Univention Bugzilla – Full Text Bug Listing |
Summary: | Dovecot should support multiple SSL certificates with SNI | | |
---|---|---|---|
Product: | UCS | Reporter: | Sönke Schwardt-Krummrich <schwardt> |
Component: | Mail - Dovecot | Assignee: | Erik Damrose <damrose> |
Status: | CLOSED FIXED | QA Contact: | Daniel Tröder <troeder> |
Severity: | normal | | |
Priority: | P5 | CC: | damrose, heidelberger, schneider, troeder |
Version: | UCS 4.4 | | |
Target Milestone: | UCS 4.4-0-errata | | |
Hardware: | Other | | |
OS: | Linux | | |
What kind of report is it?: | Bug Report | What type of bug is this?: | 5: Major Usability: Impairs usability in key scenarios |
Who will be affected by this bug?: | 3: Will affect average number of installed domains | How will those affected feel about the bug?: | 3: A User would likely not purchase the product |
User Pain: | 0.257 | Enterprise Customer affected?: | |
School Customer affected?: | Yes | ISV affected?: | |
Waiting Support: | | Flags outvoted (downgraded) after PO Review: | |
Ticket number: | | Bug group (optional): | |
Max CVSS v3 score: | | | |
Description
Sönke Schwardt-Krummrich
2019-01-17 14:48:47 CET
Priority has been taken over from 48448. This bug is the better solution.

37f93386 Add SNI Support to univention-mail-dovecot
Additional fqdns and certificates can be configured with UCRvs
mail/dovecot/ssl/sni/$fqdn/certificate=$path_to_certificate and
mail/dovecot/ssl/sni/$fqdn/key=$path_to_certificate_key
Testcase added: 40_mail/48_check_ssl_sni

3ce9f9c2 changelog
538bb3eb yaml

OK: code
OK: automated test
40_mail/48_check_ssl_sni fails with univention-mail-dovecot=5.0.1-1 and succeeds with 5.0.1-4
OK: manual test:

```
# univention-certificate new -name foo2.bar2 -days 2
# ucr set mail/dovecot/ssl/sni/foo2.bar2/certificate=/etc/univention/ssl/foo2.bar2/cert.pem mail/dovecot/ssl/sni/foo2.bar2/key=/etc/univention/ssl/foo2.bar2/private.key
# grep foo2.bar2 /etc/dovecot/conf.d/10-ssl.conf
local_name foo2.bar2 {
ssl_cert = < /etc/univention/ssl/foo2.bar2/cert.pem
ssl_key = < /etc/univention/ssl/foo2.bar2/private.key
# service dovecot restart

(my notebook)# echo '10.200.3.141 m141-ox.uni.dtr m141-ox foo2.bar2' >> /etc/hosts
(my notebook)# fetchmail -v --ssl --check --nodetach --protocol IMAP --all --keep --username test2m@uni.dtr m141-ox.uni.dtr
Trying to connect to 10.200.3.141/993...connected.
fetchmail: Server certificate:
fetchmail: Issuer Organization: Uni Test GmbH
fetchmail: Issuer CommonName: Univention Corporate Server Root CA (ID=nZjIOIo7)
fetchmail: Subject CommonName: m141-ox.uni.dtr
fetchmail: Subject Alternative Name: m141-ox.uni.dtr
fetchmail: Subject Alternative Name: m141-ox
fetchmail: m141-ox.uni.dtr key fingerprint: 2D:B2:5A:64:CB:C5:26:6A:9E:69:91:7B:C1:AE:AF:54

(my notebook)# fetchmail -v --ssl --check --nodetach --protocol IMAP --all --keep --username test2m@uni.dtr foo2.bar2
Trying to connect to 10.200.3.141/993...connected.
fetchmail: Server certificate:
fetchmail: Issuer Organization: Uni Test GmbH
fetchmail: Issuer CommonName: Univention Corporate Server Root CA (ID=nZjIOIo7)
fetchmail: Subject CommonName: foo2.bar2
fetchmail: Subject Alternative Name: foo2.bar2
fetchmail: Subject Alternative Name: foo2
fetchmail: foo2.bar2 key fingerprint: BF:C7:A2:D1:15:D5:BF:A1:00:D4:75:08:70:C4:04:21
```

OK: advisory

Do we have to adapt the Let's Encrypt app, too?

Yes - it would be great if the LE app would check for u-m-dovecot with version >= 4.0.0-16 (4.3) or 5.0.1-4 (4.4) and would set the UCRVs automatically.

(In reply to Daniel Tröder from comment #5)
> Yes - it would be great if the LE app would check for u-m-dovecot with
> version >= 4.0.0-16 (4.3) or 5.0.1-4 (4.4) and would set the UCRVs
> automatically.

Why not always set the UCR variable?
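As an added example (my own code, not Univention's template for 10-ssl.conf), the mapping the description spells out, rendered in Python: the UCR variables mail/dovecot/ssl/sni/$fqdn/certificate and mail/dovecot/ssl/sni/$fqdn/key are collected per fqdn and emitted as Dovecot local_name blocks in the shape the grep output shows, while an fqdn that has only one of the two variables set is reported instead of rendered, since a local_name block needs both. The UCR lines are constructed; the "key: value" input form and the name mail.example.test are assumptions.

```python
import re

# UCR variable names described in the bug: mail/dovecot/ssl/sni/<fqdn>/certificate and .../key
UCR_SNI_RE = re.compile(r"^mail/dovecot/ssl/sni/(?P<fqdn>[^/]+)/(?P<kind>certificate|key)$")


def parse_ucr(lines: list[str]) -> dict[str, str]:
    """Parse 'key: value' lines (assumed input form, as 'ucr dump' prints) into a dict."""
    ucr: dict[str, str] = {}
    for line in lines:
        key, sep, value = line.strip().partition(": ")
        if sep and key:
            ucr[key.strip()] = value.strip()
    return ucr


def collect_sni(ucr: dict[str, str]) -> tuple[dict[str, dict[str, str]], list[str]]:
    """Group SNI variables by fqdn; return (complete entries, fqdns lacking cert or key)."""
    entries: dict[str, dict[str, str]] = {}
    for key, value in ucr.items():
        m = UCR_SNI_RE.match(key)
        if m and value:
            entries.setdefault(m.group("fqdn"), {})[m.group("kind")] = value
    # Dovecot needs both ssl_cert and ssl_key inside a local_name block, so skip half-set names.
    incomplete = sorted(f for f, e in entries.items() if not ("certificate" in e and "key" in e))
    complete = {f: e for f, e in entries.items() if f not in incomplete}
    return complete, incomplete


def render_local_names(entries: dict[str, dict[str, str]]) -> str:
    """Render local_name blocks in the shape the grep of 10-ssl.conf shows above."""
    out = []
    for fqdn in sorted(entries):
        out.append(f"local_name {fqdn} {{\n")
        out.append(f"  ssl_cert = < {entries[fqdn]['certificate']}\n")
        out.append(f"  ssl_key = < {entries[fqdn]['key']}\n")
        out.append("}\n")
    return "".join(out)


# Constructed sample input: the fqdn from the manual test plus one that is missing its key.
SAMPLE_UCR = [
    "mail/dovecot/ssl/sni/foo2.bar2/certificate: /etc/univention/ssl/foo2.bar2/cert.pem",
    "mail/dovecot/ssl/sni/foo2.bar2/key: /etc/univention/ssl/foo2.bar2/private.key",
    "mail/dovecot/ssl/sni/mail.example.test/certificate: /etc/univention/ssl/mail.example.test/cert.pem",
    "mail/dovecot/ssl/enabled: yes",
]

if __name__ == "__main__":
    complete, incomplete = collect_sni(parse_ucr(SAMPLE_UCR))
    print(render_local_names(complete) + "".join(f"# skipped {f}: needs certificate and key\n" for f in incomplete))
```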