On 28.05.2018 13:05, Hauke Fath wrote:
> On 05/28/18 11:08, Aki Tuomi wrote:
>>
>>
>> On 28.05.2018 12:06, Hauke Fath wrote:
>>> On 05/21/18 17:55, Aki Tuomi wrote:
>>>> ssl_ca is used only for validating client certificates.
>>>
>>> But it was used (though not documented, IIRC) for validating server
>>> certs, too. Since intermediate CA certs are usually valid a lot longer
>>> than the server certs, having to concat the certs is awkward, at best.
>>
>> As far as I know, it has never worked as a replacement for adding
>> the chain to the cert file.
>
> Well, you know your code better than I. ;)
>
> But it has worked for us here pre-2.3 (see
> <https://www.dovecot.org/pipermail/dovecot/2018-January/110638.html>
> ff., and confirmed by
> <https://www.dovecot.org/pipermail/dovecot/2018-January/110720.html>).
>
> And from an admin POV, it makes a lot of sense to keep the
> intermediate cert chain separate from the server cert.
>
> Cheerio,
> hauke
>

I'm sure. But putting it as ssl_ca makes no sense, since it becomes
confusing what it is for. We can try restoring this as an ssl_cert_chain
setting in a future release.

Aki
On Mon, 28 May 2018 13:52:01 +0300, Aki Tuomi wrote:
> I'm sure. But putting it as ssl_ca makes no sense, since it becomes
> confusing what it is for.

I guess - I haven't had a need for client certs, and only ever used
ssl_ca for the server ca chain.

> We can try restoring this as an ssl_cert_chain setting in a future release.

Sounds good. How about (re)naming them ssl-{client,server}_ca?

Cheerio,
Hauke

-- 
     The ASCII Ribbon Campaign                    Hauke Fath
()     No HTML/RTF in email            Institut für Nachrichtentechnik
/\     No Word docs in email                     TU Darmstadt
       Respect for open standards              Ruf +49-6151-16-21344
On 28.05.2018 14:30, Hauke Fath wrote:
> On Mon, 28 May 2018 13:52:01 +0300, Aki Tuomi wrote:
>> I'm sure. But putting it as ssl_ca makes no sense, since it becomes
>> confusing what it is for.
> I guess - I haven't had a need for client certs, and only ever used
> ssl_ca for the server ca chain.
>
>> We can try restoring this as an ssl_cert_chain setting in a future release.
> Sounds good. How about (re)naming them ssl-{client,server}_ca?
>
> Cheerio,
> Hauke
>

There is already ssl_client_ca, for verifying clients. ssl_ca verifies
certs when dovecot is connecting somewhere.

Aki
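The practical consequence of the thread for a Dovecot 2.3 admin is that the intermediate chain has to be carried in the ssl_cert file itself, in presentation order: server certificate first, then the intermediates closest to it first. The script below is an added example, not code from the thread or from the Dovecot project. It assembles such a bundle, refuses inputs that do not contain exactly one PEM certificate, keeps every block on its own line, and, when openssl is installed, verifies that the leaf chains up to a root through the intermediates before the file is pointed at from ssl_cert. The demo function uses constructed placeholder PEM blocks (not real certificates), and any file names used with it are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from Dovecot): build the combined
# certificate file that Dovecot 2.3 reads via ssl_cert when the chain is
# not configured separately. Order matters: leaf first, then intermediates.
set -eu

# Count PEM certificate blocks in a file (prints 0 for none).
pem_cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# build_chain_file OUT LEAF [INTERMEDIATE...]
# Concatenate LEAF followed by each INTERMEDIATE into OUT. Every input must
# be readable and hold exactly one certificate; otherwise return 1.
build_chain_file() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        [ -r "$f" ] || { echo "$f: not readable" >&2; return 1; }
        n=$(pem_cert_count "$f")
        if [ "$n" -ne 1 ]; then
            echo "$f: expected 1 certificate, found $n" >&2
            return 1
        fi
        cat "$f" >> "$out"
        # A PEM file without a trailing newline would glue the next
        # BEGIN line onto this END line; make sure each block starts fresh.
        if [ -n "$(tail -c1 "$out")" ]; then
            echo >> "$out"
        fi
    done
    # The bundle holds only public certificates; the private key stays
    # in the separate ssl_key file with restrictive permissions.
    chmod 0644 "$out"
}

# verify_chain LEAF ROOT [INTERMEDIATE...]
# Use openssl, if present, to confirm LEAF chains up to ROOT through the
# INTERMEDIATE certs, i.e. that the bundle will be complete as served.
verify_chain() {
    leaf=$1; root=$2; shift 2
    command -v openssl >/dev/null 2>&1 || {
        echo "openssl not found, skipping chain verification" >&2
        return 0
    }
    rc=0
    if [ "$#" -gt 0 ]; then
        tmp=$(mktemp)
        cat "$@" > "$tmp"
        openssl verify -CAfile "$root" -untrusted "$tmp" "$leaf" || rc=$?
        rm -f "$tmp"
    else
        openssl verify -CAfile "$root" "$leaf" || rc=$?
    fi
    return $rc
}

# demo: build a bundle from constructed placeholder blocks (not real
# certificates) and print how many certificates the result contains.
demo() {
    d=$(mktemp -d)
    # constructed leaf block, deliberately without a trailing newline
    printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-LEAF' \
        '-----END CERTIFICATE-----' > "$d/leaf.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-INTERMEDIATE' \
        '-----END CERTIFICATE-----' > "$d/intermediate.pem"
    build_chain_file "$d/chain.pem" "$d/leaf.pem" "$d/intermediate.pem"
    pem_cert_count "$d/chain.pem"
    rm -rf "$d"
}
```

With real files the sequence is build_chain_file, then verify_chain against the CA root you trust, and only then ssl_cert = </etc/dovecot/dovecot-chain.pem (the leading < makes Dovecot read the file; the path is an assumption). Because the leaf expires long before the intermediates, re-running the build step is what keeps the chain complete after every renewal.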