On 08/03/18 18:43, Peter Linss wrote:
> I just added an ECDSA certificate to my mail server using ssl_alt_cert (the
> RSA certificate is specified by ssl_cert), both certificate files contain the
> certificate and a single intermediate (which currently happens to be the same
> intermediate from Let’s Encrypt).
> When connecting to the server using either RSA or ECDSA ciphers, the server
> sends the proper certificate, but also sends two intermediates. Apparently
> it’s reading the intermediate from both files and using both for all
> situations, rather than using only the intermediate in the RSA file for RSA
> certificates, and the intermediate in the ECDSA file for ECDSA certificates.
> I expect this will be a bigger problem when Let’s Encrypt starts using ECDSA
> Removing the intermediate from the ssl_alt_cert file solves the problem (but
> then doesn’t allow an ECDSA intermediate to be specified).
I believe that supplying multiple unrelated intermediate certificates is
an incorrect behaviour, though I don't know if this is a problem that
can be solved in Dovecot or has to be addressed in openssl itself.
Do you get any issue in certificate validation in the client?
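The situation described above (one intermediate in each of the ssl_cert and ssl_alt_cert files, which the server then presents together) can be checked offline from the two bundle files. This is an added example, not code from the thread or from Dovecot; the PEM bodies are constructed placeholders and only the PEM envelope is parsed.

```python
import hashlib
import re

# Constructed sample bundles standing in for the ssl_cert / ssl_alt_cert
# files. The base64 bodies are placeholders, not real certificates; only the
# BEGIN/END envelope is parsed, so any text between the markers works.
RSA_BUNDLE = """-----BEGIN CERTIFICATE-----
UlNBIGxlYWYgKGNvbnN0cnVjdGVkKQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
TGV0J3MgRW5jcnlwdCBpbnRlcm1lZGlhdGUgKGNvbnN0cnVjdGVkKQ==
-----END CERTIFICATE-----
"""
ECDSA_BUNDLE = """-----BEGIN CERTIFICATE-----
RUNEU0EgbGVhZiAoY29uc3RydWN0ZWQp
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
TGV0J3MgRW5jcnlwdCBpbnRlcm1lZGlhdGUgKGNvbnN0cnVjdGVkKQ==
-----END CERTIFICATE-----
"""

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def fingerprints(bundle):
    """One fingerprint per PEM block, in file order (leaf first, then
    intermediates), computed over the base64 body with whitespace removed."""
    return [hashlib.sha256("".join(body.split()).encode()).hexdigest()[:16]
            for body in PEM_RE.findall(bundle)]


def chain_report(bundles):
    """bundles: {setting_name: pem_text}. Reports how many intermediates each
    file carries, whether the same intermediate appears in more than one file,
    and how many intermediates a server would send if it merged every file's
    extras into one chain (the behaviour reported in the thread)."""
    per_file = {name: fingerprints(pem)[1:] for name, pem in bundles.items()}
    all_extras = [fp for extras in per_file.values() for fp in extras]
    return {
        "intermediates_per_file": {n: len(e) for n, e in per_file.items()},
        "shared_intermediate": len(set(all_extras)) < len(all_extras),
        "sent_if_merged": len(all_extras),
    }


if __name__ == "__main__":
    print(chain_report({"ssl_cert": RSA_BUNDLE, "ssl_alt_cert": ECDSA_BUNDLE}))
```

Point the two bundle strings at the real files to see whether the intermediates overlap and how many a merging server would present; compare with what `openssl s_client -showcerts` shows for an RSA and an ECDSA handshake.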