Hello,

Using Let's Encrypt SSL certs with SAN works perfectly with 2.2.34, but after upgrading to 2.3.4.1 the certificate couldn't be verified (also tried v2.3.7.1).

I connect to imap.myserver.lan.

The CN of the cert is myserver.lan and it has the SAN imap.myserver.lan.

openssl s_client -connect imap.myserver.lan:993
CONNECTED(00000005)
depth=0 CN = imap.myserver.lan
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = imap.myserver.lan
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:CN = imap.myserver.lan
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3

If I cat ssl_ca and ssl_cert into one file and only use ssl_cert, it's working with 2.3.X.

ssl_ca = </etc/ssl/ca-bundle.pem
ssl_cert = </etc/ssl-imap.pem
> On 06/08/2019 22:49 telsch via dovecot <dovecot at dovecot.org> wrote:
>
> Hello,
>
> Using Let's Encrypt SSL certs with SAN works perfectly with 2.2.34, but
> after upgrading to 2.3.4.1 the certificate couldn't be verified (also tried v2.3.7.1).
>
> I connect to imap.myserver.lan.
>
> The CN of the cert is myserver.lan and it has the SAN imap.myserver.lan.
>
> openssl s_client -connect imap.myserver.lan:993
> CONNECTED(00000005)
> depth=0 CN = imap.myserver.lan
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 CN = imap.myserver.lan
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
>  0 s:CN = imap.myserver.lan
>    i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
>
> If I cat ssl_ca and ssl_cert into one file and only use ssl_cert, it's working with 2.3.X.
>
> ssl_ca = </etc/ssl/ca-bundle.pem
> ssl_cert = </etc/ssl-imap.pem

ssl_ca is not supposed to be automatically cat'ed into the certificate. The correct way is to put the cert and the leafs to the cert, in order towards the root, into ssl-imap.pem. ssl_ca is intended for verifying clients connecting to the server.

Aki
On Tue, 6 Aug 2019, telsch wrote:

> If I cat ssl_ca and ssl_cert into one file and only use ssl_cert, it's working with 2.3.X.
> ssl_ca = </etc/ssl/ca-bundle.pem
> ssl_cert = </etc/ssl-imap.pem

In the words of Montoya, "I do not think it means what you think it means", referring to "ssl_ca". That file is not used to establish the trust chain to your server certificate, but rather to your clients' certificates (e.g. if you run a local CA to issue user certificates for mutual authentication, you would put your local CA certificate here).

(Maybe this config variable should be renamed "ssl_client_ca".)

Appending intermediate and server certificates is what you're supposed to do.

Joseph Tam <jtam.home at gmail.com>
> On 07/08/2019 00:37 Joseph Tam via dovecot <dovecot@dovecot.org> wrote:
>
> On Tue, 6 Aug 2019, telsch wrote:
>
> > If I cat ssl_ca and ssl_cert into one file and only use ssl_cert, it's working with 2.3.X.
> > ssl_ca = </etc/ssl/ca-bundle.pem
> > ssl_cert = </etc/ssl-imap.pem
>
> In the words of Montoya, "I do not think it means what you think it
> means", referring to "ssl_ca". That file is not used to establish
> the trust chain to your server certificate, but rather to your clients'
> certificates (e.g. if you run a local CA to issue user certificates
> for mutual authentication, you would put your local CA certificate here).
>
> (Maybe this config variable should be renamed "ssl_client_ca".)

... except there already are ssl_client_ca_* settings, used to validate connections from Dovecot.

> Appending intermediate and server certificates is what you're supposed
> to do.
>
> Joseph Tam <jtam.home@gmail.com>

---
Aki Tuomi
With v2.2.34 I can use:

ssl_ca = </etc/ssl/ca-bundle.pem
ssl_cert = </etc/ssl-imap.pem

After upgrading to v2.3.X it doesn't work like before.

It's working if I manually cat ca-bundle.pem and ssl-imap.pem into one file and use only:

ssl_cert = </etc/ssl-imap.pem

I thought ssl_ca is where to put the intermediate cert?
> On 07/08/2019 14:28 telsch <telsch at gmx.de> wrote:
>
> With v2.2.34 I can use:
>
> ssl_ca = </etc/ssl/ca-bundle.pem
> ssl_cert = </etc/ssl-imap.pem
>
> After upgrading to v2.3.X it doesn't work like before.
>
> It's working if I manually cat ca-bundle.pem and ssl-imap.pem into one
> file and use only:
>
> ssl_cert = </etc/ssl-imap.pem
>
> I thought ssl_ca is where to put the intermediate cert?

(Sorry for the duplicate mail, keyboard acted up...)

No, that has always been a mistake and it was fixed in 2.3. Our SSL pages in the documentation & wiki have always recommended concatenating the intermediates with the cert.

Aki
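An added example, not code from the thread or from Dovecot: a shell script that builds the file ssl_cert should point at the way Aki and Joseph describe (server certificate first, then the intermediate, ssl_ca not involved), checks the order of the blocks, and reproduces the thread's verify error 20 when only the leaf is available. It needs the openssl CLI; the host names, paths and throwaway test PKI are made up.

```shell
# Added example, not from the thread: build the file ssl_cert should point at
# in Dovecot 2.3 (leaf first, then intermediates, root omitted) and check it with
# the openssl CLI. Names and paths are made up; the PKI is throwaway test material.
set -eu

# Print "ok" if every certificate after the first is the issuer of the one before
# it (leaf -> intermediate -> ...), otherwise "bad".
check_chain_order() {
    local bundle=$1 tmp i=1 prev_issuer="" subject issuer result=ok
    tmp=$(mktemp -d)
    # one file per PEM block, numbered in the order they appear in the bundle
    awk -v d="$tmp" '/BEGIN CERTIFICATE/{n++} n{print > (d "/" n ".pem")}' "$bundle"
    while [ -f "$tmp/$i.pem" ]; do
        subject=$(openssl x509 -in "$tmp/$i.pem" -noout -subject)
        issuer=$(openssl x509 -in "$tmp/$i.pem" -noout -issuer)
        # strip the "subject="/"issuer=" labels so the two DNs compare directly
        if [ -n "$prev_issuer" ] && [ "${subject#subject=}" != "${prev_issuer#issuer=}" ]; then
            result=bad
        fi
        prev_issuer=$issuer
        i=$((i + 1))
    done
    rm -rf "$tmp"
    echo "$result"
}

# $1 root CA file, $2 file of untrusted intermediates (what the server sends) or "", $3 leaf
verify_leaf() {
    openssl verify -CAfile "$1" ${2:+-untrusted "$2"} "$3" >/dev/null 2>&1
}

# Throwaway PKI: root -> intermediate -> leaf carrying the SAN from the thread.
make_test_pki() {
    local d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n' > "$d/ca.ext"
    printf 'subjectAltName=DNS:imap.myserver.lan\n' > "$d/leaf.ext"
    openssl req -newkey rsa:2048 -nodes -subj /CN=Test-Root -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj /CN=Test-Intermediate -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj /CN=myserver.lan -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial -days 2 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
}

W=$(mktemp -d); make_test_pki "$W"
cat "$W/leaf.pem" "$W/int.pem" > "$W/ssl-imap.pem"   # the file ssl_cert should point at
echo "order in ssl-imap.pem: $(check_chain_order "$W/ssl-imap.pem")"
# leaf alone is what the thread's 2.3 server sent: fails like the s_client output (error 20)
verify_leaf "$W/root.pem" "" "$W/leaf.pem" || echo "leaf alone: unable to get local issuer certificate"
verify_leaf "$W/root.pem" "$W/ssl-imap.pem" "$W/leaf.pem" && echo "leaf + intermediate: OK"
```

Point ssl_cert at the concatenated file and leave ssl_ca unset unless you actually verify client certificates.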
OK, thanks for the clarification.

> No, that has always been a mistake and it was fixed in 2.3. Our SSL pages in the documentation & wiki have always recommended concatenating the intermediates with the cert.
>
> Aki
On Wed, 7 Aug 2019 20:24:13 +0300 (EEST), Aki Tuomi via dovecot wrote:

> > I thought ssl_ca is where to put the intermediate cert?

Well, it surely worked that way until v2.3...

> (Sorry for the duplicate mail, keyboard acted up...)
>
> No, that has always been a mistake and it was fixed in 2.3. Our SSL
> pages in the documentation & wiki have always recommended concatenating
> the intermediates with the cert.

Aki, after the issue came up last time <http://dovecot.2317879.n4.nabble.com/dovecot-2-2-openssl-1-0-vs-dovecot-2-3-openssl-1-1-1-ssl-regression-tt65322.html#none>, you appeared to have changed your mind? What happened?

Cheerio,
Hauke

-- 
The ASCII Ribbon Campaign                  Hauke Fath
()    No HTML/RTF in email                 Institut für Nachrichtentechnik
/\    No Word docs in email                TU Darmstadt
      Respect for open standards           Ruf +49-6151-16-21344