Ok, so I have tried:
cat mail.domain.com.ecdsa.crt COMODOECCDomainValidationSecureServerCA.crt \
    COMODOECCAddTrustCA.crt \
    /support/certs/sha256/COMODORSADomainValidationSecureServerCA.crt \
    /support/certs/sha256/COMODORSAAddTrustCA.crt \
    > mail.domain.com.chained.postfix.ecdsa_2.crt
cat mail.domain.com.sha256.crt COMODORSADomainValidationSecureServerCA.crt \
    COMODORSAAddTrustCA.crt \
    /support/certs/ecdsa/COMODOECCDomainValidationSecureServerCA.crt \
    /support/certs/ecdsa/COMODOECCAddTrustCA.crt \
    > mail.domain.com.chained.postfix.sha256_2.crt
And this seems to have done the trick! Running:
openssl s_client -connect mail.domain.com:25 -crlf -starttls smtp -CAfile /usr/local/openssl/certs/AddTrustExternalCARoot.crt
returns:
Verify return code: 0 (ok)
The output looks as follows now:
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = mail.domain.com
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=mail.domain.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Certification Authority
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 3 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
 4 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Unfortunately I don't know of any email servers I can email as a test to
see if the ECDSA cert is working 100%.
But I think this issue is resolved?
On 12/05/2014 21:16, Viktor Dukhovni wrote:
On Mon, May 12, 2014 at 08:44:00PM +0100, SW wrote:
<quote author="Viktor Dukhovni">
A work-around is to list all the relevant CAs in the chain files
for both algorithms. The patches that resolve this for 1.0.2 are
attached for educational purposes only. They are unlikely to apply
to 1.0.1 or earlier in isolation, and in any case would be entirely
untested with 1.0.1 as a base.
</quote>
So do I need to create a chain cert as follows for each cert (RSA and
ECDSA):
cat mail.domain.com.ecdsa.crt COMODOECCDomainValidationSecureServerCA.crt \
    COMODOECCAddTrustCA.crt COMODORSADomainValidationSecureServerCA.crt \
    COMODORSAAddTrustCA.crt > mail.domain.com.chained.postfix.ecdsa.crt
cat mail.domain.com.sha256.crt COMODOECCDomainValidationSecureServerCA.crt \
    COMODOECCAddTrustCA.crt COMODORSADomainValidationSecureServerCA.crt \
    COMODORSAAddTrustCA.crt > mail.domain.com.chained.postfix.sha256.crt
Would this do the trick?
(Why not just try it, first?)
Basically, each chain starts with the leaf cert, and then includes
all the issuers of either for both. The order will no longer be
a strict sequence of subject followed by issuer, but this requirement
is generally not enforced.
When 1.0.2 is finally released, you can return to a saner configuration.
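Added example, written for this page and not part of the thread: a small POSIX shell script that lists what a concatenated chain file like the ones above actually contains, and checks offline with openssl verify that each leaf reaches the AddTrust root through that file before it is handed to Postfix. The file names in the usage comments are the ones used in the thread and are assumed.

```shell
#!/bin/sh
# Added example, not from this thread: inspect a concatenated Postfix chain
# file and confirm a leaf certificate chains to the trusted root through it.
# File names in the usage lines below are assumed; chain_summary and
# verify_leaf need the openssl CLI, split_bundle is pure awk.

# Split a PEM bundle into $2/cert-1.pem, cert-2.pem, ... and print the count.
split_bundle() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END { print n + 0 }
    ' "$bundle"
}

# Print subject and issuer of every certificate in file order. With a mixed
# RSA/ECDSA bundle the order is not subject-then-issuer; this shows what is there.
chain_summary() {
    dir=$(mktemp -d)
    count=$(split_bundle "$1" "$dir")
    i=1
    while [ "$i" -le "$count" ]; do
        printf '%d: ' "$i"
        openssl x509 -in "$dir/cert-$i.pem" -noout -subject -issuer | tr '\n' ' '
        echo
        i=$((i + 1))
    done
    rm -rf "$dir"
}

# Verify LEAF against ROOT using only the certificates in BUNDLE as untrusted
# intermediates. Exit status 0 means the bundle carries a full path for that leaf.
verify_leaf() {
    root=$1; bundle=$2; leaf=$3
    openssl verify -CAfile "$root" -untrusted "$bundle" "$leaf"
}

# Usage with the (assumed) file names from the thread, once per leaf:
# chain_summary mail.domain.com.chained.postfix.ecdsa_2.crt
# verify_leaf AddTrustExternalCARoot.crt mail.domain.com.chained.postfix.ecdsa_2.crt mail.domain.com.ecdsa.crt
# verify_leaf AddTrustExternalCARoot.crt mail.domain.com.chained.postfix.sha256_2.crt mail.domain.com.sha256.crt
```

Run verify_leaf once for the RSA leaf and once for the ECDSA leaf against the same bundle; both must return 0 for the work-around to cover both key types.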