On 10 March 2018 at 16:05 Aki Tuomi <aki.tuomi at dovecot.fi> wrote:

> On 10 March 2018 at 15:20 John Fawcett <john at voipsupport.it> wrote:
>
>> On 10/03/18 14:06, Aki Tuomi wrote:
>>
>>> On 10 March 2018 at 14:49 John Fawcett <john at voipsupport.it> wrote:
>>>
>>>> On 08/03/18 18:43, Peter Linss wrote:
>>>>> I just added an ECDSA certificate to my mail server using
>>>>> ssl_alt_cert (the RSA certificate is specified by ssl_cert), both
>>>>> certificate files contain the certificate and a single intermediate
>>>>> (which currently happens to be the same intermediate from Let's
>>>>> Encrypt).
>>>>> When connecting to the server using either RSA or ECDSA ciphers, the
>>>>> server sends the proper certificate, but also sends two
>>>>> intermediates. Apparently it's reading the intermediate from both
>>>>> files and using both for all situations, rather than using only the
>>>>> intermediate in the RSA file for RSA certificates, and the
>>>>> intermediate in the ECDSA file for ECDSA certificates. I expect this
>>>>> will be a bigger problem when Let's Encrypt starts using ECDSA
>>>>> intermediates.
>>>>> Removing the intermediate from the ssl_alt_cert file solves the
>>>>> problem (but then doesn't allow an ECDSA intermediate to be specified).
>>>>
>>>> I believe that supplying multiple unrelated intermediate certificates is
>>>> an incorrect behaviour, though I don't know if this is a problem that
>>>> can be solved in Dovecot or has to be addressed in openssl itself.
>>>>
>>>> Do you get any issue in certificate validation in the client?
>>>>
>>>> John
>>>
>>> You sure your cert file does not contain unrelated certificates?
>>> ---
>>> Aki Tuomi
>>
>> Aki
>>
>> I'll leave Peter to respond about his cert files, but in the test I did,
>> the ssl_cert and ssl_alt_cert each contained the server cert and
>> the next cert in the chain. However, both intermediates were supplied
>> whether using RSA or ECDSA.
>>
>> John

I can confirm this behaviour. We'll look into it.

Aki


On 10 March 2018 at 16:53 Aki Tuomi <aki.tuomi at dovecot.fi> wrote:

> On 10 March 2018 at 16:05 Aki Tuomi <aki.tuomi at dovecot.fi> wrote:
>
>> I can confirm this behaviour. We'll look into it.
>>
>> Aki

This appears to be slightly too difficult to fix for OpenSSL 1.0.0, but we can fix this for 1.0.2 and later in the next release.

Aki


Aki Tuomi <aki.tuomi at dovecot.fi> wrote:

> On 10 March 2018 at 16:53 Aki Tuomi <aki.tuomi at dovecot.fi> wrote:
>
>> This appears to be slightly too difficult to fix for OpenSSL 1.0.0, but we can fix this for 1.0.2 and later in the next release.
>>
>> Aki

Sorry, target release 2.3.2, not 2.3.1.

Aki
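The check a practitioner would want before and after the fix is to see, per key type, exactly which certificates the server hands out and whether each one is actually on the validation path of the leaf it selected. The script below is an added example for this thread; it is not Dovecot code and was not posted by any participant. It parses the text that `openssl s_client -showcerts` prints (the ` N s:` subject and `   i:` issuer lines that precede every PEM block), walks from the depth-0 leaf upward by matching issuer to subject, and reports anything the server sent that is not on that path. The hostnames, CA names and the two sample handshakes embedded in it are constructed placeholders; the `-cipher`/`-tls1_2` invocations in the docstring are the assumed way to force the server to pick its RSA or ECDSA leaf (under TLS 1.3 the cipher suite no longer selects the key type, hence `-tls1_2`).

```python
"""Audit the certificate chain a TLS server sends in one handshake.

Added example for the ssl_alt_cert thread (not Dovecot code). Input is the
output of `openssl s_client -showcerts`; only the " N s:" / "   i:" lines
are read, so the PEM bodies are irrelevant and omitted from the samples.
All hostnames and CA names below are constructed placeholders.

Run once per key type so the server selects each leaf in turn:

    openssl s_client -connect mail.example.com:993 -servername mail.example.com \
        -showcerts -tls1_2 -cipher ECDHE-ECDSA-AES128-GCM-SHA256 </dev/null | python3 audit_chain.py
    openssl s_client -connect mail.example.com:993 -servername mail.example.com \
        -showcerts -tls1_2 -cipher ECDHE-RSA-AES128-GCM-SHA256 </dev/null | python3 audit_chain.py
"""
import re
import sys
from typing import Dict, List, Tuple

# One chain entry as printed by s_client -showcerts, e.g.
#    0 s:CN = mail.example.com
#      i:C = US, O = Example CA, CN = Example ECDSA Intermediate
# OpenSSL 1.0.x prints "s:/CN=..." instead; the regex keeps whatever
# follows "s:" and "i:" verbatim, so both forms work.
_ENTRY = re.compile(
    r"^\s*(?P<depth>\d+) s:(?P<subject>.*)$\n^\s*i:(?P<issuer>.*)$",
    re.MULTILINE,
)


def parse_showcerts(text: str) -> List[Dict[str, str]]:
    """Return the certificates in the order the server sent them."""
    return [
        {"depth": int(m["depth"]),
         "subject": m["subject"].strip(),
         "issuer": m["issuer"].strip()}
        for m in _ENTRY.finditer(text)
    ]


def audit_chain(text: str) -> Tuple[List[str], List[str]]:
    """Split the sent certificates into (on_path, extra) subject lists.

    on_path starts at the depth-0 leaf and follows issuer -> subject links
    through the certificates the server sent. extra is everything else it
    sent; for the ssl_alt_cert case that is the intermediate belonging to
    the other key type's chain. Walking stops at a self-signed certificate
    or when the issuer was not sent (the client is expected to hold the
    root in its own trust store).
    """
    certs = parse_showcerts(text)
    if not certs:
        raise ValueError("no 's:'/'i:' chain entries found in input")
    index = min(range(len(certs)), key=lambda i: certs[i]["depth"])
    visited = set()
    on_path: List[str] = []
    while index is not None and index not in visited:
        visited.add(index)
        cert = certs[index]
        on_path.append(cert["subject"])
        if cert["issuer"] == cert["subject"]:
            break  # self-signed: nothing above it to look for
        # First unvisited certificate whose subject is the issuer we need.
        index = next((i for i, c in enumerate(certs)
                      if i not in visited and c["subject"] == cert["issuer"]),
                     None)
    extra = [c["subject"] for i, c in enumerate(certs) if i not in visited]
    return on_path, extra


# Constructed sample of the reported behaviour: the server selected the
# ECDSA leaf but also sent the intermediate from the RSA chain file.
SAMPLE_ECDSA_HANDSHAKE = """\
Certificate chain
 0 s:CN = mail.example.com
   i:C = US, O = Example CA, CN = Example ECDSA Intermediate
 1 s:C = US, O = Example CA, CN = Example ECDSA Intermediate
   i:C = US, O = Example CA, CN = Example Root
 2 s:C = US, O = Example CA, CN = Example RSA Intermediate
   i:C = US, O = Example CA, CN = Example Root
"""

# Constructed sample of the expected output once only the matching
# intermediate accompanies the ECDSA leaf.
SAMPLE_CLEAN_HANDSHAKE = """\
Certificate chain
 0 s:CN = mail.example.com
   i:C = US, O = Example CA, CN = Example ECDSA Intermediate
 1 s:C = US, O = Example CA, CN = Example ECDSA Intermediate
   i:C = US, O = Example CA, CN = Example Root
"""


def report(text: str) -> str:
    """One line per certificate with its verdict."""
    on_path, extra = audit_chain(text)
    return "\n".join([f"on path: {s}" for s in on_path]
                     + [f"EXTRA:   {s}" for s in extra])


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ECDSA_HANDSHAKE
    print(report(data))
    sys.exit(1 if audit_chain(data)[1] else 0)
```

Run against a live server the exit status is 1 whenever an unrelated certificate was sent, which makes it usable as a post-deployment check after editing ssl_cert or ssl_alt_cert. An "extra" intermediate is not a validation failure for most clients (they simply ignore certificates they cannot chain), which is why the problem in the thread went unnoticed until someone looked at the handshake; it does waste bytes on every connection and, once the two key types use different intermediates, exposes an intermediate the client has no reason to receive.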