On Mon, May 12, 2014 at 08:44:00PM +0100, SW wrote:

> <quote author="Viktor Dukhovni">
> A work-around is to list all the relevant CAs in the chain files
> for both algorithms. The patches that resolve this for 1.0.2 are
> attached for educational purposes only. They are unlikely to apply
> to 1.0.1 or earlier in isolation, and in any case would be entirely
> untested with 1.0.1 as a base.
> </quote>
>
> So do I need to create a chain cert as follows for each cert (RSA and
> ECDSA):
>
> cat mail.domain.com.ecdsa.crt COMODOECCDomainValidationSecureServerCA.crt \
>     COMODOECCAddTrustCA.crt COMODORSADomainValidationSecureServerCA.crt \
>     COMODORSAAddTrustCA.crt > mail.domain.com.chained.postfix.ecdsa.crt
>
> cat mail.domain.com.sha256.crt COMODOECCDomainValidationSecureServerCA.crt \
>     COMODOECCAddTrustCA.crt COMODORSADomainValidationSecureServerCA.crt \
>     COMODORSAAddTrustCA.crt > mail.domain.com.chained.postfix.sha256.crt
>
> Would this do the trick?
(Why not just try it, first?)

Basically, each chain starts with the leaf cert, and then includes all
the issuers of either for both. The order will no longer be a strict
sequence of subject followed by issuer, but this requirement is
generally not enforced.

When 1.0.2 is finally released, you can return to a saner configuration.

-- 
Viktor.
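The layout the reply describes, as an added example that is not part of the thread and not Postfix or OpenSSL project code: a throwaway two-algorithm PKI is generated with the openssl CLI (one root, an ECDSA and an RSA intermediate, one leaf under each), chain files are written the way the question's cat commands do it (leaf first, then the intermediates of both chains, ECC issuers before RSA issuers), and `openssl verify -untrusted` is used as a stand-in for a peer building a path from the certificates a server sends. The last check shows the failure the work-around avoids: a pool holding only the ECC intermediate cannot chain the RSA leaf. All file names and subject names are hypothetical; the script needs the `openssl` binary and writes into a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the postfix-users thread or from Postfix.
# Builds a throwaway PKI with the openssl CLI (one root, an ECDSA and an RSA
# intermediate, an ECDSA and an RSA leaf), writes chain files in the layout
# described in the reply (leaf first, then the intermediates of BOTH chains,
# mirroring the cat commands in the question), and checks that a verifier
# can still build a path for either leaf from either file.  All file and
# subject names are hypothetical.  Requires the openssl binary.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Extension files: the intermediates need CA:TRUE or the verifier rejects
# them as issuers; the leaves are plain server certificates.
write_ext_files() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=serverAuth\n' \
    > "$WORK/ee.ext"
}

# issue NAME SUBJECT KEY ISSUER_CERT ISSUER_KEY SERIAL EXTFILE
# Makes a CSR for KEY and signs it with the issuer's key into $WORK/NAME.crt.
issue() {
  openssl req -new -key "$WORK/$3" -subj "$2" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$4" -CAkey "$WORK/$5" \
    -set_serial "$6" -days 1 -extfile "$WORK/$7" -out "$WORK/$1.crt" 2>/dev/null
}

build_demo_pki() {
  write_ext_files
  openssl genrsa -out "$WORK/root.key" 2048 2>/dev/null
  openssl genrsa -out "$WORK/int-rsa.key" 2048 2>/dev/null
  openssl genrsa -out "$WORK/leaf-rsa.key" 2048 2>/dev/null
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/int-ec.key"
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/leaf-ec.key"

  # Self-signed root, then one intermediate per algorithm under it.
  openssl req -new -key "$WORK/root.key" -subj "/CN=Example Root" \
    -out "$WORK/root.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -set_serial 1 \
    -days 1 -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null
  issue int-ec   "/CN=Example ECC Intermediate" int-ec.key   root.crt    root.key    2 ca.ext
  issue int-rsa  "/CN=Example RSA Intermediate" int-rsa.key  root.crt    root.key    3 ca.ext
  issue leaf-ec  "/CN=mail.example.com"         leaf-ec.key  int-ec.crt  int-ec.key  4 ee.ext
  issue leaf-rsa "/CN=mail.example.com"         leaf-rsa.key int-rsa.crt int-rsa.key 5 ee.ext

  # The work-around from the thread: each chain file carries its own leaf
  # followed by the intermediates of both chains, in the order the question
  # used (ECC issuers, then RSA issuers).  The RSA file's issuer list is
  # therefore not a strict subject-then-issuer sequence.
  cat "$WORK/leaf-ec.crt"  "$WORK/int-ec.crt" "$WORK/int-rsa.crt" > "$WORK/mail.chained.ecdsa.crt"
  cat "$WORK/leaf-rsa.crt" "$WORK/int-ec.crt" "$WORK/int-rsa.crt" > "$WORK/mail.chained.rsa.crt"
}

# verify_with CHAINFILE LEAF: succeed if LEAF chains to the root using the
# certificates in CHAINFILE as the pool of untrusted issuers, in any order.
# The ": OK" line is checked rather than the exit status, which older
# openssl verify binaries did not set reliably.
verify_with() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/$1" "$WORK/$2" 2>&1 \
    | grep -q ': OK$'
}

demo() {
  build_demo_pki
  for pair in \
      "mail.chained.ecdsa.crt leaf-ec.crt" \
      "mail.chained.rsa.crt leaf-rsa.crt" \
      "mail.chained.ecdsa.crt leaf-rsa.crt" \
      "mail.chained.rsa.crt leaf-ec.crt" \
      "int-ec.crt leaf-rsa.crt"; do
    set -- $pair
    if verify_with "$1" "$2"; then r=ok; else r=FAIL; fi
    printf '%-24s as issuer pool for %-13s -> %s\n' "$1" "$2" "$r"
  done
}

demo
```

The four mixed-file checks pass and only the single-intermediate pool fails, which is the whole point of listing both sets of intermediates in each file. This exercises the certificate layout only; it does not run Postfix or the 1.0.1 extra-chain code path the patches address, and `openssl verify` is more permissive about ordering than some TLS clients, so a live `openssl s_client -showcerts` against the server is still the test that matters.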