On Sat, Oct 15, 2022 at 11:50:20PM +0200, Marek Podmaka wrote:

> > > I can provide privately postfix host/port for both working and
> > > non-working certs.
> >
> > Sure.
>
> <redacted>:<redacted> for the troubled cert
> <redacted>:<redacted> for the working cert (different domain)

The two certificate chains are structurally identical, differing only
in minor details, such as: dates, keys, hostnames and signatures.

So if presenting an essentially identical certificate, but with the
wrong hostname makes the client happy, that's rather unexpected.
There's a non-trivial chance your observations are in error, but if
indeed presenting the wrong name makes the client stop short of
processing that would otherwise cause the handshake to be aborted,
that's rather ironic.

--
    Viktor.