Lutz -- you rock!! That fixed the problem!!
Can someone explain why the server has to pass along the certificates from
the CAs though? I don't quite understand. I'm new to this all. Isn't it
up to the server to send out just the certificate, and then up to the
client to do the checks? I mean, isn't it counter-productive -- couldn't
the server (be it imap or http) somehow send along fake CA certificates
that make the real certificate look as if it were truly signed when it's
not?
jas.
On Thu, 7 Dec 2000, Lutz Jaenicke wrote:
> On Thu, Dec 07, 2000 at 09:17:11AM -0500, Jason Keltz wrote:
> > Finally, if I try to connect to the IMAP SSL server with Netscape
> > Communicator v4.75 and v6 -- the *SAME* Netscape Communicator that talks
> > to our SSL enabled web server without complaining suddenly says that it
> > "does not recognize the authority who signed its Certificate".
> > If I continue, the session is indeed encrypted, but I specifically
> > purchased a certificate for the mail server so that the signer would be
> > trusted, and that message wouldn't come up -- otherwise, I could have just
> > used a self-signed certificate! I have spent an entire day trying to
> > figure out why this happens, and I cannot. Does anyone have any ideas?
> >
> > The only fishy thing to me is that in the Netscape signer list, I see:
> > Equifax Premium CA
> > Equifax Secure CA
> > *not* Equifax Secure E-Business CA-2
> >
> > But Netscape happily accepts the web connection, so it must be using a
> > fingerprint that is the same as one of the other two because all my other
> > certificate lists (other than "Signers") are empty.
> >
> > Any help you could provide would be (very) much appreciated.
>
> Just a quick guess (must give a lecture in 10 minutes :-):
> imap-2000 has no provisions to load the CA file, so possibly the certificate
> chain is incomplete. Apache+SSL can complete its cert chain from your
> CA storage.
> I have changed my auth_ssl.c from
> SSL_CTX_use_certificate_file (stream->context,tmp,SSL_FILETYPE_PEM)
> to
> SSL_CTX_use_certificate_chain_file (stream->context,tmp)
> and have attached the CA certificates to the server certificate...
>
> Read you later,
> Lutz
> --
> Lutz Jaenicke [EMAIL PROTECTED]
> BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
> Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
> Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
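The two things discussed above, Jason's question (why must the server send the CA certificates, and could it not just send fake ones?) and Lutz's fix (hand the server a chain file instead of a bare certificate), as an added example that is not part of the original thread or of imap-2000. It builds a throwaway root -> intermediate -> leaf PKI with the openssl command line, then runs the client-side path validation the way a mail client or browser would. Every name in it (Example Root CA, Example Secure E-Business CA-2, mail.example.com, the file names) is made up; it assumes an `openssl` binary of version 1.1.1 or later on PATH and a POSIX shell, and writes only into a temporary directory that it removes on exit.

```shell
#!/bin/sh
# Added example (not code from the original thread or from imap-2000).
# Builds a throwaway root -> intermediate -> leaf PKI with the openssl CLI
# and runs the client-side path validation several ways. Every name here
# (Example Root CA, mail.example.com, the file names) is made up.
# Assumes openssl 1.1.1 or later on PATH and a POSIX shell.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extensions: an intermediate is only accepted as an issuer if it is marked
# as a CA; the leaf is explicitly not one.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=critical,CA:FALSE\nsubjectAltName=DNS:mail.example.com\n' > leaf.ext

# key_and_csr NAME SUBJECT: fresh RSA key plus a CSR for it.
key_and_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "$2" >/dev/null 2>&1
}

# sign NAME CANAME EXTFILE: issue NAME.pem from NAME.csr, signed by CANAME.
sign() {
    openssl x509 -req -days 1 -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
        -CAcreateserial -extfile "$3" -out "$1.pem" >/dev/null 2>&1
}

# build_pki PREFIX: root, intermediate, leaf, and the chain file a server
# should present (leaf first, then the intermediate; the root is omitted,
# the client must already have it).
build_pki() {
    p=$1
    key_and_csr "${p}root"  "/CN=${p}Example Root CA"
    key_and_csr "${p}inter" "/CN=${p}Example Secure E-Business CA-2"
    key_and_csr "${p}leaf"  "/CN=mail.example.com"
    openssl x509 -req -days 1 -in "${p}root.csr" -signkey "${p}root.key" \
        -extfile ca.ext -out "${p}root.pem" >/dev/null 2>&1
    sign "${p}inter" "${p}root"  ca.ext
    sign "${p}leaf"  "${p}inter" leaf.ext
    cat "${p}leaf.pem" "${p}inter.pem" > "${p}chain.pem"
    # What an attacker might try: ship the (fake) root along as well.
    cat "${p}leaf.pem" "${p}inter.pem" "${p}root.pem" > "${p}chain_with_root.pem"
}

# setup_pki: the genuine PKI (the client trusts root.pem) and an attacker's
# look-alike PKI that reuses the same subject names with different keys.
setup_pki() {
    build_pki ""
    build_pki "fake"
}

# client_verify LEAF [SENT_BY_SERVER]
# Models the client. Its trust anchor is root.pem; whatever the server sends
# alongside its own certificate is passed as -untrusted, so it may only be
# used to build a path back to that anchor, never as an anchor itself.
client_verify() {
    if [ -n "${2:-}" ]; then
        openssl verify -CAfile root.pem -untrusted "$2" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile root.pem "$1" >/dev/null 2>&1
    fi
}

# show LABEL CMD...: print whether the client accepted the certificate.
show() {
    label=$1; shift
    if "$@"; then echo "$label: accepted"; else echo "$label: rejected"; fi
}

setup_pki
show "leaf alone (what imap-2000 sent)"           client_verify leaf.pem
show "leaf + intermediate (the chain file)"       client_verify leaf.pem chain.pem
show "fake leaf + fake intermediate"              client_verify fakeleaf.pem fakechain.pem
show "fake leaf + fake intermediate + fake root"  client_verify fakeleaf.pem fakechain_with_root.pem
```

The first case is the IMAP symptom: the client holds only the root, the leaf is signed by the intermediate, and nothing on the client can link the two, so validation stops with "unable to get local issuer certificate". The second case is what SSL_CTX_use_certificate_chain_file makes the server do: it presents the leaf followed by the intermediate, the client uses the intermediate purely as a stepping stone, and the path ends at a root it already trusts. The last two cases answer the "fake CA" worry: certificates the server sends are never added to the client's trust store, so an attacker's intermediate cannot reach any trusted anchor, and shipping the attacker's own root along only changes the error to "self-signed certificate in certificate chain". Note that `-signkey` for the self-signed root is accepted by OpenSSL 3.x as an alias of `-key`.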