On 10/03/18 14:06, Aki Tuomi wrote:
>
>> On 10 March 2018 at 14:49 John Fawcett <j...@voipsupport.it <mailto:j...@voipsupport.it>> wrote:
>>
>>
>> On 08/03/18 18:43, Peter Linss wrote:
>>> I just added an ECDSA certificate to my mail server using
>>> ssl_alt_cert (the RSA certificate is specified by ssl_cert), both
>>> certificate files contain the certificate and a single intermediate
>>> (which currently happens to be the same intermediate from Let’s
>>> Encrypt).
>>> When connecting to the server using either RSA or ECDSA ciphers, the
>>> server sends the proper certificate, but also sends two
>>> intermediates. Apparently it’s reading the intermediate from both
>>> files and using both for all situations, rather than using only the
>>> intermediate in the RSA file for RSA certificates, and the
>>> intermediate in the ECDSA file for ECDSA certificates. I expect this
>>> will be a bigger problem when Let’s Encrypt starts using ECDSA
>>> intermediates.
>>> Removing the intermediate from the ssl_alt_cert file solves the
>>> problem (but then doesn’t allow an ECDSA intermediate to be specified).
>> I believe that supplying multiple unrelated intermediate certificates is
>> an incorrect behaviour, though I don't know if this is a problem that
>> can be solved in Dovecot or has to be addressed in openssl itself.
>>
>> Do you get any issue in certificate validation in the client?
>>
>> John
>
> You sure your cert file does not contain unrelated certificates?
> ---
> Aki Tuomi
Aki,

I'll leave Peter to respond about his cert files, but in the test I did, the ssl_cert and ssl_alt_cert files each contained the server cert and the next cert in the chain. However, both intermediates were supplied whether using RSA or ECDSA.

John
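A way to reproduce what the thread observes, as an added example that is not part of the thread and not Dovecot's own tooling: connect with `openssl s_client` twice, once limited to an RSA cipher and once to an ECDSA cipher, and compare the `-showcerts` chains the server returns. The host name and the IMAPS port 993 are placeholders, the TLS 1.2 cipher names are only used to force one key type per connection, and the embedded transcript is a constructed sample (with certificate bodies omitted) so the parsing functions can be exercised offline.

```shell
#!/bin/sh
# Added example: inspect the certificate chain a server sends per key type.
# Requires the openssl CLI for live probing; the functions below parse the
# "Certificate chain" section of `openssl s_client -showcerts` output.

# Print one "subject<TAB>issuer" line per chain entry read from stdin.
# s_client prints entries as " 0 s:<subject>" followed by "   i:<issuer>".
parse_chain() {
    awk '
        /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); s = $0 }
        /^ *i:/        { sub(/^ *i:/, "");        print s "\t" $0 }'
}

# Number of certificates in the chain (leaf plus whatever the server attached).
chain_length() {
    parse_chain | wc -l | tr -d ' '
}

# Chain entries that did not issue any certificate listed before them.
# A correctly built chain prints nothing; an intermediate belonging to the
# other key type (the symptom in the thread) shows up as "dangling: <subject>".
dangling_certs() {
    parse_chain | awk -F '\t' '
        { subj[NR] = $1; issu[NR] = $2 }
        END {
            for (k = 2; k <= NR; k++) {
                used = 0
                for (j = 1; j < k; j++) if (issu[j] == subj[k]) used = 1
                if (!used) print "dangling: " subj[k]
            }
        }'
}

# Connect with the client pinned to one key type via a TLS 1.2 cipher and
# report what the server sent.  $1 = host, $2 = port, $3 = cipher string.
probe_server() {
    host=$1; port=$2; cipher=$3
    out=$(openssl s_client -connect "$host:$port" -servername "$host" \
              -tls1_2 -cipher "$cipher" -showcerts </dev/null 2>/dev/null)
    printf '%s\n' "$out" | chain_length
    printf '%s\n' "$out" | dangling_certs
}

# Constructed sample transcript: a leaf with its RSA intermediate, plus an
# unrelated ECDSA intermediate tacked on, as Peter describes.
SAMPLE_TRANSCRIPT=$(cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = mail.example.org
   i:C = US, O = Example CA, CN = Example Intermediate RSA
-----BEGIN CERTIFICATE-----
(certificate body omitted; constructed sample)
-----END CERTIFICATE-----
 1 s:C = US, O = Example CA, CN = Example Intermediate RSA
   i:C = US, O = Example CA, CN = Example Root
-----BEGIN CERTIFICATE-----
(certificate body omitted; constructed sample)
-----END CERTIFICATE-----
 2 s:C = US, O = Example CA, CN = Example Intermediate ECDSA
   i:C = US, O = Example CA, CN = Example Root
-----BEGIN CERTIFICATE-----
(certificate body omitted; constructed sample)
-----END CERTIFICATE-----
---
Server certificate
EOF
)

# Offline run on the sample; pass a host (and optionally a port, default 993)
# as arguments to probe a live server for both key types.
printf '%s\n' "$SAMPLE_TRANSCRIPT" | chain_length
printf '%s\n' "$SAMPLE_TRANSCRIPT" | dangling_certs
if [ -n "${1:-}" ]; then
    for c in ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-GCM-SHA256; do
        echo "== $c"
        probe_server "$1" "${2:-993}" "$c"
    done
fi
```

For a server that only offers one of the two key types the corresponding probe fails to connect and reports a chain length of 0, which is itself useful information. With TLS 1.3 the cipher suite no longer selects the certificate type, which is why the probe pins TLS 1.2; `-sigalgs` is the equivalent knob for TLS 1.3 but is left out here to keep the check to flags that behave the same across OpenSSL versions.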