On 05/28/18 11:08, Aki Tuomi wrote:
On 28.05.2018 12:06, Hauke Fath wrote:
On 05/21/18 17:55, Aki Tuomi wrote:
ssl_ca is used only for validating client certificates.
But it was used (though not documented, IIRC) for validating server
certs, too. Since intermediate CA certs are usually valid a lot longer
than the server certs, having to concat the certs is awkward, at best.
As far as I know, it has never been working as replacement for adding
the chain to cert file.
Well, you know your code better than I. ;)
But it has worked for us here pre-2.3 (see
<https://www.dovecot.org/pipermail/dovecot/2018-January/110638.html>
ff., and confirmed by
<https://www.dovecot.org/pipermail/dovecot/2018-January/110720.html>).
And from an admin POV, it makes a lot of sense to keep the intermediate
cert chain separate from the server cert.
Cheerio,
hauke
--
The ASCII Ribbon Campaign Hauke Fath
() No HTML/RTF in email Institut für Nachrichtentechnik
/\ No Word docs in email TU Darmstadt
Respect for open standards Ruf +49-6151-16-21344
