On Mon, May 12, 2014 at 09:39:39PM +0100, SW wrote:
> And this seems to have done the trick! Running:
>
> openssl s_client -connect mail.domain.com:25 -crlf -starttls smtp -CAfile /usr/local/openssl/certs/AddTrustExternalCARoot.crt
>
> returns:
>
> Verify return code: 0 (ok)
This results in extraneous certificates in the chain, but likely works for most TLS clients. Unfortunately, there's nothing else you can do if you need to support multiple key algorithms. For most users, it is probably best to delay rolling out multiple key algorithms until OpenSSL 1.0.2 or later is deployed.

-- 
Viktor.
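An added helper, not part of the thread, that wraps the STARTTLS check above and reads two things out of the `openssl s_client` output: the numeric verify return code and how many certificates the server sent, so a concatenated multi-algorithm chain with extra entries is visible at a glance. The host name and CA path are placeholders; the sample output is constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Parses `openssl s_client` output to report
# the verify result and the chain length; host/port/CA file are assumptions.

# Extract the numeric "Verify return code" from s_client output read on stdin.
verify_code() {
  sed -n 's/^Verify return code: \([0-9]*\).*/\1/p' | head -n 1
}

# Count entries in the "Certificate chain" section (one " N s:" subject line each).
# A server serving a concatenated RSA+ECDSA chain will show more than expected.
chain_length() {
  awk '/^Certificate chain/ {inchain=1; next}
       /^---/ {inchain=0}
       inchain && /^ *[0-9]+ s:/ {n++}
       END {print n+0}'
}

# Run the STARTTLS SMTP check from the thread and print both values.
# Usage: check_starttls mail.example.com 25 /path/to/ca-root.crt
check_starttls() {
  out=$(openssl s_client -connect "$1:$2" -crlf -starttls smtp -CAfile "$3" </dev/null 2>/dev/null)
  code=$(printf '%s\n' "$out" | verify_code)
  depth=$(printf '%s\n' "$out" | chain_length)
  echo "verify=$code chain_certs=$depth"
  [ "$code" = "0" ]
}

# Constructed, abridged s_client output for offline use: a chain with an extra
# leaf appended (the "extraneous certificate" case) but a clean verify result.
SAMPLE_OUTPUT='CONNECTED(00000003)
depth=2 C = SE, O = AddTrust AB, CN = AddTrust External CA Root
verify return:1
---
Certificate chain
 0 s:/CN=mail.example.com
   i:/CN=Intermediate CA
 1 s:/CN=Intermediate CA
   i:/CN=AddTrust External CA Root
 2 s:/CN=mail.example.com
   i:/CN=Intermediate ECC CA
---
Server certificate
---
Verify return code: 0 (ok)
---'
```

Run `printf '%s\n' "$SAMPLE_OUTPUT" | chain_length` to see the count (3) for the constructed sample, or `check_starttls` against a real server.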