Marc Roos
2019-Nov-20 13:13 UTC
ios12 clients not getting correct certificate, sni supported not? or config error?
I am having an ios12.4.1 client whine about access problems. He is getting the 'default' self-signed certificate instead of the hostname alias.

    openssl s_client -servername mail.xxxxx.com -connect x.x.x.x:pop3s

gives a 'Verify return code: 0 (ok)'.

I can't imagine this sni support is not available in recent versions. Should I remove this default certificate in the main section of 10-ssl.conf?

These lines I have added to 10-ssl.conf:

    ssl_cert = </etc/pki/tls/certs/mail-wildcard.crt
    ssl_key = </etc/pki/tls/private/mail-wildcard.key

    local 192.168.10.43 {
      ssl_key = </etc/pki/tls/private/xxxxxxx.local.key
      ssl_cert = </etc/pki/tls/certs/xxxxxxx.local.crt
    }

    local_name mail.xxxxx.com {
      ssl_key = </etc/pki/tls/private/mail.xxxxx.com.key
      ssl_cert = </etc/pki/tls/certs/mail.xxxxx.com.crt
    }

    local_name imap.xxxxxxx.net {
      ssl_key = </etc/pki/tls/private/imap.xxxxxxx.net.key
      ssl_cert = </etc/pki/tls/certs/imap.xxxxxxx.net.crt
    }

    [@ conf.d]# doveconf | egrep 'ssl_cert|ssl_key'
    ssl_cert = </etc/pki/tls/certs/mail-wildcard.crt
    ssl_cert_username_field = commonName
    ssl_key = # hidden, use -P to show it
    ssl_key_password
    ssl_cert = </etc/pki/tls/certs/xxxxxxx.local.crt
    ssl_key = # hidden, use -P to show it
    ssl_cert = </etc/pki/tls/certs/mail.xxxxx.com.crt
    ssl_key = # hidden, use -P to show it
    ssl_cert = </etc/pki/tls/certs/imap.xxxxxxx.net.crt
    ssl_key = # hidden, use -P to show it