Martin Johannes Dauser
2018-Jul-20 09:14 UTC
dovecot sometimes sends non-default SSL cert if IMAP client won't send SNI
Hi,

I recognised some funny behaviour on my server. IMAP clients which won't send a Server Name Indication (SNI) sometimes get the wrong certificate. I would expect that those clients always get the default certificate (of my new domain); instead, in about 20 to 50% of connections the certificate of my old domain will be presented. (Sample rate was 3 times 30 connections.)

Clients sending SNI always get the right certificate.

A user informed me that offlineIMAP complains:
  'CA Cert verifying failed:
   no matching domain name found in certificate'
So at least offlineIMAP 7.0.12 from Debian stretch won't send SNI; there is a newer version upstream though.

I myself checked the server's behaviour with openssl:

$ openssl s_client -showcerts -connect IP-address:993

and

$ openssl s_client -showcerts -connect IP-address:993 -servername imap.domain

I'm totally clueless about how this comes about.

Best regards
Martin Johannes Dauser


# 2.2.10: /etc/dovecot/dovecot.conf
# OS: Linux 3.10.0-862.el7.x86_64 x86_64 Red Hat Enterprise Linux Server release 7.5 (Maipo)

...

service imap-login {
  inet_listener imap {
    address = 127.0.0.1
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
  process_min_avail = 8
  service_count = 0
}

...

ssl = required
# set default cert
ssl_cert = </etc/pki/dovecot/certs/mail_new_domain-chained.cert
ssl_cipher_list = DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ALL:!LOW:!SSLv2:!EXP:!aNULL:!MD5:!RC4:!DES:!3DES:!TLSv1

ssl_key = </etc/pki/dovecot/private/mail_new_domain.key
ssl_protocols = !SSLv2 !SSLv3

...

# set alternative cert for old domain
local_name mail.old.domain {
  ssl_cert = </etc/pki/dovecot/certs/mail_old_domain-chained.cert
  ssl_key = </etc/pki/dovecot/private/mail_old_domain.key
}
local_name imap.old.domain {
  ssl_cert = </etc/pki/dovecot/certs/mail_old_domain-chained.cert
  ssl_key = </etc/pki/dovecot/private/mail_old_domain.key
}
local_name pop.old.domain {
  ssl_cert = </etc/pki/dovecot/certs/mail_old_domain-chained.cert
  ssl_key = </etc/pki/dovecot/private/mail_old_domain.key
}

# set explicit cert for new domain
local_name mail.new.domain {
  ssl_cert = </etc/pki/dovecot/certs/mail_new_domain-chained.cert
  ssl_key = </etc/pki/dovecot/private/mail_new_domain.key
}
local_name imap.new.domain {
  ssl_cert = </etc/pki/dovecot/certs/mail_new_domain-chained.cert
  ssl_key = </etc/pki/dovecot/private/mail_new_domain.key
}
local_name pop.new.domain {
  ssl_cert = </etc/pki/dovecot/certs/mail_new_domain-chained.cert
  ssl_key = </etc/pki/dovecot/private/mail_new_domain.key
}
Aki Tuomi
2018-Jul-23 07:05 UTC
dovecot sometimes sends non-default SSL cert if IMAP client won't send SNI
Can you provide some details on what those openssl commands returned?

Aki

On 20.07.2018 12:14, Martin Johannes Dauser wrote:
> Hi,
>
> I recognised some funny behaviour on my server. IMAP clients which
> won't send a Server Name Indication (SNI) sometimes get the wrong
> certificate. I would expect that those clients always get the default
> certificate (of my new domain), instead in about 20 to 50% of
> connections the certificate of my old domain will be presented.
> (sample rate was 3 times 30 connections)
>
> Clients sending SNI always get the right certificate.
> [...]
Martin Johannes Dauser
2018-Jul-24 15:03 UTC
dovecot sometimes sends non-default SSL cert if IMAP client won't send SNI
Sure, and thanks for trying to help!

These are the two correct answers when SNI is included. The certificates are fully chained. Both certificates carry the same subject mail.cs.sbg.ac.at but differ in Subject Alternative Name (SAN).

X509v3 Subject Alternative Name:
    DNS:mail.cs.sbg.ac.at, DNS:smtp.cs.sbg.ac.at, DNS:imap.cs.sbg.ac.at, DNS:pop.cs.sbg.ac.at

X509v3 Subject Alternative Name:
    DNS:mail.cs.sbg.ac.at, DNS:mail.cosy.sbg.ac.at, DNS:smtp.cosy.sbg.ac.at, DNS:imap.cosy.sbg.ac.at, DNS:pop.cosy.sbg.ac.at

I thought of attaching a file with 13 outputs of the command

$ openssl s_client -showcerts -connect 141.201.4.5:993

but this would certainly exceed the limit of 40kb. Anyway, except for the SSL handshake the outputs exactly match the two examples a few lines below.

Statistics: only connections 10, 11 and 13 showed the default certificate. So running only a few connections might end up with 100% false certs -- or the other way round.

OpenSSL itself is always happy, as both certificates fit the (r)DNS records of mail.cs.sbg.ac.at/141.201.4.5.

Would it help you to run dovecot in debug mode?
###################################################################
$ openssl s_client -showcerts -connect 141.201.4.5:993 -servername imap.cs.sbg.ac.at
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=AT/ST=Salzburg/L=Salzburg/O=University of Salzburg/OU=Department of Computer Science/CN=mail.cs.sbg.ac.at
   i:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 3
-----BEGIN CERTIFICATE-----
MIIGjDCCBXSgAwIBAgIQApnSP3xZbyr6dGTMvuxaSDANBgkqhkiG9w0BAQ0FADBk
MQswCQYDVQQGEwJOTDEWMBQGA1UECBMNTm9vcmQtSG9sbGFuZDESMBAGA1UEBxMJ
QW1zdGVyZGFtMQ8wDQYDVQQKEwZURVJFTkExGDAWBgNVBAMTD1RFUkVOQSBTU0wg
Q0EgMzAeFw0xNzAxMjQwMDAwMDBaFw0yMDAxMjgxMjAwMDBaMIGZMQswCQYDVQQG
EwJBVDERMA8GA1UECBMIU2FsemJ1cmcxETAPBgNVBAcTCFNhbHpidXJnMR8wHQYD
VQQKExZVbml2ZXJzaXR5IG9mIFNhbHpidXJnMScwJQYDVQQLEx5EZXBhcnRtZW50
IG9mIENvbXB1dGVyIFNjaWVuY2UxGjAYBgNVBAMTEW1haWwuY3Muc2JnLmFjLmF0
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAus33Jb+HE64oJvBEwpeh
7cwyMAknhE5k/49eUG7/E0j2ffEo1APzxYooZ1hlHcf7meH7h1KYD3lSXw5RX0Mi
KtuUHSUIqYE1U3+pyussB11r18ucHk8MoFQqPnJDeuSPaHozmdQtJJHRVDabddHz
5l4RVEUduUjzl7vnfFrBhbHV/LpYcLMsNgdlg5I0TXU99Y8paMeF32cWiR2dCeyN
t2AajjMpHYRDaJ9DGed8nWOeqK0YRQuaEGF68VBVdygDcOQ0eBflwYEjJChJHhN4
UsQSmwoXYj5ZRvyhcAxxPDYveNhM4oVox67Nvw1AgHz/spaWgJVMKrTU4hFDYcnO
0F6KkumLke0t4IvoLEU7ScAm6d3ttQ5ZBbSIX811kWHC/ddu12AhRiq3y5fN2o3n
6pbRrqljyg4Mu0Tj9UEuwC8bJnCJreo32HQwo82vD1xU8jPUci4UoD21PfkjFssm
qbtwwWs1KAIvX52U79u6CC7hvsPNtCiMK0K6/9jg8OyKMraBWvIUV6YxgnuJZ4Mi
so/OD6uqdpqCYuq5LLZVAVcBu/vGTzfcckkz71nN2eZSO870rnxyHeTWmepQv4nc
gxN49JeReO4zZMio6eC5N9D+SYc5Ae5mS8qyHe/gur6VmbmbWk/vRt/m75lcGLgR
A4FRqRvu+GIWNh0uCP9SlkUCAwEAAaOCAgIwggH+MB8GA1UdIwQYMBaAFGf9iCAU
J5jHCdIlGbvpURFjdVBiMB0GA1UdDgQWBBR6nRddyu+D1h42fba+bgkBi6OipzBU
BgNVHREETTBLghFtYWlsLmNzLnNiZy5hYy5hdIIRc210cC5jcy5zYmcuYWMuYXSC
EWltYXAuY3Muc2JnLmFjLmF0ghBwb3AuY3Muc2JnLmFjLmF0MA4GA1UdDwEB/wQE
AwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwawYDVR0fBGQwYjAv
oC2gK4YpaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL1RFUkVOQVNTTENBMy5jcmww
L6AtoCuGKWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9URVJFTkFTU0xDQTMuY3Js
MEwGA1UdIARFMEMwNwYJYIZIAYb9bAEBMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8v
d3d3LmRpZ2ljZXJ0LmNvbS9DUFMwCAYGZ4EMAQICMG4GCCsGAQUFBwEBBGIwYDAk
BggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tMDgGCCsGAQUFBzAC
hixodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vVEVSRU5BU1NMQ0EzLmNydDAM
BgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBDQUAA4IBAQA6Xbkobv3hQAr532wf0NsZ
kYErQebiMLCrKDAhtLc7Z/bO/srUgOs0x9uoIU5ErjLnPcWrPK0eFQevjZ+6CUry
NgAcf6f1z9g1IejuapXb6F41YAteJzo+QkvAtQFkOaq9AADXNo6iIOIDyE1M8hWW
W0gcwx6h4+UUSLac0LN/i+Q2LcHa6fg/kH59Yt2oIzkJrVRSHn11R8iUHiLgW3X2
XL9BgCZHqI8t3OaJpXLHmvA0pKDIvjFK9+CDcXZWQbZyLlMzGxVyrZfK+rBjL05h
QQ3CTy9JJ3/1//AD1mSgog3qSejMQ7ZK01ZZv4lDoEU8ADGFA6VKlV/CiaYz5Ztk
-----END CERTIFICATE-----
 1 s:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 3
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
-----BEGIN CERTIFICATE-----
MIIE+zCCA+OgAwIBAgIQCHC8xa8/25Wakctq7u/kZTANBgkqhkiG9w0BAQsFADBl
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJv
b3QgQ0EwHhcNMTQxMTE4MTIwMDAwWhcNMjQxMTE4MTIwMDAwWjBkMQswCQYDVQQG
EwJOTDEWMBQGA1UECBMNTm9vcmQtSG9sbGFuZDESMBAGA1UEBxMJQW1zdGVyZGFt
MQ8wDQYDVQQKEwZURVJFTkExGDAWBgNVBAMTD1RFUkVOQSBTU0wgQ0EgMzCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMV2Dw/ZQyk7bG3RR63eEL8jwnio
Snc18SNb4EweQefCMQC9iDdFdd25AhCAHo/tZCMERaegOTuBTc9jP8JJ/yKeiLDS
lrlcinQfkioq8hLIt2hUtVhBgUBoBhpPhSn7tU08D08/QJYbzqjMXjX/ZJj1dd10
VAWgNhEEEiRVY++Udy538RV27tOkWUUhn6i+0SftCuirOMo/h9Ha8Y+5Cx9E5+Ct
85XCFk3shKM6ktTPxn3mvcsaQE+zVLHzj28NHuO+SaNW5Ae8jafOHbBbV1bRxBz8
mGXRzUYvkZS/RYVJ+G1ShxwCVgEnFqtyLvRx5GG1IKD6JmlqCvGrn223zyUCAwEA
AaOCAaYwggGiMBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMHkG
CCsGAQUFBwEBBG0wazAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQu
Y29tMEMGCCsGAQUFBzAChjdodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGln
aUNlcnRBc3N1cmVkSURSb290Q0EuY3J0MIGBBgNVHR8EejB4MDqgOKA2hjRodHRw
Oi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRBc3N1cmVkSURSb290Q0EuY3Js
MDqgOKA2hjRodHRwOi8vY3JsNC5kaWdpY2VydC5jb20vRGlnaUNlcnRBc3N1cmVk
SURSb290Q0EuY3JsMD0GA1UdIAQ2MDQwMgYEVR0gADAqMCgGCCsGAQUFBwIBFhxo
dHRwczovL3d3dy5kaWdpY2VydC5jb20vQ1BTMB0GA1UdDgQWBBRn/YggFCeYxwnS
JRm76VERY3VQYjAfBgNVHSMEGDAWgBRF66Kv9JLLgjEtUYunpyGd823IDzANBgkq
hkiG9w0BAQsFAAOCAQEAqSg1esR71tonHqyYzyc2TxEydHTmQN0dzfJodzWvs4xd
xgS/FfQjZ4u5b5cE60adws3J0aSugS7JurHogNAcyTnBVnZZbJx946nw09E02DxJ
WYsamM6/xvLYMDX/6W9doK867mZTrqqMaci+mqege9iCSzMTyAfzd9fzZM2eY/lC
J1OuEDOJcjcV8b73HjWizsMt8tey5gvHacDlH198aZt+ziYaM0TDuncFO7pdP0GJ
+hY77gRuW6xWS++McPJKe1e9GW6LNgdUJi2GCZQfXzer8CM/jyxflp5HcahE3qm5
hS+1NGClXwmgmkMd1L8tRNaN2v11y18WoA5hwnA9Ng==
-----END CERTIFICATE-----
 2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
-----BEGIN CERTIFICATE-----
MIIDtzCCAp+gAwIBAgIQDOfg5RfYRv6P5WD8G/AwOTANBgkqhkiG9w0BAQUFADBl
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJv
b3QgQ0EwHhcNMDYxMTEwMDAwMDAwWhcNMzExMTEwMDAwMDAwWjBlMQswCQYDVQQG
EwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNl
cnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJvb3QgQ0EwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtDhXO5EOAXLGH87dg+XESpa7c
JpSIqvTO9SA5KFhgDPiA2qkVlTJhPLWxKISKityfCgyDF3qPkKyK53lTXDGEKvYP
mDI2dsze3Tyoou9q+yHyUmHfnyDXH+Kx2f4YZNISW1/5WBg1vEfNoTb5a3/UsDg+
wRvDjDPZ2C8Y/igPs6eD1sNuRMBhNZYW/lmci3Zt1/GiSw0r/wty2p5g0I6QNcZ4
VYcgoc/lbQrISXwxmDNsIumH0DJaoroTghHtORedmTpyoeb6pNnVFzF1roV9Iq4/
AUaG9ih5yLHa5FcXxH4cDrC0kqZWs72yl+2qp/C3xag/lRbQ/6GW6whfGHdPAgMB
AAGjYzBhMA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW
BBRF66Kv9JLLgjEtUYunpyGd823IDzAfBgNVHSMEGDAWgBRF66Kv9JLLgjEtUYun
pyGd823IDzANBgkqhkiG9w0BAQUFAAOCAQEAog683+Lt8ONyc3pklL/3cmbYMuRC
dWKuh+vy1dneVrOfzM4UKLkNl2BcEkxY5NM9g0lFWJc1aRqoR+pWxnmrEthngYTf
fwk8lOa4JiwgvT2zKIn3X/8i4peEH+ll74fg38FnSbNd67IJKusm7Xi+fT8r87cm
NW1fiQG2SVufAQWbqz0lwcy2f8Lxb4bG+mRo64EtlOtCt/qMHt1i8b5QZ7dsvfPx
H2sMNgcWfzd8qVttevESRmCD1ycEvkvOl77DZypoEd+A5wwzZr8TDRRu838fYxAe
+o0bJW1sj6W3YQGx0qMmoRBxna3iw/nDmVG3KwcIzi7mULKn+gpFL6Lw8g==
-----END CERTIFICATE-----
---
Server certificate
subject=/C=AT/ST=Salzburg/L=Salzburg/O=University of Salzburg/OU=Department of Computer Science/CN=mail.cs.sbg.ac.at
issuer=/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-384, 384 bits
---
SSL handshake has read 4882 bytes and written 360 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: E75B0B35DFEFC9F6CABD8851BAA4B2A2E2AE309E3A203333C7CD9CCC4AE0C9A6
    Session-ID-ctx:
    Master-Key: 2D90C5223EB2265793E990153B3877E07B8FF1DCED85EB3A8FC853E3CE4E1C9A5BFF1FA7123D7FB1CAC517A42DED5E70
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 74 4a 71 29 b0 9a 0b 9a-36 5d a4 5d 3c 03 25 5e   tJq)....6].]<.%^
    0010 - d2 4c 0b 9d ef b8 ef 04-44 d1 d1 8e d2 60 2d 5f   .L......D....`-_
    0020 - 81 67 f6 62 e4 7d 4a 15-17 fa 03 a1 3b 81 70 43   .g.b.}J.....;.pC
    0030 - b2 0a 40 ce 7e c1 a7 de-7a 3e ba 01 9f 4b da cd   ..@.~...z>...K..
    0040 - 6c 22 a2 63 5d b6 22 5c-fd 75 6b 25 f0 9c 04 a8   l".c]."\.uk%....
    0050 - 36 cb df b0 56 e9 3c 35-a3 0c d1 76 e3 4c c5 62   6...V.<5...v.L.b
    0060 - 9f 79 0b 0d fe 88 25 97-d5 d5 3d 93 ac 52 52 eb   .y....%...=..RR.
    0070 - d6 9f ba b4 b3 a1 ba 91-37 e9 ad 83 92 39 ec f9   ........7....9..
    0080 - 1b 0c 15 3b 07 e5 11 36-b1 8f de d0 b2 69 13 5e   ...;...6.....i.^
    0090 - 98 77 46 d0 11 27 72 25-d1 ab 43 a4 14 7f 02 6c   .wF..'r%..C....l
    00a0 - cd a5 56 6a 13 12 3f ff-ad 0f 59 4b 7a 72 d5 0b   ..Vj..?...YKzr..
    Start Time: 1532434946
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.

###################################################################
$ openssl s_client -showcerts -connect 141.201.4.5:993 -servername imap.cosy.sbg.ac.at
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=AT/L=Salzburg/O=University of Salzburg/OU=Department of Computer Science/CN=mail.cs.sbg.ac.at
   i:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 3
-----BEGIN CERTIFICATE-----
MIIIATCCBumgAwIBAgIQAmDFTQk2675Y0/0vo5hcIDANBgkqhkiG9w0BAQsFADBk
MQswCQYDVQQGEwJOTDEWMBQGA1UECBMNTm9vcmQtSG9sbGFuZDESMBAGA1UEBxMJ
QW1zdGVyZGFtMQ8wDQYDVQQKEwZURVJFTkExGDAWBgNVBAMTD1RFUkVOQSBTU0wg
Q0EgMzAeFw0xODA3MTgwMDAwMDBaFw0yMDA3MjIxMjAwMDBaMIGGMQswCQYDVQQG
EwJBVDERMA8GA1UEBxMIU2FsemJ1cmcxHzAdBgNVBAoTFlVuaXZlcnNpdHkgb2Yg
U2FsemJ1cmcxJzAlBgNVBAsTHkRlcGFydG1lbnQgb2YgQ29tcHV0ZXIgU2NpZW5j
ZTEaMBgGA1UEAxMRbWFpbC5jcy5zYmcuYWMuYXQwggIiMA0GCSqGSIb3DQEBAQUA
A4ICDwAwggIKAoICAQDulmTg3+JDxZr0uEsxr9521HV+Qja0/+gcQE1UlWe2Tx4V
iHx6GtqOSSyDl8vTPvmCv/ethTaGQVFZLWOGK8mvUkNqO0PpzcrucuvO8nyycjWE
TWsthWkCK0uIg1ivyWji1gn53XjattDAjbaLCHNKVne3KoD0hM0nNJF56zyv7QSJ
xh6HWAHNRb2Uc6R24vmCWdXh8/I5Cs4fHUpi9RQ8Qtw3C6W8JXOfdJ30uEOzHM0d
a1lh6eYc+kDQHSdyLc6l7T0/Mm8i0WbbHWk2V5LPEyuqFcbjg9xfX5W2TboJun28
0qog2UWT+Ofo20kRzcVQZKcw3xi7Q0avi0IkIckC8rqfZp67gPKp0/q4arYpK15d
n7jwz14lJ4xu9a/OWGdVKJ0pW3ydaKNwreFdGpHuhZ2VAJOzTK3N/7luBD0Qb1PW
vV232kZBkUPGKsJJ9DLDgnzzqYZChM460lbOS7M7CtQW+1doXF3COK8R0X9nrNht
tNMDEJlysuytFWX7mq1FeRxS2/eFEkeT3wiIRKLO/ZPdM++mKAyJJd4Ouob+pyfh
nsnzSAdNQsTZFE3OSnWkE3wFepzddBa4FXrw3Q5zPA1BXIZ8v5ARUeAr/Rnmq6ED
svLhopD/ixAXIFJFCNTrpxwxCgHanvR+hshkr/ydJyxRmlJz2UT3nbpnPXhzMwID
AQABo4IDijCCA4YwHwYDVR0jBBgwFoAUZ/2IIBQnmMcJ0iUZu+lREWN1UGIwHQYD
VR0OBBYEFAM1hJQoRxwTpqH9lz3lXpZdAN7vMFoGA1UdEQRTMFGCEW1haWwuY3Mu
c2JnLmFjLmF0ghNtYWlsLmNvc3kuc2JnLmFjLmF0ghNpbWFwLmNvc3kuc2JnLmFj
LmF0ghJwb3AuY29zeS5zYmcuYWMuYXQwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQW
MBQGCCsGAQUFBwMBBggrBgEFBQcDAjBrBgNVHR8EZDBiMC+gLaArhilodHRwOi8v
Y3JsMy5kaWdpY2VydC5jb20vVEVSRU5BU1NMQ0EzLmNybDAvoC2gK4YpaHR0cDov
L2NybDQuZGlnaWNlcnQuY29tL1RFUkVOQVNTTENBMy5jcmwwTAYDVR0gBEUwQzA3
BglghkgBhv1sAQEwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQu
Y29tL0NQUzAIBgZngQwBAgIwbgYIKwYBBQUHAQEEYjBgMCQGCCsGAQUFBzABhhho
dHRwOi8vb2NzcC5kaWdpY2VydC5jb20wOAYIKwYBBQUHMAKGLGh0dHA6Ly9jYWNl
cnRzLmRpZ2ljZXJ0LmNvbS9URVJFTkFTU0xDQTMuY3J0MAwGA1UdEwEB/wQCMAAw
ggF+BgorBgEEAdZ5AgQCBIIBbgSCAWoBaAB2AKS5CZC0GFgUh7sTosxncAo8NZgE
+RvfuON3zQ7IDdwQAAABZK3JdOIAAAQDAEcwRQIgZQUkCneHZEcXfC1yumvuTMIJ
MKf3GFGUanmHYO4l2NQCIQCuOkt7wI4HvMWr+jhq3PfM/GfPr03POT0WHaBx8Eug
CQB2AId1v+dZfPiMQ5lfvfNu/1aNR1Y2/0q1YMG06v9eoIMPAAABZK3JdZ4AAAQD
AEcwRQIhAMIyrqtbop76t3oH3TpEHjxJdb/abztkdE2dhDhSX+yNAiBpMlZSeCKH
t94VtRIgVeYX1iQoj+z3dicgh/ZpdfBEwwB2ALvZ37wfinG1k5Qjl6qSe0c4V5UK
q1LoGpCWZDaOHtGFAAABZK3JdbEAAAQDAEcwRQIhAIHVyGRqGMI9IV1ZsGcXl16+
jtVT0Z77Ky2CgoPTW915AiBHqCxvZUfu8Hpjs78JGLIKS/Vf1c+h/GBfs0FJFKzt
fjANBgkqhkiG9w0BAQsFAAOCAQEAMJAGj8Vh6fuWdQFHHJ5pjX3uQ6GQwAVnnmbS
IWLO0pcD7niy4IDeF/Q4Bwx9U4M12SImZr61UL0JL9UYy82xeSDEMReTbC83Ghug
aTTTrfHJjjH3/T69mFRjUHtsYhZVIoLlm0T+K4FiBMuaNSz09r0PmTHRpBdsPjwU
42ONsdcyI/nlaalzvNsG/JorNn2oG3zU9n7T4iXcMeIQqCzaBEVQKUi7zfeOuBk1
epA6679yxLTMsMpzd0xaXAZ4tlh7Cs7ozQwRCe4ZNQTmrtfTZ0od+6xLUpvTJylp
Yvc4n6jGgk8UrgkPTeloOnhuunZ9HNPaL8gBGCpvPwbJzfHJXg==
-----END CERTIFICATE-----
 1 s:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 3
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
-----BEGIN CERTIFICATE-----
MIIE+zCCA+OgAwIBAgIQCHC8xa8/25Wakctq7u/kZTANBgkqhkiG9w0BAQsFADBl
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJv
b3QgQ0EwHhcNMTQxMTE4MTIwMDAwWhcNMjQxMTE4MTIwMDAwWjBkMQswCQYDVQQG
EwJOTDEWMBQGA1UECBMNTm9vcmQtSG9sbGFuZDESMBAGA1UEBxMJQW1zdGVyZGFt
MQ8wDQYDVQQKEwZURVJFTkExGDAWBgNVBAMTD1RFUkVOQSBTU0wgQ0EgMzCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMV2Dw/ZQyk7bG3RR63eEL8jwnio
Snc18SNb4EweQefCMQC9iDdFdd25AhCAHo/tZCMERaegOTuBTc9jP8JJ/yKeiLDS
lrlcinQfkioq8hLIt2hUtVhBgUBoBhpPhSn7tU08D08/QJYbzqjMXjX/ZJj1dd10
VAWgNhEEEiRVY++Udy538RV27tOkWUUhn6i+0SftCuirOMo/h9Ha8Y+5Cx9E5+Ct
85XCFk3shKM6ktTPxn3mvcsaQE+zVLHzj28NHuO+SaNW5Ae8jafOHbBbV1bRxBz8
mGXRzUYvkZS/RYVJ+G1ShxwCVgEnFqtyLvRx5GG1IKD6JmlqCvGrn223zyUCAwEA
AaOCAaYwggGiMBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMHkG
CCsGAQUFBwEBBG0wazAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQu
Y29tMEMGCCsGAQUFBzAChjdodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGln
aUNlcnRBc3N1cmVkSURSb290Q0EuY3J0MIGBBgNVHR8EejB4MDqgOKA2hjRodHRw
Oi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRBc3N1cmVkSURSb290Q0EuY3Js
MDqgOKA2hjRodHRwOi8vY3JsNC5kaWdpY2VydC5jb20vRGlnaUNlcnRBc3N1cmVk
SURSb290Q0EuY3JsMD0GA1UdIAQ2MDQwMgYEVR0gADAqMCgGCCsGAQUFBwIBFhxo
dHRwczovL3d3dy5kaWdpY2VydC5jb20vQ1BTMB0GA1UdDgQWBBRn/YggFCeYxwnS
JRm76VERY3VQYjAfBgNVHSMEGDAWgBRF66Kv9JLLgjEtUYunpyGd823IDzANBgkq
hkiG9w0BAQsFAAOCAQEAqSg1esR71tonHqyYzyc2TxEydHTmQN0dzfJodzWvs4xd
xgS/FfQjZ4u5b5cE60adws3J0aSugS7JurHogNAcyTnBVnZZbJx946nw09E02DxJ
WYsamM6/xvLYMDX/6W9doK867mZTrqqMaci+mqege9iCSzMTyAfzd9fzZM2eY/lC
J1OuEDOJcjcV8b73HjWizsMt8tey5gvHacDlH198aZt+ziYaM0TDuncFO7pdP0GJ
+hY77gRuW6xWS++McPJKe1e9GW6LNgdUJi2GCZQfXzer8CM/jyxflp5HcahE3qm5
hS+1NGClXwmgmkMd1L8tRNaN2v11y18WoA5hwnA9Ng==
-----END CERTIFICATE-----
 2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
-----BEGIN CERTIFICATE-----
MIIDtzCCAp+gAwIBAgIQDOfg5RfYRv6P5WD8G/AwOTANBgkqhkiG9w0BAQUFADBl
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJv
b3QgQ0EwHhcNMDYxMTEwMDAwMDAwWhcNMzExMTEwMDAwMDAwWjBlMQswCQYDVQQG
EwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNl
cnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJvb3QgQ0EwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtDhXO5EOAXLGH87dg+XESpa7c
JpSIqvTO9SA5KFhgDPiA2qkVlTJhPLWxKISKityfCgyDF3qPkKyK53lTXDGEKvYP
mDI2dsze3Tyoou9q+yHyUmHfnyDXH+Kx2f4YZNISW1/5WBg1vEfNoTb5a3/UsDg+
wRvDjDPZ2C8Y/igPs6eD1sNuRMBhNZYW/lmci3Zt1/GiSw0r/wty2p5g0I6QNcZ4
VYcgoc/lbQrISXwxmDNsIumH0DJaoroTghHtORedmTpyoeb6pNnVFzF1roV9Iq4/
AUaG9ih5yLHa5FcXxH4cDrC0kqZWs72yl+2qp/C3xag/lRbQ/6GW6whfGHdPAgMB
AAGjYzBhMA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW
BBRF66Kv9JLLgjEtUYunpyGd823IDzAfBgNVHSMEGDAWgBRF66Kv9JLLgjEtUYun
pyGd823IDzANBgkqhkiG9w0BAQUFAAOCAQEAog683+Lt8ONyc3pklL/3cmbYMuRC
dWKuh+vy1dneVrOfzM4UKLkNl2BcEkxY5NM9g0lFWJc1aRqoR+pWxnmrEthngYTf
fwk8lOa4JiwgvT2zKIn3X/8i4peEH+ll74fg38FnSbNd67IJKusm7Xi+fT8r87cm
NW1fiQG2SVufAQWbqz0lwcy2f8Lxb4bG+mRo64EtlOtCt/qMHt1i8b5QZ7dsvfPx
H2sMNgcWfzd8qVttevESRmCD1ycEvkvOl77DZypoEd+A5wwzZr8TDRRu838fYxAe
+o0bJW1sj6W3YQGx0qMmoRBxna3iw/nDmVG3KwcIzi7mULKn+gpFL6Lw8g==
-----END CERTIFICATE-----
---
Server certificate
subject=/C=AT/L=Salzburg/O=University of Salzburg/OU=Department of Computer Science/CN=mail.cs.sbg.ac.at
issuer=/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-384, 384 bits
---
SSL handshake has read 5255 bytes and written 362 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 1F74E0FB2AC74C65A4C68CAE898C305C6DB245A3566078A6C85E74572593951B
    Session-ID-ctx:
    Master-Key: C6CEE7B44A640152E71EB72172DEC4DCD0604585A9D38427AA6E4604E4B8351458B648D7010D8757924DDB82EC181585
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - b2 8f ed 2a fc 9a f8 4e-4b aa b8 9e 56 e1 01 95   ...*...NK...V...
    0010 - 3d 9b 01 c4 b6 dc 64 0a-9c 1a be 5d a4 7f f0 c9   =.....d....]....
    0020 - 12 d8 f0 94 f3 8c 92 7f-b8 fa f9 cd 60 e0 21 e8   ............`.!.
    0030 - d3 63 77 65 6f e7 ec 04-09 b4 f2 bb df cd 6d 10   .cweo.........m.
    0040 - dd 1a 87 fb c1 b7 de 89-f2 05 0f 70 3b 0d ef 62   ...........p;..b
    0050 - d4 60 f7 54 1b 38 bf d9-8f f7 81 56 1f 61 2d b6   .`.T.8.....V.a-.
    0060 - f4 06 f1 e3 ba 65 95 95-d0 6b dd 92 39 30 1f e2   .....e...k..90..
    0070 - 6e 60 6e 39 d6 51 ed a4-ae 8e 4a b6 ae 3e d6 77   n`n9.Q....J..>.w
    0080 - d9 f9 5d d6 fc b1 a5 89-94 e9 4b c5 cb 39 24 3c   ..].......K..9$<
    0090 - 65 06 81 56 0b 16 d5 b6-a2 34 11 ea 18 c9 a3 6a   e..V.....4.....j
    00a0 - ae a7 62 75 f4 5b 37 31-6f f4 56 26 06 78 2c 62   ..bu.[71o.V&.x,b
    Start Time: 1532434962
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.

On Mon, 2018-07-23 at 10:05 +0300, Aki Tuomi wrote:
> Can you provide some details on what those openssl commands returned?
>
> Aki
>
>
> On 20.07.2018 12:14, Martin Johannes Dauser wrote:
> > Hi,
> >
> > I recognised some funny behaviour on my server. IMAP clients which
> > won't send a Server Name Indication (SNI) sometimes get the wrong
> > certificate. I would expect that those clients always get the
> > default
> > certificate (of my new domain), instead in about 20 to 50% of
> > connections the certificate of my old domain will be presented.
> > (sample rate was 3 times 30 connections)
> > [...]
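A way to reproduce the measurement from the first post (repeated connections with and without SNI, tallied by which leaf certificate came back) and to see why a client that sends no SNI can fail hostname verification even though OpenSSL, dialling mail.cs.sbg.ac.at, is "always happy". This is an added Python example, not code from the thread or from Dovecot. The two SAN lists are copied from the second post; the host names, port and the 30-connection sample size in the `__main__` block are placeholders, the probe function needs network access to the server, and the tally data used to check `mismatch_rate` is constructed. `fetch_leaf_fingerprint` passes `server_hostname=None` to omit the server_name extension entirely, which is what offlineIMAP 7.0.12 is reported to do; `san_matches` applies the dNSName comparison from RFC 6125 (case-insensitive exact match, or one wildcard covering a single left-most label), which is the check behind the "no matching domain name found in certificate" message.

```python
"""Probe an IMAPS endpoint with/without SNI and check which names a served cert covers.

Added example, not part of the thread or of Dovecot. The SAN tuples below are
copied from the second post; host names and sample sizes are placeholders.
"""
import hashlib
import socket
import ssl
from collections import Counter

# SAN lists as quoted in the thread: both certificates have
# CN=mail.cs.sbg.ac.at, only their Subject Alternative Names differ.
SAN_NEW = ("mail.cs.sbg.ac.at", "smtp.cs.sbg.ac.at",
           "imap.cs.sbg.ac.at", "pop.cs.sbg.ac.at")
SAN_OLD = ("mail.cs.sbg.ac.at", "mail.cosy.sbg.ac.at", "smtp.cosy.sbg.ac.at",
           "imap.cosy.sbg.ac.at", "pop.cosy.sbg.ac.at")


def san_matches(hostname, sans):
    """RFC 6125 style dNSName check: case-insensitive exact match, or a
    wildcard that covers exactly one left-most label (*.example.org matches
    a.example.org but neither example.org nor a.b.example.org)."""
    host = hostname.lower().rstrip(".")
    for san in sans:
        san = san.lower()
        if san.startswith("*."):
            if host.count(".") >= 2 and host.split(".", 1)[1] == san[2:]:
                return True
        elif san == host:
            return True
    return False


def hosts_not_covered(client_hosts, served_sans):
    """Names a client might dial that fail verification when a certificate
    carrying `served_sans` is presented instead of the one it expected."""
    return [h for h in client_hosts if not san_matches(h, served_sans)]


def fetch_leaf_fingerprint(host, port=993, sni=None, timeout=10):
    """One TLS connection; returns the SHA-256 of the DER-encoded leaf.
    sni=None sends no server_name extension at all. Verification is
    disabled on purpose: we want to see the certificate the server picked
    even when it does not match the name we dialled."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()


def sample_fingerprints(host, n, sni=None):
    """Repeat the probe n times (the first post used 3 x 30) and tally
    which leaf certificate each connection received."""
    return Counter(fetch_leaf_fingerprint(host, sni=sni) for _ in range(n))


def mismatch_rate(observed, expected_fp):
    """Fraction of connections that got a leaf other than expected_fp;
    `observed` is any mapping fingerprint -> count."""
    total = sum(observed.values())
    if total == 0:
        return 0.0
    return (total - observed.get(expected_fp, 0)) / total


if __name__ == "__main__":
    # Placeholder invocation; needs network access to the real server.
    # The SNI connection gives the fingerprint the default cert should have.
    expected = fetch_leaf_fingerprint("mail.cs.sbg.ac.at", sni="imap.cs.sbg.ac.at")
    seen = sample_fingerprints("mail.cs.sbg.ac.at", 30, sni=None)
    print("wrong leaf without SNI: %.0f%% of connections"
          % (100 * mismatch_rate(seen, expected)))
    print("names a non-SNI client cannot verify if the old cert is served:",
          hosts_not_covered(("mail.cs.sbg.ac.at", "imap.cs.sbg.ac.at",
                             "pop.cs.sbg.ac.at"), SAN_OLD))
```

Two things this separates out. First, the sample size: the posted config runs `imap-login` with `service_count = 0` and `process_min_avail = 8`, so many connections share a login process; sampling well beyond that many connections, and noting whether the wrong fingerprint clusters or appears at random, tells per-process state apart from per-connection chance. The thread does not reach that diagnosis, so treat it as a check to run rather than a conclusion. Second, the name: mail.cs.sbg.ac.at is in both SAN lists, which is why `openssl s_client` verifies fine whichever leaf is served, while a client dialling imap.cs.sbg.ac.at or pop.cs.sbg.ac.at without SNI fails exactly when the old-domain certificate comes back.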