dovecot - Nov 2018 - dovecot 2.2/openssl 1.0 vs dovecot 2.3/openssl 1.1.1 ssl regression

Hi.

I'm considering dovecot migration from 2.2.36 run with openssl 1.0.2o to
dovecot 2.3.3 run with openssl 1.1.1.

Currently I have both variants running with identical configs and certs
(the only differences are due to config syntax changes in dovecot 2.3),
so for example on both I have:

ssl_ca = </etc/openssl/certs/wildcard_ca.pem
(this file contains single intermediate certificate of my CA)

ssl_cert = </etc/openssl/certs/wildcard_crt.pem
(this contains single cerificate for my *.example.com domain)

ssl_key =  # hidden, use -P to show it
(and one key)

No alt certs in use.

Chain is:
- CA trusted by clients (this certificate isn't provided by my dovecot,
it's not needed)
- wildcard_ca.pem - intermediate CA
- wildcard_crt.pem - wildcard certificate for my *.example.com domain



dovecot 2.2.36 behaviour is to provide wildcard_ca.pem and
wildcard_crt.pem to the client - that behaviour is OK. Client has full
trust chain.

dovecot 2.3.3 provides only wildcard_crt.pem certificate to the client
which is a big problem because missing wildcard_ca.pem (intermediate
certificate) breaks chain and client is not able to verify trust chain.

Testing is done with simple:

openssl s_client -connect my.example.com:143 -starttls imap -servername
my.example.com -showcerts


2.3.x announcements and upgrade wiki mention no such behaviour change,
so I assume it is a regression.

Now doing
cat wildcard_ca.pem >> wildcard_crt.pem
solves the problem and dovecot starts providing both certs to clients
but if that's the proper way of solving this issue then what's the point
of having ssl_ca config setting?

Ideas?

-- 
Arkadiusz Mi?kiewicz, arekm / ( maven.pl | pld-linux.org )

<!doctype html>
<html>
 <head> 
  <meta charset="UTF-8"> 
 </head>
 <body>
  <div>
   <br>
  </div>
  <blockquote type="cite">
   <div>
    On 13 November 2018 at 20:53 Arkadiusz Miśkiewicz <
    <a href="mailto:arekm@maven.pl">arekm@maven.pl</a>>
wrote:
   </div>
   <div>
    <br>
   </div>
   <div>
    <br>
   </div>
   <div>
    Hi.
   </div>
   <div>
    <br>
   </div>
   <div>
    I'm considering dovecot migration from 2.2.36 run with openssl 1.0.2o to
   </div>
   <div>
    dovecot 2.3.3 run with openssl 1.1.1.
   </div>
   <div>
    <br>
   </div>
   <div>
    Currently I have both variants running with identical configs and certs
   </div>
   <div>
    (the only differences are due to config syntax changes in dovecot 2.3),
   </div>
   <div>
    so for example on both I have:
   </div>
   <div>
    <br>
   </div>
   <div>
    ssl_ca = </etc/openssl/certs/wildcard_ca.pem
   </div>
   <div>
    (this file contains single intermediate certificate of my CA)
   </div>
   <div>
    <br>
   </div>
   <div>
    ssl_cert = </etc/openssl/certs/wildcard_crt.pem
   </div>
   <div>
    (this contains single cerificate for my *.example.com domain)
   </div>
   <div>
    <br>
   </div>
   <div>
    ssl_key = # hidden, use -P to show it
   </div>
   <div>
    (and one key)
   </div>
   <div>
    <br>
   </div>
   <div>
    No alt certs in use.
   </div>
   <div>
    <br>
   </div>
   <div>
    Chain is:
   </div>
   <div>
    - CA trusted by clients (this certificate isn't provided by my dovecot,
   </div>
   <div>
    it's not needed)
   </div>
   <div>
    - wildcard_ca.pem - intermediate CA
   </div>
   <div>
    - wildcard_crt.pem - wildcard certificate for my *.example.com domain
   </div>
   <div>
    <br>
   </div>
   <div>
    <br>
   </div>
   <div>
    <br>
   </div>
   <div>
    dovecot 2.2.36 behaviour is to provide wildcard_ca.pem and
   </div>
   <div>
    wildcard_crt.pem to the client - that behaviour is OK. Client has full
   </div>
   <div>
    trust chain.
   </div>
   <div>
    <br>
   </div>
   <div>
    dovecot 2.3.3 provides only wildcard_crt.pem certificate to the client
   </div>
   <div>
    which is a big problem because missing wildcard_ca.pem (intermediate
   </div>
   <div>
    certificate) breaks chain and client is not able to verify trust chain.
   </div>
   <div>
    <br>
   </div>
   <div>
    Testing is done with simple:
   </div>
   <div>
    <br>
   </div>
   <div>
    openssl s_client -connect my.example.com:143 -starttls imap -servername
   </div>
   <div>
    my.example.com -showcerts
   </div>
   <div>
    <br>
   </div>
   <div>
    <br>
   </div>
   <div>
    2.3.x announcements and upgrade wiki mention no such behaviour change,
   </div>
   <div>
    so I assume it is a regression.
   </div>
   <div>
    <br>
   </div>
   <div>
    Now doing
   </div>
   <div>
    cat wildcard_ca.pem >> wildcard_crt.pem
   </div>
   <div>
    solves the problem and dovecot starts providing both certs to clients
   </div>
   <div>
    but if that's the proper way of solving this issue then what's the
point
   </div>
   <div>
    of having ssl_ca config setting?
   </div>
   <div>
    <br>
   </div>
   <div>
    Ideas?
   </div>
   <div>
    <br>
   </div>
   <div>
    --
   </div>
   <div>
    Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )
   </div>
  </blockquote>
  <div>
   Including ssl_ca with cert is not actually a good idea, but perhaps this
should indeed be mentioned in the upgrading page. Not a regression in any case.
  </div>
  <div class="io-ox-signature">
   ---
   <br>Aki Tuomi
  </div> 
 </body>
</html>

