On 01/11/2018 12:22 PM, Aki Tuomi wrote:
> On 11.01.2018 13:20, Hauke Fath wrote:
>> On Thu, 11 Jan 2018 12:20:45 +0200, Aki Tuomi wrote:
>>> Was the certificate path bundled in the server certificate?
>>
>> No, as a separate file, provided from the local (intermediate) CA:
>>
>>     ssl_cert = </etc/openssl/certs/server.cert
>>     ssl_key = </etc/openssl/private/server.key
>>     ssl_ca = </etc/openssl/certs/ca-cert-chain.pem
>>
>> Worked fine with 2.2.x, 2.3 gives
>>
>>     % openssl s_client -connect XXX:993
>>     CONNECTED(00000006)
>>     depth=0 C = DE, ST = Hessen, L = Darmstadt, O = Technische Universitaet Darmstadt, OU = XXX, CN = XXX.tu-darmstadt.de
>>     verify error:num=20:unable to get local issuer certificate
>>     verify return:1
>>     depth=0 C = DE, ST = Hessen, L = Darmstadt, O = Technische Universitaet Darmstadt, OU = XXX, CN = XXX.tu-darmstadt.de
>>     verify error:num=21:unable to verify the first certificate
>>     verify return:1
>>     ---
>>     Certificate chain
>>      0 s:/C=DE/ST=Hessen/L=Darmstadt/O=Technische Universitaet Darmstadt/OU=XXX/CN=XXX.tu-darmstadt.de
>>        i:/C=DE/ST=Hessen/L=Darmstadt/O=Technische Universitaet Darmstadt/CN=TUD CA G01/emailAddress=tud...@hrz.tu-darmstadt.de
>>     ---
>>     Server certificate
>>     -----BEGIN CERTIFICATE-----
>>     [...]
>>     %
>
> Seems we might've made an unexpected change here when we revamped the ssl code. Can you try if it works if you concatenate the cert and cert-chain to a single file? We'll start looking if this is a misunderstanding or a bug.
>
> Aki
Hello,

let me confirm this issue. I have a setup similar to Hauke Fath.

Doing the workaround suggested by Aki

    cat /etc/openssl/certs/ca-cert-chain.pem >> /etc/openssl/certs/server.cert

and removing "ssl_ca" from the config file presents the correct CA chain. Whereas the original config presented my own server cert three times as the chain.

Since server certs tend to change more frequently than the CA chains, I really want to keep them in separate files. So this is really a show stopper for me.

CU,
Olaf

--
Karlsruher Institut für Technologie (KIT)
ATIS - Abt. Technische Infrastruktur, Fakultät für Informatik

Dipl.-Geophys. Olaf Hopp
- Leitung IT-Dienste -

Am Fasanengarten 5, Gebäude 50.34, Raum 009
76131 Karlsruhe
Phone: +49 721 608-43973
Fax: +49 721 608-46699
E-Mail: olaf.h...@kit.edu
atis.informatik.kit.edu
www.kit.edu

KIT – The Research University in the Helmholtz Association

KIT has been certified as a family-friendly university since 2010.
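A small check for the symptom described in this thread (an added illustration, not code from the thread or from Dovecot): feed it the output of `openssl s_client -showcerts` (or a concatenated ssl_cert file) and it reports how many certificates were presented and how many of them are distinct, so a server that repeats its own leaf cert instead of sending the CA chain stands out. The PEM blocks in the built-in samples are constructed placeholders, not real certificates, and the script name chaincheck.py is assumed.

```python
import base64
import hashlib
import re
import sys

# Matches every PEM certificate block, e.g. in "openssl s_client -showcerts"
# output or in a concatenated ssl_cert file.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_fingerprints(text):
    """SHA-256 fingerprints (hex) of each PEM block, in the order presented."""
    fps = []
    for body in PEM_RE.findall(text):
        der = base64.b64decode("".join(body.split()))
        fps.append(hashlib.sha256(der).hexdigest())
    return fps


def chain_report(text):
    """Summarise what the peer (or file) presents: how many certs, how many distinct."""
    fps = pem_fingerprints(text)
    distinct = len(set(fps))
    return {
        "presented": len(fps),
        "distinct": distinct,
        # the symptom from the thread: the same cert sent repeatedly, no issuer cert
        "repeated_leaf": len(fps) > 1 and distinct == 1,
        # only the leaf, no intermediate at all (verify error 21 in s_client)
        "leaf_only": len(fps) == 1,
    }


def _fake_pem(payload):
    """Constructed stand-in for a certificate: arbitrary bytes, PEM-wrapped (NOT a real cert)."""
    b64 = base64.b64encode(payload).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed s_client-style captures: the broken case (leaf sent three times)
# and the fixed case (leaf followed by a distinct intermediate).
HEADER = "CONNECTED(00000006)\n---\nCertificate chain\n"
SAMPLE_BROKEN = HEADER + _fake_pem(b"leaf") * 3
SAMPLE_FIXED = HEADER + _fake_pem(b"leaf") + _fake_pem(b"intermediate")

if __name__ == "__main__":
    # usage: openssl s_client -connect host:993 -showcerts </dev/null | python3 chaincheck.py
    print(chain_report(sys.stdin.read()))
```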