On 08/03/18 18:43, Peter Linss wrote:
> I just added an ECDSA certificate to my mail server using ssl_alt_cert (the 
> RSA certificate is specified by ssl_cert), both certificate files contain the 
> certificate and a single intermediate (which currently happens to be the same 
> intermediate from Let’s Encrypt).
> When connecting to the server using either RSA or ECDSA ciphers, the server 
> sends the proper certificate, but also sends two intermediates. Apparently 
> it’s reading the intermediate from both files and using both for all 
> situations, rather than using only the intermediate in the RSA file for RSA 
> certificates, and the intermediate in the ECDSA file for ECDSA certificates. 
> I expect this will be a bigger problem when Let’s Encrypt starts using ECDSA 
> intermediates.
> Removing the intermediate from the ssl_alt_cert file solves the problem (but 
> then doesn’t allow an ECDSA intermediate to be specified).

I believe that supplying multiple unrelated intermediate certificates is
an incorrect behaviour, though I don't know if this is a problem that
can be solved in Dovecot or has to be addressed in openssl itself.

Do you get any issues with certificate validation in the client?
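Added example, not from this thread and not Dovecot or OpenSSL code: a small Python check (using the `cryptography` package) that takes the certificates a server presented, in the order sent, walks the issuer path from the leaf, and reports every extra certificate that is not on that path, which is what a second, unrelated intermediate or a duplicated one looks like in the scenario above. The CA and host names are constructed; `presented_chain_from_pem` takes the PEM blocks as printed by `openssl s_client -showcerts`.

```python
import datetime
import re
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec, rsa
from cryptography.x509.oid import NameOID

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
def _cn(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _make_cert(cn, pubkey, issuer_cert, signer_key):
    """Issue a minimal test certificate (constructed PKI, no extensions)."""
    start = datetime.datetime(2018, 3, 8)
    return (x509.CertificateBuilder().subject_name(_cn(cn))
            .issuer_name(issuer_cert.subject if issuer_cert else _cn(cn))
            .public_key(pubkey).serial_number(x509.random_serial_number())
            .not_valid_before(start).not_valid_after(start + datetime.timedelta(days=90))
            .sign(signer_key, hashes.SHA256()))

def unrelated_intermediates(chain):
    """chain[0] is the leaf, chain[1:] the extras as sent; return subjects of extras
    not on the leaf's issuer path (other key type's intermediate, or a duplicate)."""
    leaf, extras = chain[0], list(chain[1:])
    used, cur = set(), leaf
    while cur.subject != cur.issuer:  # stop at a self-signed root
        idx = next((i for i, c in enumerate(extras)
                    if i not in used and c.subject == cur.issuer), None)
        if idx is None:
            break  # issuer not presented: normal when the root is omitted
        used.add(idx)
        cur = extras[idx]
    return [c.subject.rfc4514_string() for i, c in enumerate(extras) if i not in used]

def presented_chain_from_pem(pem):
    """Parse the PEM blocks of e.g. `openssl s_client -showcerts` output, in order."""
    return [x509.load_pem_x509_certificate(m.group(0)) for m in PEM_RE.finditer(pem)]

def roundtrip(certs):  # serialize to PEM and parse back, as a captured chain arrives
    return presented_chain_from_pem(b"".join(c.public_bytes(serialization.Encoding.PEM) for c in certs))

def build_demo():
    """Constructed PKI like the thread's: one root, an RSA and an ECDSA intermediate, one leaf each."""
    root_key = ec.generate_private_key(ec.SECP256R1())
    root = _make_cert("Demo Root", root_key.public_key(), None, root_key)
    rsa_int_key, ec_int_key = rsa.generate_private_key(65537, 2048), ec.generate_private_key(ec.SECP256R1())
    rsa_int = _make_cert("Demo RSA Intermediate", rsa_int_key.public_key(), root, root_key)
    ec_int = _make_cert("Demo ECDSA Intermediate", ec_int_key.public_key(), root, root_key)
    rsa_leaf = _make_cert("mail.example.test", rsa.generate_private_key(65537, 2048).public_key(), rsa_int, rsa_int_key)
    ec_leaf = _make_cert("mail.example.test", ec.generate_private_key(ec.SECP256R1()).public_key(), ec_int, ec_int_key)
    return {"rsa_leaf": rsa_leaf, "rsa_int": rsa_int, "ec_leaf": ec_leaf, "ec_int": ec_int}
```

To check a live server, capture the chain once with `openssl s_client -showcerts` restricted (via `-cipher`) to RSA suites and once restricted to ECDSA suites, and pass each capture to `presented_chain_from_pem` followed by `unrelated_intermediates`; an empty list means only the matching intermediate was sent.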