On 28.05.2018 12:06, Hauke Fath wrote:
> On 05/21/18 17:55, Aki Tuomi wrote:
>> ssl_ca is used only for validating client certificates.
>
> But it was used (though not documented, IIRC) for validating server
> certs, too. Since intermediate CA certs are usually valid a lot longer
> than the server certs, having to concat the certs is awkward, at best.
>
> I would very much like to see the pre-2.3 behaviour of "ssl_ca" restored.
>
> Cheerio,
> hauke
>

As far as I know, it has never worked as a replacement for adding the chain to the cert file.

Aki
On 05/28/18 11:08, Aki Tuomi wrote:
>
>
> On 28.05.2018 12:06, Hauke Fath wrote:
>> On 05/21/18 17:55, Aki Tuomi wrote:
>>> ssl_ca is used only for validating client certificates.
>>
>> But it was used (though not documented, IIRC) for validating server
>> certs, too. Since intermediate CA certs are usually valid a lot longer
>> than the server certs, having to concat the certs is awkward, at best.
>
> As far as I know, it has never been working as replacement for adding
> the chain to cert file.

Well, you know your code better than I. ;)

But it has worked for us here pre-2.3 (see
<https://www.dovecot.org/pipermail/dovecot/2018-January/110638.html>
ff., and confirmed by
<https://www.dovecot.org/pipermail/dovecot/2018-January/110720.html>).

And from an admin POV, it makes a lot of sense to keep the intermediate
cert chain separate from the server cert.

Cheerio,
hauke

-- 
The ASCII Ribbon Campaign                       Hauke Fath
()     No HTML/RTF in email         Institut für Nachrichtentechnik
/\     No Word docs in email                    TU Darmstadt
Respect for open standards              Ruf +49-6151-16-21344
On 28.05.2018 13:05, Hauke Fath wrote:
> On 05/28/18 11:08, Aki Tuomi wrote:
>>
>>
>> On 28.05.2018 12:06, Hauke Fath wrote:
>>> On 05/21/18 17:55, Aki Tuomi wrote:
>>>> ssl_ca is used only for validating client certificates.
>>>
>>> But it was used (though not documented, IIRC) for validating server
>>> certs, too. Since intermediate CA certs are usually valid a lot longer
>>> than the server certs, having to concat the certs is awkward, at best.
>>
>> As far as I know, it has never been working as replacement for adding
>> the chain to cert file.
>
> Well, you know your code better than I. ;)
>
> But it has worked for us here pre-2.3 (see
> <https://www.dovecot.org/pipermail/dovecot/2018-January/110638.html>
> ff., and confirmed by
> <https://www.dovecot.org/pipermail/dovecot/2018-January/110720.html>).
>
> And from an admin POV, it makes a lot of sense to keep the
> intermediate cert chain separate from the server cert.
>
> Cheerio,
> hauke
>

I'm sure. But putting it as ssl_ca makes no sense, since it becomes confused what it is for. We can try restoring this as an ssl_cert_chain setting in a future release.

Aki
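The practical point behind this thread is that a client which trusts only the root CA cannot validate a server that presents the leaf certificate alone; the intermediate has to travel with the leaf, which in Dovecot 2.3 means appending it to the file named by ssl_cert. The program below is an added example written for this page, not code from the thread or from Dovecot. It builds a throwaway root, intermediate and server certificate in memory (a constructed PKI, with the hostname mail.example.test as a placeholder), then checks the two configurations from the client's side: leaf only (fails with an unknown-authority error) and leaf followed by intermediate (verifies). ChainLength shows how a TLS stack reads such a concatenated file: the first PEM block is the server certificate, the remaining blocks are sent to clients as the chain.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// PKI holds a throwaway root -> intermediate -> leaf hierarchy generated in
// memory. This is a constructed example, not a real CA.
type PKI struct {
	RootPEM, InterPEM, LeafPEM, LeafKeyPEM []byte
}

// ChainPEM is the layout of a Dovecot 2.3 ssl_cert file: the server
// certificate first, followed by the intermediate CA certificate(s).
func (p PKI) ChainPEM() []byte {
	return append(append([]byte{}, p.LeafPEM...), p.InterPEM...)
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs tmpl with parentKey (parent == tmpl for the self-signed root)
// and returns the certificate both parsed and PEM-encoded.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) (*x509.Certificate, []byte) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// BuildPKI creates the hierarchy for host. Lifetimes mirror the thread's
// point: the intermediate outlives the 90-day server certificate by years.
func BuildPKI(host string) PKI {
	now := time.Now()
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(20 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	root, rootPEM := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	interTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Example Intermediate CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(5 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	inter, interPEM := issue(interTmpl, root, &interKey.PublicKey, rootKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(90 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	_, leafPEM := issue(leafTmpl, inter, &leafKey.PublicKey, interKey)
	keyDER, err := x509.MarshalECPrivateKey(leafKey)
	if err != nil {
		panic(err)
	}
	return PKI{rootPEM, interPEM, leafPEM, pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})}
}

// ChainLength parses a cert file the way a TLS server does: the first PEM
// block is the leaf, every following block is sent to clients as the chain.
func ChainLength(certFilePEM, keyPEM []byte) int {
	kp, err := tls.X509KeyPair(certFilePEM, keyPEM)
	if err != nil {
		panic(err)
	}
	return len(kp.Certificate)
}

// VerifyAsClient acts like a mail client that trusts only the root CA and
// receives exactly the certificates found in the server's cert file.
func VerifyAsClient(rootPEM, certFilePEM []byte, host string) error {
	roots := x509.NewCertPool()
	roots.AppendCertsFromPEM(rootPEM)
	var leaf *x509.Certificate
	inters := x509.NewCertPool()
	for rest := certFilePEM; ; {
		block, r := pem.Decode(rest)
		if block == nil {
			break
		}
		rest = r
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return err
		}
		if leaf == nil {
			leaf = c // first block: the server certificate
		} else {
			inters.AddCert(c) // later blocks: presented chain
		}
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}

func main() {
	p := BuildPKI("mail.example.test")
	fmt.Println("leaf only:", VerifyAsClient(p.RootPEM, p.LeafPEM, "mail.example.test"))
	fmt.Println("leaf + intermediate:", VerifyAsClient(p.RootPEM, p.ChainPEM(), "mail.example.test"))
	fmt.Println("certificates in ssl_cert file:", ChainLength(p.ChainPEM(), p.LeafKeyPEM))
}
```

The same check can be run against a real deployment with a client that has only the root in its trust store; a handshake that fails with an unknown-issuer error while the server certificate itself is valid is the symptom of a missing intermediate in the cert file.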