Mark Watts wrote:
> On Wednesday 19 November 2008 14:00:29 Wietse Venema wrote:
>> Mark Watts:
>>> I think my original question still stands; why do connections to
>>> one server not generate verification messages, while connections
>>> to a third server do? Both remote servers have self-signed SSL
>>> certificates.
>>
>> Presumably, those certificates are signed with different keys. I
>> run tests with self-signed certificates and never see complaints,
>> because the clients know the signing key.
>
> The client (the sending Postfix server) in this case does not know about *any*
> signing keys used by the remote servers for their SSL certificates.
>
> My understanding is that the verification failure messages are akin to those
> you would see browsing to an HTTPS:// website using a self-signed
> certificate?
>
> If so, I know for a fact that the remote server which does not generate
> verification messages is using a self-signed certificate, because I created
> it (and the self-signed CA to go with it).
>
> Now is this the issue; that if the server certificate is signed by a CA
> (regardless of whether that CA is itself self-signed or not), it does not
> trigger verification failure messages?
>
> Mark.

Did you use the same CA on both servers? Then the certificate
is not unknown. Self-signed certificates verify just fine if
both sites have the same CA.
--
Noel Jones
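As an added illustration (not part of the thread, and not Postfix code), the script below reproduces with openssl the behaviour Noel describes: a server certificate issued by a CA that the client already trusts verifies, a self-signed server certificate from an unknown issuer does not, and that same self-signed certificate verifies as soon as it is placed in the trust store itself. The CA file stands in for what Postfix's `smtp_tls_CAfile` points at on the sending server; the hostnames and CA name are constructed for the example.

```shell
#!/bin/sh
# Added example: reproduce "known CA verifies, unknown self-signed does not".
# All names (ca-a, mail1/mail2.example.test) are constructed for this demo.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so the demo does not depend on the system openssl.cnf.
# -subj on the command line overrides the placeholder CN.
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ server_ext ]
basicConstraints = CA:FALSE
EOF

# A private, self-signed CA (the role of the CA Mark created himself).
make_ca() {
    # $1 = CA file prefix
    openssl req -x509 -config "$WORK/openssl.cnf" -extensions ca_ext \
        -newkey rsa:2048 -nodes -days 2 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
        -subj "/CN=$1 test CA" >/dev/null 2>&1
}

# A server certificate whose signature chains to the named CA.
make_server_cert() {
    # $1 = CA file prefix, $2 = server hostname
    openssl req -new -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" \
        -subj "/CN=$2" >/dev/null 2>&1
    openssl x509 -req -days 2 -in "$WORK/$2.csr" \
        -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
        -extfile "$WORK/openssl.cnf" -extensions server_ext \
        -out "$WORK/$2.crt" >/dev/null 2>&1
}

# A self-signed server certificate with no CA behind it at all.
make_selfsigned_cert() {
    # $1 = server hostname
    openssl req -x509 -config "$WORK/openssl.cnf" -extensions server_ext \
        -newkey rsa:2048 -nodes -days 2 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
        -subj "/CN=$1" >/dev/null 2>&1
}

# Verify a certificate against a trust store (CA file); prints "ok" or "fail".
# This is the same path-building check a TLS client performs on the peer cert.
verify_against() {
    # $1 = trust store (PEM file), $2 = certificate to check
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

make_ca ca-a
make_server_cert ca-a mail1.example.test
make_selfsigned_cert mail2.example.test

# Client trust store = Mark's own CA only.
echo "mail1, signed by the trusted CA:        $(verify_against "$WORK/ca-a.crt" "$WORK/mail1.example.test.crt")"
echo "mail2, self-signed, issuer unknown:     $(verify_against "$WORK/ca-a.crt" "$WORK/mail2.example.test.crt")"
# Add the self-signed certificate itself to the trust store and it verifies too.
echo "mail2, self-signed, itself trusted:     $(verify_against "$WORK/mail2.example.test.crt" "$WORK/mail2.example.test.crt")"
```

The third check is the situation Noel describes: a self-signed certificate is not "unknown" once the client holds a copy of it (or of the CA that issued it) in the file its TLS CA setting points at, so no verification message is logged for that peer.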