thr3ads.net - dovecot - Extra intermediate certificate when using ssl_alt

If this information is useful, please help other people find it:
Share via:

Peter Linss

2018-Mar-08 17:43 UTC

Extra intermediate certificate when using ssl_alt_cert

I just added an ECDSA certificate to my mail server using ssl_alt_cert (the RSA
certificate is specified by ssl_cert), both certificate files contain the
certificate and a single intermediate (which currently happens to be the same
intermediate from Let?s Encrypt).

When connecting to the server using either RSA or ECDSA ciphers, the server
sends the proper certificate, but also sends two intermediates. Apparently it?s
reading the intermediate from both files and using both for all situations,
rather than using only the intermediate in the RSA file for RSA certificates,
and the intermediate in the ECDSA file for ECDSA certificates. I expect this
will be a bigger problem when Let?s Encrypt starts using ECDSA intermediates.

Removing the intermediate from the ssl_alt_cert file solves the problem (but
then doesn?t allow an ECDSA intermediate to be specified).

Configuration:
# 2.2.34 (874deae): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.22 (22940fb7)
# OS: Linux 4.14.17-x86_64-linode99 x86_64 Debian 9.3 ext4
# Hostname: [redacted]
auth_mechanisms = plain login
listen = [ipv4 redacted], [ipv6 redacted]
mail_location = maildir:/var/mail/vhosts/%d/%n
mail_privileged_group = mail
namespace inbox {
  inbox = yes
  location = 
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix = 
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
protocols = imap lmtp
service auth-worker {
  user = vmail
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
  }
  user = dovecot
}
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
ssl = required
ssl_alt_cert = </etc/ssl/certs/mail.[redacted].ecdsa.pem
ssl_alt_key = </etc/ssl/private/[redacted].ecdsa.key
ssl_cert = </etc/ssl/certs/mail.[redacted].rsa.pem
ssl_key =  </etc/ssl/private/[redacted].rsa.key
ssl_cipher_list =
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:kEDH+CAMELLIA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!DES-CBC3-SHA
ssl_dh_parameters_length = 4096
ssl_prefer_server_ciphers = yes
userdb {
  args = uid=vmail gid=vmail home=/var/vmail/vhosts/%d/%n
  driver = static
}
userdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}

John Fawcett

2018-Mar-10 12:49 UTC

head link

Extra intermediate certificate when using ssl_alt_cert

On 08/03/18 18:43, Peter Linss wrote:> I just added an ECDSA certificate to my mail server using ssl_alt_cert (the
RSA certificate is specified by ssl_cert), both certificate files contain the
certificate and a single intermediate (which currently happens to be the same
intermediate from Let?s Encrypt).
>
> When connecting to the server using either RSA or ECDSA ciphers, the server
sends the proper certificate, but also sends two intermediates. Apparently it?s
reading the intermediate from both files and using both for all situations,
rather than using only the intermediate in the RSA file for RSA certificates,
and the intermediate in the ECDSA file for ECDSA certificates. I expect this
will be a bigger problem when Let?s Encrypt starts using ECDSA intermediates.
>
> Removing the intermediate from the ssl_alt_cert file solves the problem
(but then doesn?t allow an ECDSA intermediate to be specified).
I believe that supplying multiple unrelated intermediate certificates is
an incorrect behaviour, though I don't know if this is a problem that
can be solved in Dovecot or has to be addressed in openssl itself.

Do you get any issue in certificate validation in the client?

John

Aki Tuomi

2018-Mar-10 13:06 UTC

head link

Extra intermediate certificate when using ssl_alt_cert

<!doctype html>
<html>
 <head> 
  <meta charset="UTF-8"> 
 </head>
 <body>
  <div>
   <br>
  </div>
  <blockquote type="cite">
   <div>
    On 10 March 2018 at 14:49 John Fawcett <
    <a
href="mailto:john@voipsupport.it">john@voipsupport.it</a>>
wrote:
   </div>
   <div>
    <br>
   </div>
   <div>
    <br>
   </div>
   <div>
    On 08/03/18 18:43, Peter Linss wrote:
   </div>
   <blockquote type="cite">
    <div>
     I just added an ECDSA certificate to my mail server using ssl_alt_cert (the
RSA certificate is specified by ssl_cert), both certificate files contain the
certificate and a single intermediate (which currently happens to be the same
intermediate from Let’s Encrypt).
    </div>
   </blockquote>
   <blockquote type="cite">
    <div>
     When connecting to the server using either RSA or ECDSA ciphers, the server
sends the proper certificate, but also sends two intermediates. Apparently it’s
reading the intermediate from both files and using both for all situations,
rather than using only the intermediate in the RSA file for RSA certificates,
and the intermediate in the ECDSA file for ECDSA certificates. I expect this
will be a bigger problem when Let’s Encrypt starts using ECDSA intermediates.
    </div>
   </blockquote>
   <blockquote type="cite">
    <div>
     Removing the intermediate from the ssl_alt_cert file solves the problem
(but then doesn’t allow an ECDSA intermediate to be specified).
    </div>
   </blockquote>
   <div>
    I believe that supplying multiple unrelated intermediate certificates is
   </div>
   <div>
    an incorrect behaviour, though I don't know if this is a problem that
   </div>
   <div>
    can be solved in Dovecot or has to be addressed in openssl itself.
   </div>
   <div>
    <br>
   </div>
   <div>
    Do you get any issue in certificate validation in the client?
   </div>
   <div>
    <br>
   </div>
   <div>
    John
   </div>
  </blockquote>
  <div>
   <br>
  </div>
  <div>
   You sure your cert file does not contain unrelated certificates?
  </div>
  <div class="io-ox-signature">
   ---
   <br>Aki Tuomi
  </div> 
 </body>
</html>

Apparently Analagous Threads

Search for more apparently analagous threads

dovecot - Mar 2018 - Extra intermediate certificate when using ssl_alt_cert

Extra intermediate certificate when using ssl_alt_cert

Extra intermediate certificate when using ssl_alt_cert

Extra intermediate certificate when using ssl_alt_cert

Apparently Analagous Threads