
List:       dovecot
Subject:    Re: [Dovecot] Dovecot SSL limitations
From:       AllenJB <dovecot () allenjb ! me ! uk>
Date:       2009-11-30 21:32:24
Message-ID: 4B1439E8.8020505 () allenjb ! me ! uk

Thomas Hummel wrote:
> Hello Timo,
> 
> I'd like to check if my understanding of dovecot-1.2.x's SSL certificate
> handling is correct:
> 
>     SSL does not provide the server any mechanism to choose which certificate
>     it must send relative to the name the client is using. Thus, if you want to
>     use different certificates, you have to listen on different addresses. This is
>     an SSL limitation, not a Dovecot or IMAP limitation.
> 
>     This is the reason why it's possible to use different certificates for IMAP
>     and POP3. But it seems to work only with those two:
> 
>     As a matter of fact, even if you listen on different addresses, how would
>     you tell dovecot to send this certificate for this address and that certificate
>     for that address, since there is no IP-dependent section (as in an Apache IP-based
>     virtual host, for instance)? It seems the only way would be to have more than
>     one instance of dovecot (several dovecots with different config files).
> 
> The problem is that some clients may be configured with mail.my.domain, some
> others with imap.my.domain, etc. Hence the need to have different
> certificates with those different names as CN.
> 

Possibly off-topic from what the OP wants, but couldn't TLS Server Name
Indication (SNI) be used to overcome the single server certificate
limitation?

AllenJB