On 08/03/18 18:43, Peter Linss wrote:
> I just added an ECDSA certificate to my mail server using ssl_alt_cert (the
> RSA certificate is specified by ssl_cert); both certificate files contain the
> certificate and a single intermediate (which currently happens to be the same
> intermediate from Let’s Encrypt).
>
> When connecting to the server using either RSA or ECDSA ciphers, the server
> sends the proper certificate, but also sends two intermediates. Apparently
> it’s reading the intermediate from both files and using both for all
> situations, rather than using only the intermediate in the RSA file for RSA
> certificates, and the intermediate in the ECDSA file for ECDSA certificates.
> I expect this will be a bigger problem when Let’s Encrypt starts using ECDSA
> intermediates.
>
> Removing the intermediate from the ssl_alt_cert file solves the problem (but
> then doesn’t allow an ECDSA intermediate to be specified).
I believe that supplying multiple unrelated intermediate certificates is incorrect behaviour, though I don't know if this is a problem that can be solved in Dovecot or has to be addressed in OpenSSL itself. Do you get any issues with certificate validation in the client?

John
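The checks a reader would want for the situation in this thread, as an added example that is not Dovecot's code and was not posted by either participant: it builds a throwaway demo PKI with the openssl CLI (one "intermediate" issuing an RSA leaf and an EC leaf), lays the two bundles out the way ssl_cert and ssl_alt_cert expect them (leaf first, then its intermediate), reports each bundle's leaf key type and certificate count, and lists intermediates that occur in both files. The server_chain function is the manual live check (openssl s_client with -sigalgs to steer the server towards its RSA or ECDSA certificate, then -showcerts to see the chain it actually sends); it needs network access and is only shown, not run. The host name mail.example.test and all file names are placeholders.

```shell
#!/bin/sh
# Added example (not Dovecot's code): inspect what each chain file carries, the
# way ssl_cert and ssl_alt_cert are laid out (leaf first, then intermediates),
# and flag intermediates present in both files. The demo PKI is constructed on
# the fly; host and file names are placeholders. Needs the openssl CLI.
set -eu

# Split a PEM bundle into $2/cert-1.pem, $2/cert-2.pem, ... (cert-1 is the leaf).
pem_split() {
  mkdir -p "$2"
  awk -v d="$2" '/-----BEGIN CERTIFICATE-----/ { n++ } n { print > (d "/cert-" n ".pem") }' "$1"
}

# Number of certificates in a bundle.
chain_cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# Public key algorithm of the leaf (openssl x509 reads only the first PEM block):
# rsaEncryption for an RSA leaf, id-ecPublicKey for an ECDSA leaf.
chain_leaf_alg() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1
}

# SHA-256 fingerprints of every certificate after the leaf, one per line.
chain_intermediate_fps() {
  d=$(mktemp -d)
  pem_split "$1" "$d"
  for f in "$d"/cert-*.pem; do
    [ "$f" = "$d/cert-1.pem" ] && continue
    openssl x509 -in "$f" -noout -fingerprint -sha256 | cut -d= -f2
  done
  rm -rf "$d"
}

# Intermediates that occur in both bundles (the thread's case: the same
# Let's Encrypt intermediate in the ssl_cert file and the ssl_alt_cert file).
shared_intermediates() {
  t=$(mktemp -d)
  chain_intermediate_fps "$1" | sort > "$t/a"
  chain_intermediate_fps "$2" | sort > "$t/b"
  comm -12 "$t/a" "$t/b"
  rm -rf "$t"
}

# Live check (not run here, needs network): the chain the server sends when the
# client only offers RSA, or only ECDSA, signature algorithms. Pipe the output to
# a file and feed it to chain_cert_count / chain_intermediate_fps. For STARTTLS
# on port 143 add "-starttls imap".
#   server_chain mail.example.test 993 RSA+SHA256
#   server_chain mail.example.test 993 ECDSA+SHA256
server_chain() {
  openssl s_client -connect "$1:$2" -servername "$1" -sigalgs "$3" -showcerts </dev/null 2>/dev/null \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Constructed demo: one throwaway "intermediate" issuing an RSA leaf and an EC
# leaf, assembled into the two bundles Dovecot would be pointed at.
make_demo_chains() {
  d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/int.key" -out "$d/int.pem" \
    -subj /CN=Demo-Intermediate -days 1 >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout "$d/rsa.key" -out "$d/rsa.csr" \
    -subj /CN=mail.example.test >/dev/null 2>&1
  openssl x509 -req -in "$d/rsa.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
    -out "$d/rsa.crt" -days 1 >/dev/null 2>&1
  openssl ecparam -name prime256v1 -genkey -noout -out "$d/ec.key"
  openssl req -new -key "$d/ec.key" -out "$d/ec.csr" -subj /CN=mail.example.test >/dev/null 2>&1
  openssl x509 -req -in "$d/ec.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
    -out "$d/ec.crt" -days 1 >/dev/null 2>&1
  cat "$d/rsa.crt" "$d/int.pem" > "$d/ssl_cert.pem"      # what ssl_cert would point at
  cat "$d/ec.crt"  "$d/int.pem" > "$d/ssl_alt_cert.pem"  # what ssl_alt_cert would point at
}

DEMO=$(mktemp -d)
make_demo_chains "$DEMO"
for b in ssl_cert.pem ssl_alt_cert.pem; do
  printf '%s: %s cert(s), leaf key %s\n' "$b" \
    "$(chain_cert_count "$DEMO/$b")" "$(chain_leaf_alg "$DEMO/$b")"
done
printf 'intermediates present in both files:\n'
shared_intermediates "$DEMO/ssl_cert.pem" "$DEMO/ssl_alt_cert.pem"
```

Run against the live server, the two server_chain calls make the reported behaviour visible directly: if the chain returned for ECDSA+SHA256 contains more intermediates than the ssl_alt_cert file does, the server is appending intermediates from the other bundle. When the two files carry the same intermediate, shared_intermediates prints one fingerprint and the duplicate is harmless to validation; once the intermediates differ (as with a future ECDSA-specific Let's Encrypt intermediate) it prints nothing, and that is the configuration in which sending both chains becomes a real problem.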