[Dovecot] SSL / TLS

Ed W lists at wildgooses.com
Sun Jul 12 21:21:31 EEST 2009


Timo Sirainen wrote:
> On Jul 11, 2009, at 1:10 PM, Ed W wrote:
>
>> Actually, I'm coming in rather late, but I thought that was the whole 
>> point of TLS that you could decide what certificate to present AFTER 
>> you knew which client was connecting?  This allows virtual hosting 
>> with a different SSL cert per host (current situation is rather 
>> difficult... I'm using a cert with multiple names on it, but this is 
>> hard to buy)
>
> You mean that there could be multiple hosts in same IP? That extension 
> has been talked about every once in a while, but nothing really ever 
> happens because people just think Outlook is never going to implement 
> it so there's no point in even trying.
>

I meant that you could have one server (one IP) and when a customer 
connects they can connect to mail.theirdomain.com (CNAME or A to 
mail.ourserver.com) and not see warnings about the SSL cert not matching 
the address they are connecting to (i.e. the generic problem).

Right now it requires a cert containing every possible destination 
server name on the single cert.  This works, but it's hard to buy such 
certs.  TLS (in general) offers the *possibility* to figure out what 
domain the customer is trying to connect to and present the correct cert 
up front.

Sadly it still seems to break for email because you need the customer to 
AUTH before upgrading to SSL and this isn't usually what they do...

By an extension I assume you mean there is actually some standard 
proposed to solve that bit of the puzzle, I wasn't even aware that was 
on the cards?


Anyway, the question was why does TLS exist at all, I presented the 
answer that we have the *possibility* to present one of several certs.  
I think this is a fair justification for the concept to exist.  However, 
I agree that exploiting the potential of TLS is still not there.


As an aside, I see several other software projects now enabling the 
compression option when establishing an SSL connection - any chance you 
could look at enabling the relevant lines of code in Dovecot?  We had 
this conversation some months/years back and it appeared simple on the 
dovecot side, but there is of course still only minimal client support 
(but at least we can break the chicken-egg situation).


Cheers

Ed W
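The mechanism Ed is describing is the TLS server_name (SNI) extension: the client puts the hostname it dialled into the ClientHello, so the server can pick a certificate before sending its own Certificate message. The following is an added example written for this page, not code from the thread or from Dovecot. It constructs a minimal ClientHello carrying SNI (sample input, not captured traffic), parses the hostname back out, and selects a certificate path from a map; the hostnames reuse the ones in the post, and the certificate paths and the `CERTS` table are invented placeholders. Malformed or truncated records raise rather than being guessed at, and an unknown or absent name falls back to the default (multi-name) certificate, which is the behaviour a server needs so that pre-SNI clients still get a usable handshake.

```python
import struct

SNI_EXT_TYPE = 0x0000   # TLS extension type "server_name" (RFC 6066)
HOST_NAME_TYPE = 0      # NameType host_name inside the server_name list

# Constructed placeholder map: SNI hostname -> certificate to present.
CERTS = {
    "mail.theirdomain.com": "/etc/ssl/private/theirdomain.pem",  # placeholder path
    "mail.ourserver.com": "/etc/ssl/private/ourserver.pem",      # placeholder path
}
DEFAULT_CERT = "/etc/ssl/private/multi-name.pem"                 # placeholder path


def build_client_hello(hostname=None) -> bytes:
    """Construct a minimal TLS 1.2-style ClientHello record (sample input).
    With hostname=None the record carries no extensions at all, which is
    what an old client that does not speak SNI would send."""
    extensions = b""
    if hostname is not None:
        name = hostname.encode("idna")
        entry = struct.pack("!BH", HOST_NAME_TYPE, len(name)) + name
        name_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", SNI_EXT_TYPE, len(name_list)) + name_list
        extensions = struct.pack("!H", len(ext)) + ext
    body = (
        b"\x03\x03"            # client_version: TLS 1.2
        + b"\x11" * 32         # random: fixed filler for the sample
        + b"\x00"              # session_id length 0
        + b"\x00\x02\xc0\x2f"  # one cipher suite
        + b"\x01\x00"          # one compression method: null
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name from a ClientHello record, or None if the
    client sent no SNI. Raises ValueError on malformed or truncated input."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a complete ClientHello handshake")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0

    def take(n):
        # Bounds-checked slice of the handshake body.
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated ClientHello")
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    take(2 + 32)                             # client_version + random
    take(take(1)[0])                         # session_id
    take(struct.unpack("!H", take(2))[0])    # cipher_suites
    take(take(1)[0])                         # compression_methods
    if pos == len(body):
        return None                          # no extensions block at all
    ext_end = pos + struct.unpack("!H", take(2))[0]
    while pos < ext_end:
        ext_type, ext_len = struct.unpack("!HH", take(4))
        data = take(ext_len)
        if ext_type != SNI_EXT_TYPE:
            continue
        if len(data) < 2:
            raise ValueError("malformed server_name extension")
        list_end = 2 + struct.unpack("!H", data[:2])[0]
        p = 2
        while p + 3 <= min(list_end, len(data)):
            name_type = data[p]
            name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
            name = data[p + 3:p + 3 + name_len]
            if len(name) != name_len:
                raise ValueError("truncated server_name entry")
            p += 3 + name_len
            if name_type == HOST_NAME_TYPE:
                return name.decode("ascii")
    return None


def pick_certificate(record: bytes, cert_by_name=CERTS, default=DEFAULT_CERT):
    """Decide which certificate to present, using only the SNI name.
    Anything unparseable, absent or unknown gets the default certificate."""
    try:
        sni = extract_sni(record)
    except ValueError:
        return default
    if sni is None:
        return default
    return cert_by_name.get(sni.lower(), default)


if __name__ == "__main__":
    for host in ("mail.theirdomain.com", "mail.ourserver.com", "other.example", None):
        print(host, "->", pick_certificate(build_client_hello(host)))
```

The selection happens purely on the ClientHello, before any certificate is sent, which is why a single IP can serve a different certificate per customer hostname. The fallback to `DEFAULT_CERT` is the piece that keeps the scheme safe to roll out: a client that omits SNI still completes the handshake with the old multi-name certificate rather than being refused.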

