On 10.03.2018 17:11, Aki Tuomi wrote:
>> On 10 March 2018 at 16:53 Aki Tuomi <aki.tu...@dovecot.fi> wrote:
>>
>>> On 10 March 2018 at 16:05 Aki Tuomi <aki.tu...@dovecot.fi> wrote:
>>>
>>>> On 10 March 2018 at 15:20 John Fawcett <j...@voipsupport.it> wrote:
>>>>
>>>> On 10/03/18 14:06, Aki Tuomi wrote:
>>>>>> On 10 March 2018 at 14:49 John Fawcett <j...@voipsupport.it> wrote:
>>>>>>
>>>>>> On 08/03/18 18:43, Peter Linss wrote:
>>>>>>> I just added an ECDSA certificate to my mail server using
>>>>>>> ssl_alt_cert (the RSA certificate is specified by ssl_cert); both
>>>>>>> certificate files contain the certificate and a single intermediate
>>>>>>> (which currently happens to be the same intermediate from Let’s
>>>>>>> Encrypt).
>>>>>>> When connecting to the server using either RSA or ECDSA ciphers, the
>>>>>>> server sends the proper certificate, but also sends two
>>>>>>> intermediates. Apparently it’s reading the intermediate from both
>>>>>>> files and using both for all situations, rather than using only the
>>>>>>> intermediate in the RSA file for RSA certificates, and the
>>>>>>> intermediate in the ECDSA file for ECDSA certificates. I expect this
>>>>>>> will be a bigger problem when Let’s Encrypt starts using ECDSA
>>>>>>> intermediates.
>>>>>>> Removing the intermediate from the ssl_alt_cert file solves the
>>>>>>> problem (but then doesn’t allow an ECDSA intermediate to be specified).
>>>>>> I believe that supplying multiple unrelated intermediate certificates is
>>>>>> an incorrect behaviour, though I don't know if this is a problem that
>>>>>> can be solved in Dovecot or has to be addressed in openssl itself.
>>>>>>
>>>>>> Do you get any issue in certificate validation in the client?
>>>>>>
>>>>>> John
>>>>> You sure your cert file does not contain unrelated certificates?
>>>>> ---
>>>>> Aki Tuomi
>>>> Aki
>>>>
>>>> I'll leave Peter to respond about his cert files, but in the test I did,
>>>> the ssl_cert and ssl_alt_cert each contained the server cert and
>>>> the next cert in the chain. However, both intermediates were supplied
>>>> whether using RSA or ECDSA.
>>>>
>>>> John
>>>>
>>> I can confirm this behaviour. We'll look into it.
>>>
>>> Aki
>> This appears to be slightly too difficult to fix for OpenSSL 1.0.0, but we
>> can fix this for 1.0.2 and later on next release.
>>
>> Aki
> Sorry, target release 2.3.2, not 2.3.1.
>
> Aki

Fixed with https://github.com/dovecot/core/commit/98794428c6805fb82d4d650f46a635226862c4f0.patch

Aki
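The symptom Peter and John describe (the server presenting the intermediates from both chain files no matter which certificate was selected) can be checked from the client side with nothing but the openssl command-line tool. The script below is an added example, not code from this thread or from Dovecot. It builds an RSA chain and an ECDSA chain of the shape the reporters configured (leaf plus one intermediate per file), then audits a chain in the order a client receives it and flags every certificate that is not on the leaf's issuer path. Every host name, file name and Dovecot path in it is made up for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or from Dovecot). Needs only the
# openssl CLI. Builds "leaf + intermediate" files for RSA and ECDSA, then
# audits a chain the way a client sees it. All names below are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build root -> intermediate -> leaf for one key type.
# $1 = label, remaining args = arguments for "openssl req -newkey".
mkchain() {
  label=$1; shift
  openssl req -x509 -newkey "$@" -nodes -days 2 -subj "/CN=Test Root $label" \
    -keyout "$WORK/root-$label.key" -out "$WORK/root-$label.crt" 2>/dev/null
  openssl req -new -newkey "$@" -nodes -subj "/CN=Test Intermediate $label" \
    -keyout "$WORK/int-$label.key" -out "$WORK/int-$label.csr" 2>/dev/null
  openssl x509 -req -days 2 -set_serial 2 -in "$WORK/int-$label.csr" \
    -CA "$WORK/root-$label.crt" -CAkey "$WORK/root-$label.key" \
    -out "$WORK/int-$label.crt" 2>/dev/null
  openssl req -new -newkey "$@" -nodes -subj "/CN=mail.example.test" \
    -keyout "$WORK/leaf-$label.key" -out "$WORK/leaf-$label.csr" 2>/dev/null
  openssl x509 -req -days 2 -set_serial 3 -in "$WORK/leaf-$label.csr" \
    -CA "$WORK/int-$label.crt" -CAkey "$WORK/int-$label.key" \
    -out "$WORK/leaf-$label.crt" 2>/dev/null
  # The file ssl_cert (RSA) or ssl_alt_cert (ECDSA) would point at, e.g.
  #   ssl_cert = </etc/dovecot/chain-rsa.pem    ssl_key = </etc/dovecot/leaf-rsa.key
  #   ssl_alt_cert = </etc/dovecot/chain-ec.pem ssl_alt_key = </etc/dovecot/leaf-ec.key
  cat "$WORK/leaf-$label.crt" "$WORK/int-$label.crt" > "$WORK/chain-$label.pem"
}

# subject or issuer of one PEM certificate, as openssl prints it (prefix stripped).
field() { openssl x509 -noout "-$1" -in "$2" | sed "s/^$1=//"; }

# Audit a PEM chain in the order a client receives it (first cert = leaf).
# Prints one line per certificate and a final "extra=N": the number of
# certificates that are not on the leaf's issuer path.
audit_chain() {
  d=$(mktemp -d)
  awk -v dir="$d" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/c%02d.pem", dir, n); inside = 1 }
    inside { print > f }
    /-----END CERTIFICATE-----/  { inside = 0; close(f) }' "$1"
  leaf="$d/c01.pem"
  keyalg=$(openssl x509 -noout -text -in "$leaf" | sed -n 's/.*Public Key Algorithm: //p')
  echo "leaf ($keyalg): $(field subject "$leaf")"
  expected=$(field issuer "$leaf")
  # Repeatedly pick the unused cert whose subject is the issuer needed next,
  # so the order the server sent the certificates in does not matter.
  found=1
  while [ "$found" = 1 ]; do
    found=0
    for f in "$d"/c*.pem; do
      [ "$f" = "$leaf" ] && continue
      [ -e "$f.used" ] && continue
      if [ "$(field subject "$f")" = "$expected" ]; then
        touch "$f.used"; found=1
        expected=$(field issuer "$f")
        echo "on-path:  $(field subject "$f")"
        break
      fi
    done
  done
  extra=0
  for f in "$d"/c*.pem; do
    [ "$f" = "$leaf" ] && continue
    [ -e "$f.used" ] && continue
    echo "OFF-PATH: $(field subject "$f")"
    extra=$((extra + 1))
  done
  rm -rf "$d"
  echo "extra=$extra"
}

mkchain rsa rsa:2048
mkchain ec ec -pkeyopt ec_paramgen_curve:P-256

# Constructed reproduction of what the reporter saw: the RSA leaf followed
# by the intermediates from BOTH files.
cat "$WORK/leaf-rsa.crt" "$WORK/int-rsa.crt" "$WORK/int-ec.crt" > "$WORK/as-sent-rsa.pem"

echo "== chain file as configured =="; audit_chain "$WORK/chain-rsa.pem"
echo "== chain as sent by the server =="; audit_chain "$WORK/as-sent-rsa.pem"
# Against a live server, capture the chain for each key type and audit it:
#   openssl s_client -connect mail.example.test:993 -tls1_2 \
#     -cipher ECDHE-ECDSA-AES256-GCM-SHA384 -showcerts </dev/null > sent-ec.pem
#   audit_chain sent-ec.pem
```

The audit only matches subject to issuer names, which is exactly what a client's chain builder does before it checks signatures, so it spots a surplus intermediate without needing the root in a trust store. Forcing `-tls1_2` together with an `ECDHE-ECDSA-*` or `ECDHE-RSA-*` cipher is what makes the server pick one certificate or the other; under TLS 1.3 the cipher suite no longer selects the key type, so use `-sigalgs` there instead.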