On 08.07.2017 at 23:10, Heiko Schlittermann wrote:
> As it seems, Pigeonhole sends you the full cert chain:
>
>> *** Starting TLS handshake
>> - Certificate type: X.509
>> - Got a certificate list of 3 certificates.
>> - Certificate[0] info:
>> - subject `C=DE,ST=Baden-Wuerttemberg,L=Ettlingen,O=NOVA Elektroanlagen
> ...
>> - Certificate[2] info:
>> - subject `C=DE,ST=Baden-Wuerttemberg,L=Ettlingen,O=NOVA Elektroanlagen
>> GmbH,OU=NOVA Root CA,CN=NOVA Root CA', issuer
>
> The last one being the CA used.
>
>> SHA-1 fingerprint `95326e3ff12683cc40a85874d562d0a6f15dcb37'
>> - Status: The certificate is NOT trusted. The certificate issuer is unknown.
>> *** PKI verification of server certificate failed...
>> *** Fatal error: Err

It is wrong to send the root CA along with the intermediate and server certificates. The root CA cert must be in the CA trust bundle of the client.

Alexander
Alexander Dalloz <ad+lists at uni-x.org> (Sun 09 Jul 2017 13:14:56 CEST):
> It is wrong to send the root CA along with the intermediate and server
> certificates. The root CA cert must be in the CA trust bundle of the client.

I wouldn't say it is wrong. But it should be useless, as the client won't trust the root CA it received. The client should trust only its copy of the root CA.

Best regards from Dresden/Germany
Heiko Schlittermann
-- 
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --------------- key ID: F69376CE -
! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
But if it won't trust that copy, that invalidates the chain, right?

On Sun, Jul 9, 2017 at 9:48 AM Heiko Schlittermann <hs at schlittermann.de> wrote:
> Alexander Dalloz <ad+lists at uni-x.org> (Sun 09 Jul 2017 13:14:56 CEST):
> > It is wrong to send the root CA along with the intermediate and server
> > certificates. The root CA cert must be in the CA trust bundle of the
> client.
>
> I wouldn't say it is wrong. But it should be useless, as the client
> won't trust the root CA it received. The client should trust only its
> copy of the root CA.
>
> Best regards from Dresden/Germany
> Heiko Schlittermann
> --
> SCHLITTERMANN.de ---------------------------- internet & unix support -
> Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
> gnupg encrypted messages are welcome --------------- key ID: F69376CE -
> ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
>
On 10/07/17 04:48, Heiko Schlittermann wrote:
> Alexander Dalloz <ad+lists at uni-x.org> (Sun 09 Jul 2017 13:14:56 CEST):
>> It is wrong to send the root CA along with the intermediate and server
>> certificates. The root CA cert must be in the CA trust bundle of the client.
>
> I wouldn't say it is wrong. But it should be useless, as the client
> won't trust the root CA it received. The client should trust only its
> copy of the root CA.

I've seen clients that invalidate if you send the root along with the rest of the chain.

I've seen ssllabs lower a server's grade because it had a chain like this:

Root A -> Root B -> intermediate -> server cert ... ...

Where both Root A and Root B are in the browser's trusted bundle, but Root A signed Root B with an SHA1 hash and Root B signed the intermediate with an SHA256 hash, so if you returned Root B and the intermediate as chain certs you got a lower grade because of the SHA1 sig, but if you just passed the intermediate it was fine.

In short, it may work some of the time or most of the time to pass the root cert, but there will be edge cases where it will fail. It's safest to not pass the root cert.

Peter
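As an added example (not code from the thread, nor from Dovecot or Pigeonhole), the shell script below builds a disposable Root -> Intermediate -> server chain with the openssl command line and then runs the verification the way a client would. It illustrates Heiko's point that only the client's own copy of the root is a trust anchor, and Peter's advice to leave the root out of the bundle the server sends. It assumes an OpenSSL 1.1.0 or newer CLI, awk and mktemp; every name in it (Example Root CA, imap.example.test, the file names) is made up for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: build a throw-away Root -> Intermediate -> server
# chain with the openssl CLI (OpenSSL >= 1.1.0 assumed), then verify the server cert
# as a client would, with and without the root in the served bundle.
# All names below are made up for this demo. Files are left in $WORK for inspection.
set -e

WORK=$(mktemp -d)
cd "$WORK"

# --- Root CA (self-signed). A real client has this in its own trust bundle. ---
openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -sha256 \
  -subj "/CN=Example Root CA" -keyout root.key -out root.csr 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
openssl x509 -req -in root.csr -signkey root.key -days 30 -sha256 \
  -extfile root.ext -out root.pem 2>/dev/null

# --- Intermediate CA, signed by the root. ---
openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -sha256 \
  -subj "/CN=Example Intermediate CA" -keyout inter.key -out inter.csr 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 30 -sha256 -extfile inter.ext -out inter.pem 2>/dev/null

# --- Server (IMAP) certificate, signed by the intermediate. ---
openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -sha256 \
  -subj "/CN=imap.example.test" -keyout server.key -out server.csr 2>/dev/null
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:imap.example.test\n' > server.ext
openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 30 -sha256 -extfile server.ext -out server.pem 2>/dev/null

# Two candidate bundles a server could hand out in the TLS handshake
# (what a Dovecot ssl_cert setting would point at):
cat server.pem inter.pem          > chain_no_root.pem    # recommended
cat server.pem inter.pem root.pem > chain_with_root.pem  # root tacked on

# Number of PEM certificates in a bundle.
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Does the bundle end in a root, i.e. is its last certificate self-issued
# (subject == issuer)? Quick offline check for "am I sending the root?".
last_cert_is_root() {
  last=$(awk '/BEGIN CERTIFICATE/ { buf = "" } { buf = buf $0 "\n" } END { printf "%s", buf }' "$1")
  subj=$(printf '%s\n' "$last" | openssl x509 -noout -subject)
  iss=$(printf '%s\n' "$last" | openssl x509 -noout -issuer)
  [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Client-side verification: $1 = trust anchors the CLIENT holds ("" = none),
# $2 = the bundle the SERVER sent; openssl treats it as untrusted chain material,
# exactly as a TLS client treats the certificate list in the handshake.
verify_as_client() {
  if [ -n "$1" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" "$WORK/server.pem" >/dev/null 2>&1
  else
    openssl verify -no-CAfile -no-CApath -untrusted "$2" "$WORK/server.pem" >/dev/null 2>&1
  fi
}

echo "certs in chain_no_root.pem:   $(count_certs chain_no_root.pem)"
echo "certs in chain_with_root.pem: $(count_certs chain_with_root.pem)"
last_cert_is_root chain_with_root.pem && echo "chain_with_root.pem ends in a self-issued (root) certificate"

# 1. Client holds the root, server sends leaf + intermediate: verifies.
verify_as_client root.pem chain_no_root.pem   && echo "1. trusted root, chain without root: OK"
# 2. Client holds the root, server also sends the root: still verifies; the sent copy is ignored.
verify_as_client root.pem chain_with_root.pem && echo "2. trusted root, chain with root:    OK (sent root ignored)"
# 3. Client has NO copy of the root, server sends it in the chain: fails regardless.
verify_as_client ""       chain_with_root.pem || echo "3. no trusted root, chain with root: FAIL (a sent root is never a trust anchor)"
```

Case 2 and case 3 together are the thread's point: the root in the served bundle neither helps nor (with openssl) hurts, because the verifier only accepts anchors from its own store. Peter's SHA-1 cross-sign example is the reason to avoid case 2 anyway, since a client or scanner may evaluate the extra signature you sent instead of the path it would have built itself. To run the same check against a live server, feed the output of `openssl s_client -showcerts` to `last_cert_is_root` instead of the constructed bundle.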