNVBAMTD1RFUkVOQSBTU0wg<br>Q0EgMzAeFw0xODA3MTgwMDAwMDBaFw0yMDA3MjIxMjAwMDBaMIGGMQswCQYDVQQG<br>EwJBVDERMA8GA1UEBxMIU2FsemJ1cmcxHzAdBgNVBAoTFlVuaXZlcnNpdHkgb2Yg<br>U2FsemJ1cmcxJzAlBgNVBAsTHkRlcGFydG1lbnQgb2YgQ29tcHV0ZXIgU2NpZW5j<br>ZTEaMBgGA1UEAxMRbWFpbC5jcy5zYmcuYWMuYXQwggIiMA0GCSqGSIb3DQEBAQUA<br>A4ICDwAwggIKAoICAQDulmTg3+JDxZr0uEsxr9521HV+Qja0/+gcQE1UlWe2Tx4V<br>iHx6GtqOSSyDl8vTPvmCv/ethTaGQVFZLWOGK8mvUkNqO0PpzcrucuvO8nyycjWE<br>TWsthWkCK0uIg1ivyWji1gn53XjattDAjbaLCHNKVne3KoD0hM0nNJF56zyv7QSJ<br>xh6HWAHNRb2Uc6R24vmCWdXh8/I5Cs4fHUpi9RQ8Qtw3C6W8JXOfdJ30uEOzHM0d<br>a1lh6eYc+kDQHSdyLc6l7T0/Mm8i0WbbHWk2V5LPEyuqFcbjg9xfX5W2TboJun28<br>0qog2UWT+Ofo20kRzcVQZKcw3xi7Q0avi0IkIckC8rqfZp67gPKp0/q4arYpK15d<br>n7jwz14lJ4xu9a/OWGdVKJ0pW3ydaKNwreFdGpHuhZ2VAJOzTK3N/7luBD0Qb1PW<br>vV232kZBkUPGKsJJ9DLDgnzzqYZChM460lbOS7M7CtQW+1doXF3COK8R0X9nrNht<br>tNMDEJlysuytFWX7mq1FeRxS2/eFEkeT3wiIRKLO/ZPdM++mKAyJJd4Ouob+pyfh<br>nsnzSAdNQsTZFE3OSnWkE3wFepzddBa4FXrw3Q5zPA1BXIZ8v5ARUeAr/Rnmq6ED<br>svLhopD/ixAXIFJFCNTrpxwxCgHanvR+hshkr/ydJyxRmlJz2UT3nbpnPXhzMwID<br>AQABo4IDijCCA4YwHwYDVR0jBBgwFoAUZ/2IIBQnmMcJ0iUZu+lREWN1UGIwHQYD<br>VR0OBBYEFAM1hJQoRxwTpqH9lz3lXpZdAN7vMFoGA1UdEQRTMFGCEW1haWwuY3Mu<br>c2JnLmFjLmF0ghNtYWlsLmNvc3kuc2JnLmFjLmF0ghNpbWFwLmNvc3kuc2JnLmFj<br>LmF0ghJwb3AuY29zeS5zYmcuYWMuYXQwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQW<br>MBQGCCsGAQUFBwMBBggrBgEFBQcDAjBrBgNVHR8EZDBiMC+gLaArhilodHRwOi8v<br>Y3JsMy5kaWdpY2VydC5jb20vVEVSRU5BU1NMQ0EzLmNybDAvoC2gK4YpaHR0cDov<br>L2NybDQuZGlnaWNlcnQuY29tL1RFUkVOQVNTTENBMy5jcmwwTAYDVR0gBEUwQzA3<br>BglghkgBhv1sAQEwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQu<br>Y29tL0NQUzAIBgZngQwBAgIwbgYIKwYBBQUHAQEEYjBgMCQGCCsGAQUFBzABhhho<br>dHRwOi8vb2NzcC5kaWdpY2VydC5jb20wOAYIKwYBBQUHMAKGLGh0dHA6Ly9jYWNl<br>cnRzLmRpZ2ljZXJ0LmNvbS9URVJFTkFTU0xDQTMuY3J0MAwGA1UdEwEB/wQCMAAw<br>ggF+BgorBgEEAdZ5AgQCBIIBbgSCAWoBaAB2AKS5CZC0GFgUh7sTosxncAo8NZgE<br>+RvfuON3zQ7IDdwQAAABZK3JdOIAAAQDAEcwRQIgZQUkCneHZEcXfC1yumvuTMIJ<br>MKf3GFGUanmHYO4l2NQCIQCuOkt7wI4HvMWr+jhq3PfM/GfPr03POT0WHaBx8Eug<br>CQB2AId1v+dZfPiMQ5lfvfNu/1aNR1Y2/0q1YMG06v9eoIMPAAABZK3JdZ4AAAQD<br>AEcwRQIhAMIyrqtbop76t3oH3TpEHjxJdb/abztkdE2dhDhSX+yNAiBpMlZSeCKH<br>t94VtRIgVeYX1iQoj+z3dicgh/ZpdfBEwwB2ALvZ37wfinG1k5Qjl6qSe0c4V5UK<br>q1LoGpCWZDaOHtGFAAABZK3JdbEAAAQDAEcwRQIhAIHVyGRqGMI9IV1ZsGcXl16+<br>jtVT0Z77Ky2CgoPTW915AiBHqCxvZUfu8Hpjs78JGLIKS/Vf1c+h/GBfs0FJFKzt<br>fjANBgkqhkiG9w0BAQsFAAOCAQEAMJAGj8Vh6fuWdQFHHJ5pjX3uQ6GQwAVnnmbS<br>IWLO0pcD7niy4IDeF/Q4Bwx9U4M12SImZr61UL0JL9UYy82xeSDEMReTbC83Ghug<br>aTTTrfHJjjH3/T69mFRjUHtsYhZVIoLlm0T+K4FiBMuaNSz09r0PmTHRpBdsPjwU<br>42ONsdcyI/nlaalzvNsG/JorNn2oG3zU9n7T4iXcMeIQqCzaBEVQKUi7zfeOuBk1<br>epA6679yxLTMsMpzd0xaXAZ4tlh7Cs7ozQwRCe4ZNQTmrtfTZ0od+6xLUpvTJylp<br>Yvc4n6jGgk8UrgkPTeloOnhuunZ9HNPaL8gBGCpvPwbJzfHJXg==<br>-----END