On 11/13/18 19:58, Aki Tuomi wrote:
> On 13 November 2018 at 20:53 Arkadiusz Mi?kiewicz wrote:
>> I'm considering dovecot migration from 2.2.36 run with openssl
1.0.2o to
>> dovecot 2.3.3 run with openssl 1.1.1.
>>
>> Currently I have both variants running with identical configs and certs
>> (the only differences are due to config syntax changes in dovecot 2.3),
>> so for example on both I have:
>>
>> ssl_ca = </etc/openssl/certs/wildcard_ca.pem
>> (this file contains single intermediate certificate of my CA)
>>
>> ssl_cert = </etc/openssl/certs/wildcard_crt.pem
>> (this contains single cerificate for my *.example.com domain)
[dovecot 2.3+ does not provide intermediate CA cert to clients any more]
>> 2.3.x announcements and upgrade wiki mention no such behaviour change,
>> so I assume it is a regression.
>>
>> Now doing
>> cat wildcard_ca.pem >> wildcard_crt.pem
>> solves the problem and dovecot starts providing both certs to clients
>> but if that's the proper way of solving this issue then what's
the point
>> of having ssl_ca config setting?
 >
> Including ssl_ca with cert is not actually a good idea, but perhaps this
should
> indeed be mentioned in the upgrading page. Not a regression in any case.
Aki,

when I brought up this very issue in 
<https://dovecot.org/list/dovecot/2018-January/110638.html> ff., you 
told me that "ssl_ca", despite the name, was for client certificates 
only, and that I was supposed to append the CA certificate(s) to the 
server certificate file.

I am glad to hear you consider this a bad idea now.  ;)

Cheerio,
Hauke

-- 
      The ASCII Ribbon Campaign                    Hauke Fath
()     No HTML/RTF in email	        Institut f?r Nachrichtentechnik
/\     No Word docs in email                     TU Darmstadt
      Respect for open standards              Ruf +49-6151-16-21344