On 28.05.2018 13:05, Hauke Fath wrote:
> On 05/28/18 11:08, Aki Tuomi wrote:
>>
>>
>> On 28.05.2018 12:06, Hauke Fath wrote:
>>> On 05/21/18 17:55, Aki Tuomi wrote:
>>>> ssl_ca is used only for validating client certificates.
>>>
>>> But it was used (though not documented, IIRC) for validating server
>>> certs, too. Since intermediate CA certs are usually valid a lot longer
>>> than the server certs, having to concat the certs is awkward, at best.
>>
>> As far as I know, it has never been working as replacement for adding
>> the chain to cert file.
>
> Well, you know your code better than I. ;)
>
> But it has worked for us here pre-2.3 (see
> <https://www.dovecot.org/pipermail/dovecot/2018-January/110638.html>
> ff., and confirmed by
> <https://www.dovecot.org/pipermail/dovecot/2018-January/110720.html>).
>
> And from an admin POV, it makes a lot of sense to keep the
> intermediate cert chain separate from the server cert.
>
> Cheerio,
> hauke
>

I'm sure. But putting it as ssl_ca makes no sense, since it becomes confused what it is for.
We can try restoring this as ssl_cert_chain setting in future release.

Aki
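Added example, not part of the thread and not Dovecot code: a shell check of what "adding the chain to cert file" amounts to, assuming the `openssl` CLI is installed. The throwaway PKI, CNs, function names and file paths are constructed, and pointing `ssl_cert` at the resulting file is the assumed use.

```shell
#!/bin/sh
# Added example. All names, CNs and paths are constructed placeholders.

# Throwaway root -> intermediate -> leaf PKI in directory $1 (constructed test data).
make_demo_pki() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -days 2 -out "$d/int.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# build_fullchain OUT LEAF INTERMEDIATE...
# Server certificate first, then intermediates. awk 1 adds a final newline to
# any input that lacks one, so PEM blocks never run together.
build_fullchain() {
    out=$1; shift
    awk 1 "$@" > "$out"
}

# check_fullchain ROOT FULLCHAIN
# Passes only if the first cert in FULLCHAIN reaches ROOT through the
# intermediates bundled in the same file (what a client would be sent).
check_fullchain() {
    openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

# key_matches FULLCHAIN KEY: the first cert must belong to the private key.
key_matches() {
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) && [ -n "$pub" ] &&
        [ "$pub" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# Demo run; the result would be referenced as: ssl_cert = </path/to/fullchain.pem
demo() {
    t=$(mktemp -d) && make_demo_pki "$t" &&
    build_fullchain "$t/fullchain.pem" "$t/leaf.pem" "$t/int.pem" &&
    check_fullchain "$t/root.pem" "$t/fullchain.pem" &&
    key_matches "$t/fullchain.pem" "$t/leaf.key" && echo "fullchain OK"
    rc=$?; rm -rf "$t"; return $rc
}
demo
```

Running `check_fullchain` against the leaf file alone fails, which is the symptom a client sees when the intermediate is left out of the cert file.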
