-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Andreas Benzing wrote:
> Hello,

Hello Andreas,

> could please somebody tell me what tls_ca_path is good for if it is
> somehow ignored in the config file? For other servers putting the
> different CA-certs in one directory is enough but cyrus needs an extra
> file with all of them in a single file. Shouldn't this be the sense of
> tls_ca_path?

Without looking in the cyrus and the openssl code: the tls_ca_path directory is used in certificate verification: a checksum is calculated from the issuer DN of the cert to verify, and this 32-bit value is used as a file name in tls_ca_path to load the CA certificate. This way you don't need to load beforehand all the certificates that you may need to verify a peer.

On the other hand, the certificates in tls_ca_file are loaded before the TLS handshake is done and are directly used to verify the peer. (This file is also used to build the server's CA certificate chain that is sent to the client.)

Now, tls_ca_path is primarily useful in client configurations, because you may have a big number of trusted CA certificates. On the server side tls_ca_path is less useful, because you must have the complete list of CA certificates you accept before you start a handshake: you send this list (only the subject names) to the client, telling it which CA certificates you accept for client authentication. You can still use it for intermediate CA certificates and CRLs.

I don't know how other servers handle the tls_ca_path. Perhaps they iterate over the certificate files in it to build the client list, or their client verification code is f*ed up and only seems to work...
Bye
Goetz

- --
DMCA: The greed of the few outweighs the freedom of the many
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFK/IG2iGqZUF3qPYRAgLiAJ0YDacJ3wH8ZzeeON2KlT2L6h57awCfU2r0
R74oV6cOAPkNOaXGB0EYxgE=
=XwoO
-----END PGP SIGNATURE-----
----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
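The lookup Goetz describes is OpenSSL's hashed-directory convention: each CA certificate in the directory must be stored under the name <subject_hash>.0, where the hash is computed over the CA's subject DN (which is the issuer DN of the certificate being verified). A directory of arbitrarily named PEM files is simply not found, which is why it looks "ignored". The script below is an added example, not part of the original post or of the Cyrus code; it assumes only the openssl command-line tool, builds a constructed one-CA test PKI in a temporary directory, and shows that the same certificate verifies through a hashed directory but not through an unhashed one.

```shell
#!/bin/sh
# Added example (not from the original post or from Cyrus): demonstrates why an
# OpenSSL CA directory (tls_ca_path) needs <subject_hash>.0 file names.
# Assumes the openssl CLI is installed. The CA and leaf below are constructed
# throwaway test material, generated fresh on every run.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a constructed test PKI: one self-signed CA and one leaf signed by it.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=imap.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# Lay a CA certificate out the way OpenSSL's directory lookup expects:
# the file name is the hash of the CA's subject DN plus a ".0" suffix
# (c_rehash does the same thing for a whole directory).
hash_ca_dir() {
  dir=$1
  cert=$2
  mkdir -p "$dir"
  h=$(openssl x509 -noout -subject_hash -in "$cert")
  cp "$cert" "$dir/$h.0"
}

# Copy the CA into a directory under its plain name, the layout that "other
# servers" accept but OpenSSL's hashed lookup cannot find.
plain_ca_dir() {
  dir=$1
  cert=$2
  mkdir -p "$dir"
  cp "$cert" "$dir/ca.pem"
}

# Exit status 0 when the leaf chains to a CA found in the directory, 1 otherwise.
verify_with_capath() {
  openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Exit status 0 when the leaf chains to a CA listed in the file (tls_ca_file).
verify_with_cafile() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_test_pki
hash_ca_dir "$WORK/hashed" "$WORK/ca.pem"
plain_ca_dir "$WORK/plain" "$WORK/ca.pem"

echo "hashed dir contains: $(ls "$WORK/hashed")"
if verify_with_capath "$WORK/hashed" "$WORK/leaf.pem"; then
  echo "hashed CApath: leaf verifies"
else
  echo "hashed CApath: verification FAILED"
fi
if verify_with_capath "$WORK/plain" "$WORK/leaf.pem"; then
  echo "plain CApath: leaf verifies (unexpected)"
else
  echo "plain CApath: CA not found, as expected"
fi
if verify_with_cafile "$WORK/ca.pem" "$WORK/leaf.pem"; then
  echo "CAfile: leaf verifies"
fi
```

To fix the situation Andreas describes without concatenating everything into tls_ca_file, run c_rehash (or the loop above) over the directory named by tls_ca_path; the server-side caveat from the reply still holds, since the list of acceptable client CAs advertised in the handshake is built from tls_ca_file, not from the directory.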