On 10/03/18 14:20, John Fawcett wrote:
> On 10/03/18 14:06, Aki Tuomi wrote:
>>
>>> On 10 March 2018 at 14:49 John Fawcett <j...@voipsupport.it> wrote:
>>>
>>> On 08/03/18 18:43, Peter Linss wrote:
>>>> I just added an ECDSA certificate to my mail server using ssl_alt_cert (the RSA certificate is specified by ssl_cert); both certificate files contain the certificate and a single intermediate (which currently happens to be the same intermediate from Let's Encrypt).
>>>>
>>>> When connecting to the server using either RSA or ECDSA ciphers, the server sends the proper certificate, but also sends two intermediates. Apparently it's reading the intermediate from both files and using both for all situations, rather than using only the intermediate in the RSA file for RSA certificates, and the intermediate in the ECDSA file for ECDSA certificates. I expect this will be a bigger problem when Let's Encrypt starts using ECDSA intermediates.
>>>>
>>>> Removing the intermediate from the ssl_alt_cert file solves the problem (but then doesn't allow an ECDSA intermediate to be specified).
>>>
>>> I believe that supplying multiple unrelated intermediate certificates is an incorrect behaviour, though I don't know if this is a problem that can be solved in Dovecot or has to be addressed in openssl itself.
>>>
>>> Do you get any issue in certificate validation in the client?
>>>
>>> John
>>
>> You sure your cert file does not contain unrelated certificates?
>> ---
>> Aki Tuomi
>
> Aki
>
> I'll leave Peter to respond about his cert files, but in the test I did, the ssl_cert and ssl_alt_cert files each contained the server cert and the next cert in the chain. However, both intermediates were supplied whether using RSA or ECDSA.
>
> John
>

May need to look into using SSL_CTX_add1_chain_cert() instead of SSL_CTX_add_extra_chain_cert()

John
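As an added example (not part of this thread and not Dovecot's own code), here is a stdlib-only Python check for the situation Peter and John describe: it parses each ssl_cert / ssl_alt_cert bundle, confirms that every certificate after the leaf actually issued the one before it, and models what a client sees when all intermediates are pooled into one shared extra chain (the SSL_CTX_add_extra_chain_cert style behaviour) instead of a chain tied to each leaf. The certificates it runs on are constructed, unsigned DER skeletons built inside the script, and the names "Demo RSA CA", "Demo ECDSA CA", "Demo Root" and "mail.example" are made up for the demo; to check real files, pass open(path).read() to check_bundle().

```python
"""Sanity-check Dovecot ssl_cert / ssl_alt_cert bundles with the stdlib only.

Each bundle should be a leaf followed by the intermediate(s) that issued it.
A minimal DER walker is enough to read subject, issuer and key algorithm.
"""
import base64
import re

OID_RSA = bytes.fromhex("2a864886f70d010101")   # rsaEncryption
OID_EC = bytes.fromhex("2a8648ce3d0201")        # id-ecPublicKey
OID_CN = bytes.fromhex("550403")                # commonName
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:                          # long form: 0x8N then N length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr += n
    return tag, buf[pos + hdr:pos + hdr + length], pos + hdr + length


def _children(value):
    """All TLVs contained in a SEQUENCE/SET value, in order."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out


def parse_cert(der):
    """Extract the raw issuer/subject Names and the key algorithm of a certificate."""
    fields = _children(_children(_tlv(der)[1])[0][1])   # tbsCertificate fields
    if fields[0][0] == 0xA0:                             # optional [0] EXPLICIT version
        fields = fields[1:]
    issuer, subject, spki = fields[2][1], fields[4][1], fields[5][1]
    alg_oid = _children(_children(spki)[0][1])[0][1]     # AlgorithmIdentifier.algorithm
    return {"subject": subject, "issuer": issuer,
            "key": {OID_RSA: "RSA", OID_EC: "ECDSA"}.get(alg_oid, "other")}


def load_bundle(pem_text):
    """Parse every certificate in a PEM file, in file order."""
    return [parse_cert(base64.b64decode(re.sub(r"\s", "", b64)))
            for b64 in PEM_RE.findall(pem_text)]


def check_bundle(pem_text):
    """Report the leaf key type, chain depth, and every certificate that did not
    issue the one before it (i.e. an unrelated intermediate sitting in the file)."""
    certs = load_bundle(pem_text)
    issues = [f"cert #{i} is not the issuer of cert #{i - 1}"
              for i in range(1, len(certs))
              if certs[i - 1]["issuer"] != certs[i]["subject"]]
    return {"key": certs[0]["key"], "depth": len(certs), "issues": issues}


def pooled_chain_extras(bundles):
    """Model one shared extra chain: every intermediate from every bundle is sent
    with every leaf. Returns [(leaf key type, number of intermediates a client
    would receive that belong to some other leaf's chain)], in bundle order."""
    pool = [c for pem in bundles for c in load_bundle(pem)[1:]]
    result = []
    for pem in bundles:
        chain = load_bundle(pem)
        wanted = {c["issuer"] for c in chain}       # subjects this chain needs
        result.append((chain[0]["key"],
                       sum(1 for c in pool if c["subject"] not in wanted)))
    return result


# --- constructed, unsigned certificate skeletons used only for this demo -------
def _der(tag, payload):
    n = len(payload)
    length = (bytes([n]) if n < 128 else bytes([0x81, n]) if n < 256
              else bytes([0x82]) + n.to_bytes(2, "big"))
    return bytes([tag]) + length + payload


def _name(cn):   # Name ::= SEQUENCE OF SET OF (commonName OID, UTF8String)
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, OID_CN) + _der(0x0C, cn.encode()))))


def fake_cert(subject, issuer, key_oid):
    """PEM of a structurally valid but unsigned certificate (demo data, not real)."""
    sig_alg = _der(0x30, _der(0x06, OID_RSA) + _der(0x05, b""))
    validity = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z"))
    spki = _der(0x30, _der(0x30, _der(0x06, key_oid)) + _der(0x03, b"\x00"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + sig_alg
               + _name(issuer) + validity + _name(subject) + spki)
    der = _der(0x30, tbs + sig_alg + _der(0x03, b"\x00"))
    return f"-----BEGIN CERTIFICATE-----\n{base64.encodebytes(der).decode()}-----END CERTIFICATE-----\n"


# ssl_cert: RSA leaf + RSA intermediate; ssl_alt_cert: ECDSA leaf + ECDSA
# intermediate (the layout Peter expects once ECDSA intermediates exist);
# MIXED_BUNDLE is an ECDSA leaf with the RSA intermediate wrongly appended.
RSA_BUNDLE = fake_cert("mail.example", "Demo RSA CA", OID_RSA) + fake_cert("Demo RSA CA", "Demo Root", OID_RSA)
ECDSA_BUNDLE = fake_cert("mail.example", "Demo ECDSA CA", OID_EC) + fake_cert("Demo ECDSA CA", "Demo Root", OID_EC)
MIXED_BUNDLE = fake_cert("mail.example", "Demo ECDSA CA", OID_EC) + fake_cert("Demo RSA CA", "Demo Root", OID_RSA)

if __name__ == "__main__":
    for label, pem in (("ssl_cert", RSA_BUNDLE), ("ssl_alt_cert", ECDSA_BUNDLE), ("mixed", MIXED_BUNDLE)):
        print(label, check_bundle(pem))
    print("unrelated intermediates per leaf with a shared extra chain:",
          pooled_chain_extras([RSA_BUNDLE, ECDSA_BUNDLE]))
```

With both files sharing one intermediate, as in Peter's current setup, the pooled count is 0 for each leaf even though the client receives it twice; once the two bundles carry different intermediates, each leaf is accompanied by one intermediate that cannot be used to build its chain, which is the breakage Peter anticipates. check_bundle() catches the other case Aki asks about, a file whose second certificate is not the issuer of the first.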