On 26/Jan/09, at 05:14, Crypto Sal wrote:
> Do any other clients (s_client, web browser, etc.) exhibit the same behavior or an error message? If yes, what's the error response?
Well, I currently do not know how to apply that certificate to an HTTP server to test it with browsers. Both Firefox and IE refuse to connect on POPS port 995, of course.
For s_client see below.
> When you use s_client to connect to your mail server does it pass verification through both ways, IP and DNS?
I never used s_client before, I tried it now, but it doesn't seem to care at all about the CN difference: as far as I can see, and as long as I pass it the CA cert with the -CAfile option, it doesn't return any verification error, not even when I connect to the server with a totally different name from the ones stored in CN or subjectAltName!
It just outputs "verify return:1" for both the server and CA certificates which build up the chain.
So, s_client seems a bit too relaxed to me, or am I missing anything?
> Can you do an s_client and dump the cert to OpenSSL's x509 and read the cert? Do the SubjectAltNames appear in the "X509v3 Subject Alternative Name" section when doing so?
How can I dump the certificate using s_client? I can't see anything about this in its man page.
> What is the *exact* error you get with the Microsoft Products when you use this format? Hostname Mismatch? Untrusted Cert?
I'd say Hostname Mismatch. Both OE and Outlook just show a dialog containing no deep tech info, but they simply complain about the name of the server not being the same as the one contained in the provided certificate.
Thanks.
--
Ciao, Marco.
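Added example, not part of the original message: chain verification (the "verify return:1" lines) and name matching are separate checks, and this sketch shows the name-matching step as RFC 2818 describes it for a DNS name or an IP address. The function names and the sample certificate (example.test names, 192.0.2.10) are constructed for illustration; it is not OpenSSL's or any mail client's code.

```python
import ipaddress

# Constructed sample, shaped like the dict ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.example.test"),),),
    "subjectAltName": (
        ("DNS", "mail.example.test"),
        ("DNS", "pop.example.test"),
        ("IP Address", "192.0.2.10"),
    ),
}

def _dns_match(pattern, host):
    """Compare one certificate name with the dialed host, label by label.
    '*' is accepted only as the entire left-most label of a 3+ label name."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and h[0] != "" and p[1:] == h[1:]
    return p == h

def name_matches(cert, target):
    """True if `target` (the name or IP the client connected to) is an
    identity carried by `cert`, following the RFC 2818 rules."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP target matches only iPAddress entries, never DNS names or the CN.
        return any(k == "IP Address" and ipaddress.ip_address(v) == ip
                   for k, v in sans)
    dns_names = [v for k, v in sans if k == "DNS"]
    if dns_names:
        # When dNSName entries exist they are the identity; the CN is ignored.
        return any(_dns_match(d, target) for d in dns_names)
    # No dNSName at all: fall back to the subject's commonName.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn
           if k == "commonName"]
    return any(_dns_match(c, target) for c in cns)

if __name__ == "__main__":
    for t in ("mail.example.test", "192.0.2.10", "other.example.test"):
        print(t, name_matches(SAMPLE_CERT, t))
```

A certificate can pass the chain check and still fail this comparison, which is the situation a "hostname mismatch" dialog reports.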