CERTIFICATE-----<br> 1 s:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 3<br> i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID<br>Root CA<br>-----BEGIN CERTIFICATE-----<br>MIIE+zCCA+OgAwIBAgIQCHC8xa8/25Wakctq7u/kZTANBgkqhkiG9w0BAQsFADBl<br>MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3<br>d3cuZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJv<br>b3QgQ0EwHhcNMTQxMTE4MTIwMDAwWhcNMjQxMTE4MTIwMDAwWjBkMQswCQYDVQQG<br>EwJOTDEWMBQGA1UECBMNTm9vcmQtSG9sbGFuZDESMBAGA1UEBxMJQW1zdGVyZGFt<br>MQ8wDQYDVQQKEwZURVJFTkExGDAWBgNVBAMTD1RFUkVOQSBTU0wgQ0EgMzCCASIw<br>DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMV2Dw/ZQyk7bG3RR63eEL8jwnio<br>Snc18SNb4EweQefCMQC9iDdFdd25AhCAHo/tZCMERaegOTuBTc9jP8JJ/yKeiLDS<br>lrlcinQfkioq8hLIt2hUtVhBgUBoBhpPhSn7tU08D08/QJYbzqjMXjX/ZJj1dd10<br>VAWgNhEEEiRVY++Udy538RV27tOkWUUhn6i+0SftCuirOMo/h9Ha8Y+5Cx9E5+Ct<br>85XCFk3shKM6ktTPxn3mvcsaQE+zVLHzj28NHuO+SaNW5Ae8jafOHbBbV1bRxBz8<br>mGXRzUYvkZS/RYVJ+G1ShxwCVgEnFqtyLvRx5GG1IKD6JmlqCvGrn223zyUCAwEA<br>AaOCAaYwggGiMBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMHkG<br>CCsGAQUFBwEBBG0wazAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQu<br>Y29tMEMGCCsGAQUFBzAChjdodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGln<br>aUNlcnRBc3N1cmVkSURSb290Q0EuY3J0MIGBBgNVHR8EejB4MDqgOKA2hjRodHRw<br>Oi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRBc3N1cmVkSURSb290Q0EuY3Js<br>MDqgOKA2hjRodHRwOi8vY3JsNC5kaWdpY2VydC5jb20vRGlnaUNlcnRBc3N1cmVk<br>SURSb290Q0EuY3JsMD0GA1UdIAQ2MDQwMgYEVR0gADAqMCgGCCsGAQUFBwIBFhxo<br>dHRwczovL3d3dy5kaWdpY2VydC5jb20vQ1BTMB0GA1UdDgQWBBRn/YggFCeYxwnS<br>JRm76VERY3VQYjAfBgNVHSMEGDAWgBRF66Kv9JLLgjEtUYunpyGd823IDzANBgkq<br>hkiG9w0BAQsFAAOCAQEAqSg1esR71tonHqyYzyc2TxEydHTmQN0dzfJodzWvs4xd<br>xgS/FfQjZ4u5b5cE60adws3J0aSugS7JurHogNAcyTnBVnZZbJx946nw09E02DxJ<br>WYsamM6/xvLYMDX/6W9doK867mZTrqqMaci+mqege9iCSzMTyAfzd9fzZM2eY/lC<br>J1OuEDOJcjcV8b73HjWizsMt8tey5gvHacDlH198aZt+ziYaM0TDuncFO7pdP0GJ<br>+hY77gRuW6xWS++McPJKe1e9GW6LNgdUJi2GCZQfXzer8CM/jyxflp5HcahE3qm5<br>hS+1NGClXwmgmkMd1L8tRNaN2v11y18WoA5hwnA9Ng==<br>-----END