On Sat, Oct 15, 2022 at 11:50:20PM +0200, Marek Podmaka wrote:

> > > I can provide privately postfix host/port for both working and
> > > non-working certs.
> >
> > Sure.
> 
> <redacted>:<redacted> for the troubled cert
> <redacted>:<redacted> for the working cert (different domain)

The two certificate chains are structurally identical, differing only in
minor details, such as: dates, keys, hostnames and signatures.

So if presenting an essentially identical certificate, but with the
wrong hostname makes the client happy, that's rather unexpected.

There's a non-trivial chance your observations are in error, but if
indeed presenting the wrong name makes the client stop short of
processing that would otherwise cause the handshake to be aborted,
that's rather ironic.

-- 
    Viktor.
