You forgot to cc the list.

ssl_ca is used only for validating client certificates.

---
Aki Tuomi
Dovecot oy

-------- Original message --------
From: Marc Perkel <marc at perkel.com>
Date: 21/05/2018 18:25 (GMT+02:00)
To: Aki Tuomi <aki.tuomi at dovecot.fi>
Subject: Re: SSL error after upgrading to 2.31

On 05/21/2018 07:54 AM, Aki Tuomi wrote:
> Does ssl_cert file contain intermediates?

No - but the ssl_ca does.

> ---
> Aki Tuomi
> Dovecot oy
>
> -------- Original message --------
> From: Marc Perkel <marc at perkel.com>
> Date: 21/05/2018 16:32 (GMT+02:00)
> To: dovecot at dovecot.org
> Subject: SSL error after upgrading to 2.31
>
> After upgrading to 2.31 I'm getting this error. Not sure what I'm doing wrong.
>
> No (No signatures could be verified because the chain contains only one certificate and it is not self signed.)
>
> ssl = yes
> ssl_cert = </etc/exim/certs/ctyme.com.crt
> ssl_key = </etc/exim/certs/ctyme.com.key
> ssl_ca = </etc/exim/certs/ca.crt
>
> local mail.ctyme.com {
>   protocol imap {
>     ssl_cert = </etc/exim/certs/ctyme.com.crt
>     ssl_key = </etc/exim/certs/ctyme.com.key
>     ssl_ca = </etc/exim/certs/ca.crt
>   }
>   protocol pop3 {
>     ssl_cert = </etc/exim/certs/ctyme.com.crt
>     ssl_key = </etc/exim/certs/ctyme.com.key
>     ssl_ca = </etc/exim/certs/ca.crt
>   }
> }
>
> local mail.junkemailfilter.com {
>   protocol imap {
>     ssl_cert = </etc/exim/certs/junkemailfilter.com.crt
>     ssl_key = </etc/exim/certs/junkemailfilter.com.key
>     ssl_ca = </etc/exim/certs/ca.crt
>   }
>   protocol pop3 {
>     ssl_cert = </etc/exim/certs/junkemailfilter.com.crt
>     ssl_key = </etc/exim/certs/junkemailfilter.com.key
>     ssl_ca = </etc/exim/certs/ca.crt
>   }
> }
On 05/21/18 17:55, Aki Tuomi wrote:
> ssl_ca is used only for validating client certificates.

But it was used (though not documented, IIRC) for validating server certs, too. Since intermediate CA certs are usually valid a lot longer than the server certs, having to concat the certs is awkward, at best.

I would very much like to see the pre-2.3 behaviour of "ssl_ca" restored.

Cheerio,
hauke

--
The ASCII Ribbon Campaign
Hauke Fath                         ()     No HTML/RTF in email
Institut für Nachrichtentechnik    /\     No Word docs in email
TU Darmstadt                              Respect for open standards
Ruf +49-6151-16-21344
On 28.05.2018 12:06, Hauke Fath wrote:
> On 05/21/18 17:55, Aki Tuomi wrote:
>> ssl_ca is used only for validating client certificates.
>
> But it was used (though not documented, IIRC) for validating server
> certs, too. Since intermediate CA certs are usually valid a lot longer
> than the server certs, having to concat the certs is awkward, at best.
>
> I would very much like to see the pre-2.3 behaviour of "ssl_ca" restored.
>
> Cheerio,
> hauke
>

As far as I know, it has never worked as a replacement for adding the chain to the cert file.

Aki
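As an added example (not from the thread or the Dovecot project) of the check Aki's answer implies: build the leaf-plus-intermediate file that ssl_cert should point at and confirm that OpenSSL can verify it from its own contents, while the leaf alone cannot. It assumes openssl and a POSIX shell; the throwaway PKI, names and paths are all constructed.

```shell
# Added example, not from the thread: check whether a file used as Dovecot ssl_cert
# carries its intermediates (leaf first), as 2.3 needs; ssl_ca does not stand in.
set -eu

# Number of PEM certificate blocks in a file; 1 means the leaf alone.
pem_cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Return 0 if OpenSSL can build a path from the file's own contents to the
# trusted root in $2, i.e. the file is usable as ssl_cert with intermediates.
chain_verifies() {
    leaf=$(mktemp); rest=$(mktemp)
    awk '/^-----BEGIN CERTIFICATE-----/{n++} n==1' "$1" > "$leaf"   # first block
    awk '/^-----BEGIN CERTIFICATE-----/{n++} n>1'  "$1" > "$rest"   # the rest
    if [ -s "$rest" ]; then
        openssl verify -CAfile "$2" -untrusted "$rest" "$leaf" >/dev/null 2>&1
    else
        openssl verify -CAfile "$2" "$leaf" >/dev/null 2>&1
    fi
    rc=$?
    rm -f "$leaf" "$rest"
    return $rc
}

# Constructed throwaway PKI (root -> intermediate -> leaf) for the demo only;
# names and paths are made up, not the thread's /etc/exim/certs files.
make_test_pki() {
    printf 'basicConstraints=CA:TRUE\n' > "$1/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj /CN=DemoRoot \
        -keyout "$1/root.key" -out "$1/root.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj /CN=DemoIntermediate \
        -keyout "$1/int.key" -out "$1/int.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$1/int.csr" -CA "$1/root.crt" -CAkey "$1/root.key" \
        -CAcreateserial -extfile "$1/ca.ext" -out "$1/int.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj /CN=mail.example.test \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$1/leaf.csr" -CA "$1/int.crt" -CAkey "$1/int.key" \
        -CAcreateserial -out "$1/leaf.crt" 2>/dev/null
    cat "$1/leaf.crt" "$1/int.crt" > "$1/chain.crt"   # what ssl_cert should point at
}

if command -v openssl >/dev/null 2>&1; then
    d=$(mktemp -d); make_test_pki "$d"
    for f in leaf.crt chain.crt; do
        if chain_verifies "$d/$f" "$d/root.crt"; then s=verifies; else s="does not verify"; fi
        echo "$f: $(pem_cert_count "$d/$f") cert(s), $s"
    done
    rm -rf "$d"
fi
```

Pointing ssl_cert at chain.crt rather than leaf.crt is the change Aki's reply asks for; ssl_ca stays reserved for client-certificate validation.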