CERTIFICATE-----<br> 2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID<br>Root CA<br> i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID<br>Root CA<br>-----BEGIN CERTIFICATE-----<br>MIIDtzCCAp+gAwIBAgIQDOfg5RfYRv6P5WD8G/AwOTANBgkqhkiG9w0BAQUFADBl<br>MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3<br>d3cuZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJv<br>b3QgQ0EwHhcNMDYxMTEwMDAwMDAwWhcNMzExMTEwMDAwMDAwWjBlMQswCQYDVQQG<br>EwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNl<br>cnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJvb3QgQ0EwggEi<br>MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtDhXO5EOAXLGH87dg+XESpa7c<br>JpSIqvTO9SA5KFhgDPiA2qkVlTJhPLWxKISKityfCgyDF3qPkKyK53lTXDGEKvYP<br>mDI2dsze3Tyoou9q+yHyUmHfnyDXH+Kx2f4YZNISW1/5WBg1vEfNoTb5a3/UsDg+<br>wRvDjDPZ2C8Y/igPs6eD1sNuRMBhNZYW/lmci3Zt1/GiSw0r/wty2p5g0I6QNcZ4<br>VYcgoc/lbQrISXwxmDNsIumH0DJaoroTghHtORedmTpyoeb6pNnVFzF1roV9Iq4/<br>AUaG9ih5yLHa5FcXxH4cDrC0kqZWs72yl+2qp/C3xag/lRbQ/6GW6whfGHdPAgMB<br>AAGjYzBhMA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW<br>BBRF66Kv9JLLgjEtUYunpyGd823IDzAfBgNVHSMEGDAWgBRF66Kv9JLLgjEtUYun<br>pyGd823IDzANBgkqhkiG9w0BAQUFAAOCAQEAog683+Lt8ONyc3pklL/3cmbYMuRC<br>dWKuh+vy1dneVrOfzM4UKLkNl2BcEkxY5NM9g0lFWJc1aRqoR+pWxnmrEthngYTf<br>fwk8lOa4JiwgvT2zKIn3X/8i4peEH+ll74fg38FnSbNd67IJKusm7Xi+fT8r87cm<br>NW1fiQG2SVufAQWbqz0lwcy2f8Lxb4bG+mRo64EtlOtCt/qMHt1i8b5QZ7dsvfPx<br>H2sMNgcWfzd8qVttevESRmCD1ycEvkvOl77DZypoEd+A5wwzZr8TDRRu838fYxAe<br>+o0bJW1sj6W3YQGx0qMmoRBxna3iw/nDmVG3KwcIzi7mULKn+gpFL6Lw8g==<br>-----END CERTIFICATE-----<br>---<br>Server certificate<br>subject=/C=AT/L=Salzburg/O=University of Salzburg/OU=Department of<br>Computer Science/CN=mail.cs.sbg.ac.at<br>issuer=/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 3<br>---<br><br>No client certificate CA names sent<br>Peer signing digest: SHA512<br>Server Temp Key: ECDH, P-384, 384 bits<br>---<br>SSL handshake has read 5255 bytes and written 362 bytes<br>Verification: OK<br>---<br>New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384<br>Server public key is 4096 bit<br>Secure Renegotiation IS supported<br>Compression: NONE<br>Expansion: NONE<br>No ALPN negotiated<br>SSL-Session:<br> Protocol : TLSv1.2<br> Cipher : ECDHE-RSA-AES256-GCM-SHA384<br> Session-ID:<br>1F74E0FB2AC74C65A4C68CAE898C305C6DB245A3566078A6C85E74572593951B<br> Session-ID-ctx: <br> Master-Key:<br>C6CEE7B44A640152E71EB72172DEC4DCD0604585A9D38427AA6E4604E4B8351458B648D<br>7010D8757924DDB82EC181585<br> PSK identity: None<br> PSK identity hint: None<br> SRP username: None<br> TLS session ticket lifetime hint: 300 (seconds)<br> TLS session ticket:<br> 0000 - b2 8f ed 2a fc 9a f8 4e-4b aa b8 9e 56 e1 01<br>95 ...