On Wednesday 19 November 2008 14:48:32 Noel Jones wrote:
> Mark Watts wrote:
> > On Wednesday 19 November 2008 14:00:29 Wietse Venema wrote:
> >> Mark Watts:
> >>> I think my original question still stands; why do connections to
> >>> one server not generate verification messages, while connections
> >>> to a third server do. Both remote servers have self-signed ssl
> >>> certificates.
> >>
> >> Presumably, those certificates are signed with different keys. I
> >> run tests with self-signed certificates and never see complaints,
> >> because the clients know the signing key.
> >
> > The client (the sending postfix server) in this case does not know about
> > *any* signing keys used by the remote servers for their ssl certificates.
> >
> > My understanding is that the verification failure messages are akin to
> > those you would see browsing to an HTTPS:// website using a self-signed
> > certificate?
> > If so, I know for a fact that the remote server which does not generate
> > verification messages is using a self-signed certificate, because I
> > created it (and the self-signed CA to go with it).
> >
> > Now is this the issue; that if the server certificate is signed by a CA
> > (regardless of whether that CA is itself self-signed or not), it does not
> > trigger verification failure messages?
> >
> > Mark.
>
> Did you use the same CA on both servers? Then the certificate
> is not unknown. Self-signed certificates verify just fine if
> both sites have the same CA.
No. The server I'm in control of is signed by a CA. (This server does not give any verification failure messages.)
I don't know about the other server.

Mark.

-- 
Mark Watts BSc RHCE MBCS
Senior Systems Engineer
QinetiQ Applied Technologies
GPG Key: http://www.linux-corner.info/mwatts.gpg
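As an added illustration of the distinction Wietse and Noel draw (whether the client already trusts the key that signed the certificate), and not code from the thread: a shell script that builds a private CA, a server certificate signed by that CA, and a server certificate that simply signed itself, then runs openssl verify on each against a trust file, the role smtp_tls_CAfile plays for a Postfix SMTP client. The subjects and file names are constructed for the demo; it needs only the openssl CLI.

```shell
#!/bin/sh
# Added example, not from the thread. Builds three PEM files in a temp dir:
#   ca.pem        a private, self-signed CA (like the one Mark created)
#   srv-ca.pem    a server cert signed by that CA
#   srv-self.pem  a server cert that signed itself (no CA involved)
# then checks each the way a TLS client does: against a trust file.
# Subjects and file names are constructed; requires the openssl CLI.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# gen_key_cert NAME SUBJECT -> self-signed NAME.pem plus NAME.key in $WORK
gen_key_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# 1. the private CA and 2. a purely self-signed server certificate
gen_key_cert ca       "/CN=Example Private CA"
gen_key_cert srv-self "/CN=mail.example.test"

# 3. a server certificate whose issuer is the private CA
openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
    -keyout "$WORK/srv-ca.key" -out "$WORK/srv-ca.csr" >/dev/null 2>&1
openssl x509 -req -days 1 -in "$WORK/srv-ca.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/srv-ca.pem" >/dev/null 2>&1

# is_self_signed CERT -> 0 when the subject and issuer DNs are identical
is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject)
    i=$(openssl x509 -in "$1" -noout -issuer)
    [ "${s#subject=}" = "${i#issuer=}" ]
}

# verify_with CERT TRUSTFILE -> 0 if the chain verifies, non-zero otherwise
verify_with() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# report CERT TRUSTFILE -> one line saying what a client would conclude
report() {
    if verify_with "$WORK/$1" "$WORK/$2"; then r=verified; else r="verification failed"; fi
    if is_self_signed "$WORK/$1"; then k=self-signed; else k=CA-signed; fi
    echo "$1 ($k) against $2: $r"
}

report srv-ca.pem   ca.pem         # client knows the CA            -> verified
report srv-ca.pem   srv-self.pem   # client lacks the CA            -> failed
report srv-self.pem ca.pem         # self-signed, unknown to client -> failed
report srv-self.pem srv-self.pem   # self-signed, but trusted as-is -> verified
```

The two failing cases are exactly the situations in which a Postfix client logs a certificate verification failure: the issuer is not in its CA file, whether the issuer is a private CA or the server certificate itself.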