pkgsrc-Bugs archive


pkg/52918: mail/dovecot does not supply intermediate CA certs



>Number:         52918
>Category:       pkg
>Synopsis:       mail/dovecot does not supply intermediate CA certs
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Jan 11 14:50:00 +0000 2018
>Originator:     Hauke Fath
>Release:        NetBSD 7.1_STABLE
>Organization:
Technische Universitaet Darmstadt
>Environment:
	
	
System: NetBSD Bounce 7.1_STABLE NetBSD 7.1_STABLE (DMZ_DOMU) #2: Thu Jan 4 11:54:10 CET 2018 hf@Hochstuhl:/var/obj/netbsd-builds/7/amd64/sys/arch/amd64/compile/DMZ_DOMU amd64
Architecture: x86_64
Machine: amd64
>Description:

	The new mail/dovecot2 v2.3.0 fails to supply clients with
	configured intermediate CA TLS certificates. This is a
	regression from 2.2.33.2.

	

>How-To-Repeat:

	With the following TLS setup

ssl_cert = </etc/openssl/certs/server.cert
ssl_key = </etc/openssl/private/server.key
ssl_ca = </etc/openssl/certs/ca-cert-chain.pem

	an s_client call against 2.3.0 will give

% openssl s_client -connect XXX:993
CONNECTED(00000006)
depth=0 C = DE, ST = Hessen, L = Darmstadt, O = Technische Universitaet Darmstadt, OU = XXX, CN = XXX.tu-darmstadt.de
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = DE, ST = Hessen, L = Darmstadt, O = Technische Universitaet Darmstadt, OU = XXX, CN = XXX.tu-darmstadt.de
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=Hessen/L=Darmstadt/O=Technische Universitaet Darmstadt/OU=XXX/CN=XXX.tu-darmstadt.de
   i:/C=DE/ST=Hessen/L=Darmstadt/O=Technische Universitaet Darmstadt/CN=TUD CA G01/emailAddress=tud-ca%hrz.tu-darmstadt.de@localhost
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
%

	and clients will complain about an unverifiable server cert.

	The same configuration works fine with 2.2.x.

	
>Fix:

	I have reported the problem upstream; the question is whether
	the package should be rolled back until they provide a fix.

	We have rolled back the local installation for now.

	

>Unformatted:
 	
 	


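A check for the symptom in this report, added here as an example; it is not part of the PR and not Dovecot's code. It parses the text that `openssl s_client` prints (the transcript shape quoted above) and flags a server that sends only its leaf certificate while OpenSSL reports that the leaf's issuer could not be found, which is what a missing intermediate looks like from the client side. The two sample transcripts are constructed with placeholder names; the numeric codes 20 and 21 are OpenSSL's X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY and X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE. The check is independent of the server software, so it applies to any TLS listener, not only Dovecot on 993.

```python
"""Flag a TLS server that omits its intermediate CA certificate, from openssl s_client output.

Added example (not the PR's or Dovecot's own code): parses the text that
`openssl s_client` prints and reports whether the issuer of the server
(depth 0) certificate was neither sent by the server nor found locally.
"""
import re
import sys
from dataclasses import dataclass, field

DEPTH_RE = re.compile(r"^depth=(\d+)")
VERIFY_ERR_RE = re.compile(r"^verify error:num=(\d+):(.*)$")
SUBJECT_RE = re.compile(r"^\s*(\d+) s:(.*)$")
ISSUER_RE = re.compile(r"^\s+i:(.*)$")

# OpenSSL X509 verify result codes that indicate a missing issuer.
ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = 20  # "unable to get local issuer certificate"
ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE = 21    # "unable to verify the first certificate"


@dataclass
class ChainReport:
    chain: list = field(default_factory=list)         # [(subject, issuer), ...] in the order the server sent them
    errors: list = field(default_factory=list)        # [(depth, num, message), ...]
    broken_links: list = field(default_factory=list)  # indexes i where chain[i].issuer != chain[i+1].subject

    @property
    def leaf_issuer_missing(self) -> bool:
        """True when OpenSSL could not find the issuer of the depth-0 (server) certificate."""
        return any(
            num == ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
            or (num == ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY and depth == 0)
            for depth, num, _ in self.errors
        )


def parse_s_client(output: str) -> ChainReport:
    """Extract verify errors and the 'Certificate chain' block from s_client output."""
    report = ChainReport()
    depth = None      # depth of the most recent "depth=N ..." line
    subject = None    # subject waiting for its "i:" issuer line
    in_chain = False
    for line in output.splitlines():
        if m := DEPTH_RE.match(line):
            depth = int(m.group(1))
        elif m := VERIFY_ERR_RE.match(line):
            report.errors.append((depth, int(m.group(1)), m.group(2).strip()))
        elif line.strip() == "Certificate chain":
            in_chain = True
        elif in_chain:
            if line.strip() == "---":
                in_chain = False
            elif m := SUBJECT_RE.match(line):
                subject = m.group(2).strip()
            elif (m := ISSUER_RE.match(line)) and subject is not None:
                report.chain.append((subject, m.group(1).strip()))
                subject = None
    chain = report.chain
    # Each certificate's issuer should be the subject of the next one the server sent.
    report.broken_links = [i for i in range(len(chain) - 1) if chain[i][1] != chain[i + 1][0]]
    return report


def diagnose(report: ChainReport) -> str:
    """One-line verdict a monitoring job can log or alert on."""
    if not report.chain:
        return "no certificate chain found in input"
    if report.leaf_issuer_missing and len(report.chain) == 1:
        return f"server sent only the leaf certificate; missing intermediate for issuer {report.chain[0][1]!r}"
    if report.leaf_issuer_missing:
        return "leaf issuer not found although a chain was sent; check chain order and trust store"
    if report.broken_links:
        return f"chain does not link at position(s) {report.broken_links}"
    return f"chain of {len(report.chain)} certificate(s) looks complete"


# Constructed sample in the shape of the transcript from the report (placeholder names).
SAMPLE_INCOMPLETE = """CONNECTED(00000006)
depth=0 C = DE, O = Example Org, OU = XXX, CN = mail.example.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = DE, O = Example Org, OU = XXX, CN = mail.example.org
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=DE/O=Example Org/OU=XXX/CN=mail.example.org
   i:/C=DE/O=Example Org/CN=Example CA G01
---
Server certificate
"""

# Constructed sample of a server that does send its intermediate.
SAMPLE_COMPLETE = """CONNECTED(00000003)
depth=2 C = DE, O = Example Org, CN = Example Root CA
verify return:1
depth=1 C = DE, O = Example Org, CN = Example CA G01
verify return:1
depth=0 C = DE, O = Example Org, CN = mail.example.org
verify return:1
---
Certificate chain
 0 s:/C=DE/O=Example Org/CN=mail.example.org
   i:/C=DE/O=Example Org/CN=Example CA G01
 1 s:/C=DE/O=Example Org/CN=Example CA G01
   i:/C=DE/O=Example Org/CN=Example Root CA
---
Server certificate
"""

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else ""
    if text:
        print(diagnose(parse_s_client(text)))
    else:
        for name, sample in (("incomplete", SAMPLE_INCOMPLETE), ("complete", SAMPLE_COMPLETE)):
            print(f"{name}: {diagnose(parse_s_client(sample))}")
```

Run without input to see both constructed cases, or feed a live transcript, e.g. `openssl s_client -connect mail.example.org:993 </dev/null 2>/dev/null | python3 chain_check.py` (hostname and script name are placeholders). The verdict relies on OpenSSL's own verify codes rather than on chain length alone, because a single-certificate chain is legitimate when the leaf is signed directly by a root in the client's trust store.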