*...NK...V...<br> 0010 - 3d 9b 01 c4 b6 dc 64 0a-9c 1a be 5d a4 7f f0<br>c9 =.....d....]....<br> 0020 - 12 d8 f0 94 f3 8c 92 7f-b8 fa f9 cd 60 e0 21<br>e8 ............`.!.<br> 0030 - d3 63 77 65 6f e7 ec 04-09 b4 f2 bb df cd 6d<br>10 .cweo.........m.<br> 0040 - dd 1a 87 fb c1 b7 de 89-f2 05 0f 70 3b 0d ef<br>62 ...........p;..b<br> 0050 - d4 60 f7 54 1b 38 bf d9-8f f7 81 56 1f 61 2d<br>b6 .`.T.8.....V.a-.<br> 0060 - f4 06 f1 e3 ba 65 95 95-d0 6b dd 92 39 30 1f<br>e2 .....e...k..90..<br> 0070 - 6e 60 6e 39 d6 51 ed a4-ae 8e 4a b6 ae 3e d6<br>77 n`n9.Q....J..>.w<br> 0080 - d9 f9 5d d6 fc b1 a5 89-94 e9 4b c5 cb 39 24<br>3c ..].......K..9$<<br> 0090 - 65 06 81 56 0b 16 d5 b6-a2 34 11 ea 18 c9 a3<br>6a e..V.....4.....j<br> 00a0 - ae a7 62 75 f4 5b 37 31-6f f4 56 26 06 78 2c<br>62 ..bu.[71o.V&.x,b<br><br> Start Time: 1532434962<br> Timeout : 7200 (sec)<br> Verify return code: 0 (ok)<br> Extended master secret: no<br>---<br>* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE<br>IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.<br><br><br><br>On Mon, 2018-07-23 at 10:05 +0300, Aki Tuomi wrote:<br>> Can you provide some details on what those openssl commands returned?<br>> <br>> Aki<br>> <br>> <br>> On 20.07.2018 12:14, Martin Johannes Dauser wrote:<br>> > Hi,<br>> > <br>> > I recognised some funny behaviour on my server. IMAP clients which<br>> > won't send an Server Name Indication (SNI) sometimes get the wrong<br>> > certificate. I would expect that those clients always get the<br>> > default<br>> > certificate (of my new domain), instead in about 20 to 50% of<br>> > connections the certificate of my old domain will be presented.<br>> > (sample rate was 3 times 30 connections)<br>> > <br>> > Clients sending SNI always get the right certificate.<br>> > <br>> > A user informed me that offlineIMAP complains <br>> > 'CA Cert verifying failed:<br>> > no matching domain name found in certificate'<br>> > So at least offlineIMAP 7.0.12 from Debain stretch won't send SNI,<br>> > there is a newer version upstream though.