What problem with startssl.com? Lots of people have used them for a long time with no problem.
On 2/11/15, Daniel Dickinson <dove...@daniel.thecshore.com> wrote:
> Hi all,
>
> As I reported earlier (with a typo in the word [BUG]), client
> certificate validation *does not* work even if you do everything
> exactly according to all documentation and attempts at helpful advice.
>
> I have seen this issue with both startssl.com and self-signed
> certificates, and based on what I've seen from searching the web, this
> is a problem that has gotten little attention because most people don't
> bother, but are more than willing to give out useless advice on how to
> make it work.
>
> Furthermore, the issue does NOT occur with the cyrus-imap mail server, so
> it is definitely a server-side issue.
>
> The actual issue is that the code for calling OpenSSL that constructs
> the client certificate validation is in fact WRONG.
>
> I don't have a perfect patch, as I was mostly interested in getting it
> working for my needs and didn't bother with constructing the list of CA
> names to send to the client, preferring to let OpenSSL handle all that
> sort of thing.
>
> What it comes down to is that the code, which probably worked at one
> point, was not correctly updated at some point, and since then client
> side certificate validation has been BROKEN.
>
> I have patched against 2.2.9; however, I have seen this problem in the
> versions in both Debian Wheezy and Debian Jessie as well.
>
> As you will see from the patch (which is an attachment, as people tend to
> complain that patches get mangled when you inline them, and even if I
> have a good client I've gotten heck because the receiver didn't).
>
> Regards,
>
> Daniel
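As an added example, not part of this thread and not Dovecot's code: a shell script that builds a throwaway PKI with the openssl CLI and checks the two things a server doing client-certificate validation has to get right, namely advertising the CA names in its CertificateRequest (which is what lets a client pick a certificate to offer) and accepting a client certificate signed by the configured CA while rejecting a client that presents none. The CA and certificate subjects, key size, loopback port, temporary directory and file names are assumptions of the example.

```shell
#!/bin/sh
# Added example, not Dovecot's code: exercise server-side client-certificate
# validation end to end with nothing but the openssl CLI. It builds a
# throwaway CA plus server and client certificates in a temporary directory,
# starts `openssl s_server` with mandatory client verification, and connects
# twice: with the client certificate (must be accepted) and without it (must
# be rejected). It also records whether the server advertised the CA name in
# its CertificateRequest. Subjects, key size, port and file names are assumed.

mk_test_pki() {            # $1 = working directory; writes ca/server/client PEM files
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" >/dev/null 2>&1
    for name in server client; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$name.example.test" \
            -keyout "$d/$name.key" -out "$d/$name.csr" >/dev/null 2>&1
        openssl x509 -req -days 1 -in "$d/$name.csr" -CA "$d/ca.pem" \
            -CAkey "$d/ca.key" -CAcreateserial -out "$d/$name.pem" >/dev/null 2>&1
    done
}

start_server() {           # $1 = dir, $2 = port; prints the PID of the background server
    # -Verify (capital V) is SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, depth 1.
    # -CAfile both verifies the client chain and fills the CA-name list that
    # s_server sends in its CertificateRequest. -www answers a GET with a status page.
    openssl s_server -accept "$2" -www -cert "$1/server.pem" -key "$1/server.key" \
        -CAfile "$1/ca.pem" -Verify 1 </dev/null >/dev/null 2>&1 &
    echo $!
}

tls_get() {                # $1 = dir, $2 = port, $3 = cert|nocert; prints the s_client transcript
    d=$1; p=$2
    if [ "$3" = cert ]; then
        set -- -cert "$d/client.pem" -key "$d/client.key"
    else
        set --
    fi
    # The sleep keeps stdin open long enough for the server's reply to arrive.
    # A failed handshake makes s_client exit non-zero; that is a result, not an error.
    { printf 'GET / HTTP/1.0\r\n\r\n'; sleep 1; } |
        openssl s_client -connect "127.0.0.1:$p" -CAfile "$d/ca.pem" "$@" 2>&1 || true
}

run_demo() {               # prints a one-line summary; returns 0 only if all three checks pass
    work=$(mktemp -d) || return 1
    port=$(( 20000 + $$ % 20000 ))      # unprivileged loopback port, varied per process
    mk_test_pki "$work"
    pid=$(start_server "$work" "$port")
    # Retry until the listener is up: s_client prints CONNECTED once TCP connects.
    tries=0; out=""
    while [ "$tries" -lt 15 ]; do
        out=$(tls_get "$work" "$port" cert)
        case $out in *CONNECTED*) break ;; esac
        tries=$((tries + 1)); sleep 1
    done
    # s_client prints this header only when the server sent a non-empty CA list.
    case $out in *"Acceptable client certificate CA names"*) names=yes ;; *) names=no ;; esac
    # The -www status line only arrives if the handshake, including client
    # certificate verification, completed.
    case $out in *"HTTP/1.0 200 ok"*) with=accepted ;; *) with=rejected ;; esac
    out2=$(tls_get "$work" "$port" nocert)
    case $out2 in *"HTTP/1.0 200 ok"*) without=accepted ;; *) without=rejected ;; esac
    kill "$pid" 2>/dev/null || true
    rm -rf "$work"
    echo "ca-names=$names with-cert=$with without-cert=$without"
    [ "$names" = yes ] && [ "$with" = accepted ] && [ "$without" = rejected ]
}

# Stand-alone use: sh client_cert_check.sh run
if [ "${1:-}" = run ]; then run_demo; fi
```

Run with `sh client_cert_check.sh run`; on a correctly configured server it prints `ca-names=yes with-cert=accepted without-cert=rejected`. The same transcript is useful against a real server: `openssl s_client -connect host:993 -CAfile ca.pem -cert client.pem -key client.key` shows the "Acceptable client certificate CA names" section, and if it instead reads "No client certificate CA names sent", many clients will never offer their certificate, because they pick which certificate to send from that list.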