Re: TLS: unable to get certificate ...

From: brian (no email)
Date: Sat Apr 12 2008 - 12:33:09 EDT

  • Next message: Wesley Craig: "Re: TLS: unable to get certificate ..."

    Goetz Babin-Ebell wrote:
    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    >
    > brian schrieb:
    > | Goetz Babin-Ebell wrote:
    > |> brian schrieb:
    > |> | brian wrote:
    >
    > |> |> I'm trying (and failing) to set up TLS and hope someone might be able to
    > |> |> shed some light on my problem. Authentication failed so I checked
    > |> |> maillog and found:
    > |> |>
    > |> |> imap[30288]: TLS server engine: cannot load CA data
    > |> This ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    >
    > Looking in the last source I have here (2.3.8), I'm definitely not
    > happy about the code that generates that message:
    > * If you don't do SSL client authentication, this message
    > ~ is only confusing noise.
    > * If you do SSL client authentication this message is not an
    > ~ info but an error and should be logged as one.
    > I opened a ticket and sent a patch in 2005.
    > Unfortunately it wasn't accepted (at least the last time I checked...)
    >
    > |> |> imap[30288]: unable to get certificate from
    > |> |> '/etc/pki/tls/certs/imapcert.pem'
    > |> and this ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    > |> Is your first hint.
    > |
    > | Yes, it was the first thing I noticed too. However, the fact that that
    > | file was easily readable confused me as to what the problem actually
    > | was. I thought that perhaps the file, while readable, contained garbage.
    >
    > There is a big difference between CA certificates and
    > end entity (server) certificates.
    > Here cyrus tried to load a CA certificate,
    > but imapcert.pem contains only the server certificate.
    >
    > OK, I was wrong:
    > these two error lines are unrelated.
    > The second failing because the first failed may be a result
    > of cyrus not clearing the OpenSSL error stack between
    > the two lines.
    >
    > Any developer listening?
    > calling ERR_clear_error(); on entering set_cert_stuff() (tls.c)
    > should fix this...
    > (If you're building cyrus from source,
    > ~ you could insert that line and try again)

    That's what I was wondering, also, after coming across this last night:
    http://weblog.elwing.org/elwing/index.php/archive/2007/07/18/cyrus-imap-and-certificates/

    >
    > |> I wish people would stop using self signed certificates in their
    > |> tutorials.
    > |> Creating a CA and using it to sign the certificates are
    > |> just two to three steps more and it gives people a hint how
    > |> to set up things correctly...
    > |
    > | Maybe I've got the terminology wrong then. By "self-signed" I mean that
    > | I did create my own CA, then created and signed a cert with that.
    > |
    > | # CA_nodes -newca
    > | # CA_nodes -newreq
    > | # CA_nodes -sign
    >
    > A self signed certificate is a certificate that is signed by the
    > same key that is in the certificate.
    >
    > What you have created is a normal certificate that
    > was signed by a local CA.
    >
    > | I'm not aware of any other kind of "self-signed" certificate. I thought
    > | it was either signed by Thawte, etc. or by one's own CA.
    >
    > ... or signed by the same key that is in the certificate
    > ~ (signed by itself)

    Thank you. I think it's becoming clearer now.

    >
    > |> | [abbreviated output follows]
    > |> |
    > |> | CONNECTED(00000003)
    > |> | depth=1 /C=CA/ST=Ontario/O=zijn
    > |> | digital/OU=server/CN=MYDOMAIN/emailAddress=root at MYDOMAIN
    > |> | verify return:1
    > |> | depth=0 /C=CA/ST=Ontario/L=Stratford/O=zijn
    > |> | digital/OU=mail/CN=mail.MYDOMAIN/emailAddress=postmaster at MYDOMAIN
    > |> | verify return:1
    > |> | ---
    > |> | Certificate chain
    > |> | 0 s:/C=CA/ST=Ontario/L=Stratford/O=zijn
    > |> | digital/OU=mail/CN=mail.MYDOMAIN/emailAddress=postmaster at MYDOMAIN
    > |> | i:/C=CA/ST=Ontario/O=zijn
    > |> | digital/OU=server/CN=MYDOMAIN/emailAddress=root at MYDOMAIN
    > |> OK, this is NOT a self signed certificate.
    > |>
    > | What tells you that?
    >
    > In a self-signed certificate, issuer and subject name are identical.

    Right. This makes sense now I know what to look for.

    >
    > BTW:
    >
    > If you have your server certificate directly signed by your
    > root (CA) certificate and you do not want to use client authentication,
    > you can configure cyrus imapd to not use any CA certificates at all:
    >
    > The client needs to know the root certificate anyway to determine if
    > it may trust it, so you gain nothing by transmitting it in the SSL handshake...
    >
    >
    > Goetz

    Thanks very much for your replies. I'm gaining a better understanding of
    this. Now, back to the docs ...

    b

    ----
    Cyrus Home Page: http://cyrusimap.web.cmu.edu/
    Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
    List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
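As an added example (not code from this thread, from Cyrus, or from OpenSSL), here is the check Goetz describes above: a certificate is self-signed exactly when its issuer and subject names are identical, which is also why the `s:`/`i:` lines in the s_client output differ for a CA-signed server certificate. The two sample certificates are constructed inline with a minimal DER encoder and carry placeholder key and signature fields, so they exercise only the Name comparison; the function names and the MYDOMAIN values are assumptions.

```python
# Added example, not from the thread: decide whether a DER certificate is
# self-signed by checking that issuer and subject Name are identical.
def _tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def issuer_and_subject(cert_der):
    """Walk Certificate -> tbsCertificate and return the raw issuer/subject Names."""
    _, tbs, _ = _tlv(_tlv(cert_der, 0)[1], 0)
    tag, _, pos = _tlv(tbs, 0)                  # version [0] EXPLICIT is optional
    if tag == 0xA0:
        _, _, pos = _tlv(tbs, pos)              # serialNumber
    _, _, pos = _tlv(tbs, pos)                  # signature AlgorithmIdentifier
    _, issuer, pos = _tlv(tbs, pos)             # issuer Name
    _, _, pos = _tlv(tbs, pos)                  # validity
    return issuer, _tlv(tbs, pos)[1]            # subject Name

def is_self_signed(cert_der):
    """Self-signed certificate: issuer and subject names are identical."""
    issuer, subject = issuer_and_subject(cert_der)
    return issuer == subject

# --- constructed test data (tiny DER encoder; key/signature are placeholders) ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _name(cn):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue; only CN (2.5.4.3) here."""
    atv = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))

def make_cert(issuer_cn, subject_cn):
    """X.509 v3 skeleton that is structurally valid but carries no real key."""
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
    validity = _der(0x30, _der(0x17, b"080412000000Z") + _der(0x17, b"090412000000Z"))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
           + _name(issuer_cn) + validity + _name(subject_cn)
           + _der(0x30, alg + _der(0x03, b"\x00")))
    return _der(0x30, _der(0x30, tbs) + alg + _der(0x03, b"\x00"))

CA_CERT = make_cert("MYDOMAIN", "MYDOMAIN")          # issuer == subject
SERVER_CERT = make_cert("MYDOMAIN", "mail.MYDOMAIN")  # issued by the local CA
```

On a real file, feed it the output of `openssl x509 -in imapcert.pem -outform DER`; the same walk applies because it skips fields by structure rather than by fixed offsets.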
    