<br>> > <br>> > <br>> > I myself checked the server's behaviour with openssl:<br>> > <br>> > $ openssl s_client -showcerts -connect IP-address:993<br>> > <br>> > and<br>> > <br>> > $ openssl s_client -showcerts -connect IP-address:993 -servername<br>> > imap.domain<br>> > <br>> > <br>> > I'm totally clueless about how come.<br>> > <br>> > Best regards<br>> > Martin Johannes Dauser<br>> > <br>> > <br>> > <br>> > <br>> > # 2.2.10: /etc/dovecot/dovecot.conf<br>> > # OS: Linux 3.10.0-862.el7.x86_64 x86_64 Red Hat Enterprise Linux<br>> > Server release 7.5 (Maipo) <br>> > <br>> > ...<br>> > <br>> > service imap-login {<br>> > inet_listener imap {<br>> > address = 127.0.0.1<br>> > port = 143<br>> > }<br>> > inet_listener imaps {<br>> > port = 993<br>> > ssl = yes<br>> > }<br>> > process_min_avail = 8<br>> > service_count = 0<br>> > }<br>> > <br>> > ...<br>> > <br>> > ssl = required<br>> > # set default cert<br>> > ssl_cert = </etc/pki/dovecot/certs/mail_new_domain-chained.cert<br>> > ssl_cipher_list = DHE-RSA-AES256-SHA:DHE-RSA-AES128-<br>> > SHA:ALL:!LOW:!SSLv2:!EXP:!aNULL:!MD5:!RC4:!DES:!3DES:!TLSv1<br>> > <br>> > ssl_key = </etc/pki/dovecot/private/mail_new_domain.key<br>> > ssl_protocols = !SSLv2 !SSLv3<br>> > <br>> > ...<br>> > <br>> > # set alternativ cert for old domain<br>> > local_name mail.old.domain {<br>> > ssl_cert = </etc/pki/dovecot/certs/mail_old_domain-chained.cert<br>> > ssl_key = </etc/pki/dovecot/private/mail_old_domain.key<br>> > }<br>> > local_name imap.old.domain {<br>> > ssl_cert = </etc/pki/dovecot/certs/mail_old_domain-chained.cert<br>> > ssl_key = </etc/pki/dovecot/private/mail_old_domain.key<br>> > }<br>> > local_name pop.old.domain {<br>> > ssl_cert = </etc/pki/dovecot/certs/mail_old_domain-chained.cert<br>> > ssl_key = </etc/pki/dovecot/private/mail_old_domain.key<br>> > }<br>> > <br>> > # set explicit cert for new domain<br>> > local_name mail.new.domain {<br>> > ssl_cert = </etc/pki/dovecot/certs/mail_new_domain-chained.cert<br>> > ssl_key = </etc/pki/dovecot/private/mail_new_doman.key<br>> > }<br>> > local_name imap.new.domain {<br>> > ssl_cert = </etc/pki/dovecot/certs/mail_new_domain-chained.cert<br>> > ssl_key = </etc/pki/dovecot/private/mail_new_domain.key<br>> > }<br>> > local_name pop.new.domain {<br>> > ssl_cert = </etc/pki/dovecot/certs/mail_new_domain-chained.cert<br>> > ssl_key = </etc/pki/dovecot/private/mail_new_domain.key<br>> > }<br>> > <br>> > <br>> > <br>> <br>> <br></body></html>