On Thu, Dec 07, 2000 at 09:17:11AM -0500, Jason Keltz wrote:
> Finally, if I try to connect to the IMAP SSL server with Netscape
> Communicator v4.75 and v6 -- the *SAME* Netscape Communicator that talks
> to our SSL enabled web server without complaining suddenly says that it
> "does not recognize the authority who signed its Certificate".
> If I continue, the session is indeed encrypted, but I specifically
> purchased a certificate for the mail server so that the signer would be
> trusted, and that message wouldn't come up -- otherwise, I could have just
> used a self-signed certificate!  I have spent an entire day trying to
> figure out why this happens, and I cannot.  Does anyone have any ideas?
> 
> The only fishy thing to me is that in the Netscape signer list, I see:
> Equifax Premium CA
> Equifax Secure CA
> *not* Equifax Secure E-Business CA-2
> 
> But Netscape happily accepts the web connection, so it must be using a
> fingerprint that is the same as one of the other two because all my other
> certificate lists (other than "Signers") are empty.
> 
> Any help you could provide would be (very) much appreciated.

Just a quick guess (must give a lecture in 10 minutes :-):
imap-2000 has no provisions to load the CA file, so possibly the certificate
chain is incomplete. Apache+SSL can complete its cert chain from your
CA storage.
I have changed my auth_ssl.c from
  SSL_CTX_use_certificate_file (stream->context,tmp,SSL_FILETYPE_PEM)
to
  SSL_CTX_use_certificate_chain_file (stream->context,tmp)
and have attached the CA certificates to the server certificate...

Read you later,
        Lutz
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
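
Added example, not part of the original message and not code from imap-2000 or OpenSSL: a shell sketch of the incomplete-chain effect discussed above, using a constructed throwaway PKI (all names and subjects are hypothetical). It models the client with `openssl verify -untrusted` instead of a live IMAP handshake, and builds the chain file in the order SSL_CTX_use_certificate_chain_file expects (server certificate first, then the CA certificate).

```shell
#!/bin/sh
# Added example: constructed throwaway PKI, every name below is hypothetical.

# Build root -> intermediate -> leaf in directory $1 (runs in a subshell).
make_demo_pki() (
  cd "$1" || exit 1
  cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  req="openssl req -config ca.cnf -newkey rsa:2048 -nodes"
  $req -x509 -extensions v3_ca -days 2 -subj "/CN=Demo Root CA" \
    -keyout root.key -out root.pem &&
  $req -new -subj "/CN=Demo Intermediate CA" -keyout int.key -out int.csr &&
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ca.cnf -extensions v3_ca -days 2 -out int.pem &&
  $req -new -subj "/CN=imap.example.test" -keyout leaf.key -out leaf.csr &&
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 2 -out leaf.pem || exit 1
  # The chain file: server certificate first, then the CA that signed it.
  cat leaf.pem int.pem > chain.pem
) >/dev/null 2>&1

# Client model: trusts only the root; $2 is the file of certs the server sends.
client_accepts() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/$2" "$1/leaf.pem" \
    >/dev/null 2>&1
}

demo() {
  dir=$(mktemp -d) && make_demo_pki "$dir" || return 1
  for sent in leaf.pem chain.pem; do
    if client_accepts "$dir" "$sent"; then r="accepted"; else r="unknown signer"; fi
    echo "$sent ($(grep -c 'BEGIN CERTIFICATE' "$dir/$sent") cert(s) sent): $r"
  done
  rm -rf "$dir"
}
demo
```

Against a live server, `openssl s_client -connect host:993 -showcerts` lists the certificates that are actually sent, so a missing intermediate is visible directly.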