Bug 49064 - Dovecot should support multiple SSL certificates with SNI
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Mail - Dovecot
Version: UCS 4.3
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.3-3-errata
Assigned To: Erik Damrose
QA Contact: Daniel Tröder
Depends on:
Blocks:
Reported: 2019-03-22 16:04 CET by Erik Damrose
Modified: 2019-04-10 14:35 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.257
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Description Erik Damrose univentionstaff 2019-03-22 16:04:52 CET
UCS 4.3 backport

+++ This bug was initially created as a clone of Bug #48485 +++

Dovecot should support multiple SSL certificates with SNI.
Comment 1 Erik Damrose univentionstaff 2019-03-22 16:13:56 CET
83259838 Add SNI Support to univention-mail-dovecot
Additional FQDNs and certificates can be configured with the UCR variables
mail/dovecot/ssl/sni/$fqdn/certificate=$path_to_certificate and
mail/dovecot/ssl/sni/$fqdn/key=$path_to_certificate_key

57f964eb testcase
fcc1de9e changelog
50181ece yaml
Comment 2 Daniel Tröder univentionstaff 2019-03-29 12:29:28 CET
OK: code
OK: automated test 40_mail/48_check_ssl_sni fails with univention-mail-dovecot=4.0.0-13 and succeeds with 4.0.0-16
OK: manual test:
# univention-certificate new -name foo.bar -days 2
# ucr set mail/dovecot/ssl/sni/foo.bar/certificate=/etc/univention/ssl/foo.bar/cert.pem mail/dovecot/ssl/sni/foo.bar/key=/etc/univention/ssl/foo.bar/private.key
# grep foo.bar /etc/dovecot/conf.d/10-ssl.conf
local_name foo.bar {
  ssl_cert = < /etc/univention/ssl/foo.bar/cert.pem
  ssl_key = < /etc/univention/ssl/foo.bar/private.key
# service dovecot restart

(my notebook)# echo '10.200.3.53 foo.bar ox53.uni.dtr' >> /etc/hosts

(my notebook)# fetchmail -v --ssl --check --nodetach --protocol IMAP --all --keep --username test2m@uni.dtr ox53.uni.dtr
Trying to connect to 10.200.3.53/993...connected.
fetchmail: Server certificate:
fetchmail: Issuer Organization: Uni Test GmbH
fetchmail: Issuer CommonName: Univention Corporate Server Root CA (ID=kL5WjO6C)
fetchmail: Subject CommonName: ox53.uni.dtr
fetchmail: Subject Alternative Name: ox53.uni.dtr
fetchmail: Subject Alternative Name: ox53
fetchmail: ox53.uni.dtr key fingerprint: 47:A1:55:60:D8:34:22:EF:FD:C5:FE:56:2B:CE:04:33

(my notebook)# fetchmail -v --ssl --check --nodetach --protocol IMAP --all --keep --username test2m@uni.dtr foo.bar
Trying to connect to 10.200.3.53/993...connected.
fetchmail: Server certificate:
fetchmail: Issuer Organization: Uni Test GmbH
fetchmail: Issuer CommonName: Univention Corporate Server Root CA (ID=kL5WjO6C)
fetchmail: Subject CommonName: foo.bar
fetchmail: Subject Alternative Name: foo.bar
fetchmail: Subject Alternative Name: foo
fetchmail: foo.bar key fingerprint: A5:8C:50:7A:9C:B7:27:F0:83:B0:B4:20:C9:4A:5E:0D
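The UCR-to-10-ssl.conf mapping from comment 1 and the per-name certificate check from comment 2, as an added example that is not part of this bug or of the univention-mail-dovecot package. It assumes the mail/dovecot/ssl/sni/$fqdn/{certificate,key} variable names above, the local_name block layout shown by the grep, and the UCS root CA at /etc/univention/ssl/ucsCA/CAcert.pem (an assumption about the UCS layout); the sample variable set is constructed. Unlike the fetchmail run above, which only prints the served certificate, the probe verifies the chain against the UCS CA and, when an SNI name is sent, also checks that the served certificate actually names it, so a server that ignores SNI fails the check instead of merely showing a different fingerprint:

```python
"""Render Dovecot SNI blocks from UCR variables and probe what a server serves.

Added example, not code from this bug or from univention-mail-dovecot. Assumes
the UCR variable names from the bug, the local_name layout from the grep output
and the UCS root CA path below (an assumption about the UCS layout).
"""
import hashlib
import os
import re
import socket
import ssl

UCR_PREFIX = "mail/dovecot/ssl/sni/"
UCS_CA = "/etc/univention/ssl/ucsCA/CAcert.pem"  # assumed UCS root CA path
# RFC 1123 host name: dot-separated labels of 1-63 alphanumerics/hyphens.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_FQDN_RE = re.compile(r"^%s(?:\.%s)+$" % (_LABEL, _LABEL), re.IGNORECASE)


def parse_sni_vars(ucr):
    """Group mail/dovecot/ssl/sni/<fqdn>/{certificate,key} into {fqdn: {attr: path}}."""
    grouped = {}
    for key, value in ucr.items():
        if not key.startswith(UCR_PREFIX):
            continue
        fqdn, sep, attr = key[len(UCR_PREFIX):].rpartition("/")
        if sep and attr in ("certificate", "key"):
            grouped.setdefault(fqdn, {})[attr] = value
    return grouped


def render_local_name_blocks(ucr):
    """Return (config text, problems) in the layout Dovecot expects in 10-ssl.conf.

    A name is rendered only when it has both a certificate and a key, is a valid
    host name, and both paths are absolute single-line strings; anything else is
    reported instead of written, so one bad variable cannot break TLS for the
    other SNI names.
    """
    blocks, problems = [], []
    grouped = parse_sni_vars(ucr)
    for fqdn in sorted(grouped):
        paths = grouped[fqdn]
        missing = [a for a in ("certificate", "key") if a not in paths]
        if missing:
            problems.append("%s: missing %s" % (fqdn, " and ".join(missing)))
            continue
        if not _FQDN_RE.match(fqdn):
            problems.append("%s: not a valid host name" % fqdn)
            continue
        bad = [p for p in paths.values() if not os.path.isabs(p) or re.search(r"\s", p)]
        if bad:
            problems.append("%s: path must be absolute without whitespace: %s"
                            % (fqdn, ", ".join(bad)))
            continue
        blocks.append("local_name %s {\n  ssl_cert = < %s\n  ssl_key = < %s\n}\n"
                      % (fqdn, paths["certificate"], paths["key"]))
    return "".join(blocks), problems


def served_certificate(host, servername, port=993, cafile=UCS_CA):
    """Connect with TLS, send SNI `servername` (no SNI when None) and return the
    (commonName, SHA-256 fingerprint) of the certificate the server picked.

    Chain verification stays on so getpeercert() yields a parsed subject; with a
    servername the host name check is on as well, so a server answering with
    another name's certificate raises ssl.SSLCertVerificationError.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = servername is not None
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=servername) as tls:
            der = tls.getpeercert(binary_form=True)
            subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
    return subject.get("commonName"), hashlib.sha256(der).hexdigest()


def check_sni(host, fqdns, **kw):
    """Probe every SNI name plus one connection without SNI (the default cert)."""
    report = {}
    for name in list(fqdns) + [None]:
        try:
            report[name] = served_certificate(host, name, **kw)
        except ssl.SSLCertVerificationError as exc:
            report[name] = ("VERIFY FAILED: %s" % exc, None)
    return report


if __name__ == "__main__":
    import sys
    # Constructed sample of UCR variable/value pairs, including two broken entries.
    sample = {
        "mail/dovecot/ssl/sni/foo.bar/certificate": "/etc/univention/ssl/foo.bar/cert.pem",
        "mail/dovecot/ssl/sni/foo.bar/key": "/etc/univention/ssl/foo.bar/private.key",
        "mail/dovecot/ssl/sni/mail.example.test/certificate": "/etc/ssl/mail.pem",
        "mail/dovecot/ssl/sni/rel.example.test/certificate": "cert.pem",
        "mail/dovecot/ssl/sni/rel.example.test/key": "/etc/ssl/rel.key",
    }
    conf, issues = render_local_name_blocks(sample)
    print(conf + "".join("skipped: %s\n" % p for p in issues))
    if len(sys.argv) > 2:  # e.g. python3 sni_check.py ox53.uni.dtr foo.bar ox53.uni.dtr
        for name, (cn, fp) in check_sni(sys.argv[1], sys.argv[2:]).items():
            print("SNI=%-20s CN=%s fingerprint=%s" % (name or "(none)", cn, fp))
```

The connection without SNI shows the default certificate, which is also what clients that connect by IP address or do not send SNI will get, so the host's own FQDN should stay the name most clients use. Dovecot reads the files named by ssl_cert and ssl_key as root at startup, so the key files referenced by the new UCR variables can stay root-only (0600) and should be.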
Comment 3 Erik Damrose univentionstaff 2019-04-10 14:35:32 CEST
<http://errata.software-univention.de/ucs/4.3/474.html>