On Mon, May 16, 2005 at 11:21:12AM -0400, Roberto C. Sanchez wrote:
> Quoting Jonathan McDowell <[EMAIL PROTECTED]>:
> >On Mon, May 16, 2005 at 09:27:23AM -0400, Roberto C. Sanchez wrote:
> >>Jonathan McDowell wrote:
> >>> Hmmmm. I run with my own CA signed cert and had no problems with a
> >>> Woody -> Sarge upgrade of sslwrap on Friday. Can you send me your
> >>> /etc/sslwrap/debian_conf and the output of
> >>> "grep sslwrap /etc/inetd.conf" (assuming you're running it from inetd)?
> >>Did you want to see what they looked like before or after the upgrade?
> >
> >Both, if possible. Whatever you've got easily would be a good start
> >though. [both the same and as follows:]
>
> # grep sslwrap inetd.conf
> ssmtp stream tcp nowait root /usr/sbin/tcpd /usr/sbin/sslwrap -cert
> /etc/ssl/server_key_and_cert.pem -addr 127.0.0.1 -port 25
> imaps stream tcp nowait root /usr/sbin/tcpd /usr/sbin/sslwrap -cert
> /etc/ssl/server_key_and_cert.pem -addr 127.0.0.1 -port 143
>
> /etc/sslwrap/debian_config:
> run_mode="inetd"
> used_addr="127.0.0.1"
> with_certificate="true"
> certfile="/etc/ssl/server_key_and_cert.pem"
> overwrite_corrupted_certfile="false"
> check_cert="true"
> ports="imaps, ssmtp"
>
> I no longer have sslwrap installed since postfix-tls now properly grabs port
> 465 without dying and cyrus21 supports imaps (though last night I switched
> to courier, which also natively does imaps).

Yes, these days sslwrap is thankfully not so necessary as applications
are now able to link against the crypto code themselves.

> The problem, if you refer to my original mail, is that something about
> the CA was confusing sslwrap, which I believe tried to generate its
> own cert.

Is your root cert installed into the openssl framework (ie plumbed into
/etc/ssl/certs)? I think if that's not the case then as you have
"check_cert" set to true it'll fail to be able to validate the cert. I'm
surprised you haven't seen errors about this before on boot however.

J.

-- 
/-\                             |  "Bother", said Pooh, "Who put sand
|@/  Debian GNU/Linux Developer |        in the Vaseline?!?".
\-                              |
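
The question asked in the reply above (does the server certificate validate against a hashed CA directory such as /etc/ssl/certs) can be checked with `openssl verify`; the following is an added example, not part of the original thread. The CA, certificate, temporary paths and function names are constructed for illustration, and it shows what OpenSSL reports, not sslwrap's own check_cert logic.

```shell
# Added example. All names, paths and certificates here are constructed.

# Return 0 if the first certificate in $1 verifies against the hashed CA
# directory $2 (the /etc/ssl/certs layout). -no-CAfile needs OpenSSL 1.1.0+.
cert_chains_to_capath() {
    openssl verify -no-CAfile -CApath "$2" "$1" >/dev/null 2>&1
}

# Install CA certificate $1 into directory $2 under its subject-hash name,
# which is how OpenSSL looks certificates up in a -CApath directory.
install_ca() {
    cp "$1" "$2/$(openssl x509 -noout -hash -in "$1").0"
}

# Build a throwaway CA and a combined cert+key file in directory $1.
make_constructed_pki() {
    d=$1
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/ca.cnf" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
        -subj "/CN=mail.example.test" \
        -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/srv.pem" 2>/dev/null &&
    cat "$d/srv.pem" "$d/srv.key" > "$d/server_key_and_cert.pem" &&
    mkdir -p "$d/certs"
}

# Verify the same certificate before and after the CA is installed.
demo() {
    d=$(mktemp -d) && make_constructed_pki "$d" || return 2
    cert_chains_to_capath "$d/server_key_and_cert.pem" "$d/certs" && before=ok || before=FAIL
    install_ca "$d/ca.pem" "$d/certs"
    cert_chains_to_capath "$d/server_key_and_cert.pem" "$d/certs" && after=ok || after=FAIL
    rm -rf "$d"
    echo "before=$before after=$after"   # prints: before=FAIL after=ok
}
demo
```

On a real host the equivalent check is `cert_chains_to_capath /etc/ssl/server_key_and_cert.pem /etc/ssl/certs`, using the certificate path from the inetd.conf lines quoted above.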