Re: tls_ca_path and tls_ca_file

Hello once more,

Goetz Babin-Ebell wrote:
> Andreas Benzing wrote:
>> Hello,
> Hello Andreas,
>
>> could somebody please tell me what tls_ca_path is good for if it is
>> somehow ignored in the config file? For other servers putting the
>> different CA certs in one directory is enough, but cyrus needs an extra
>> file with all of them in a single file. Shouldn't this be the sense of
>> tls_ca_path?
>
> Without looking in the cyrus and the openssl code:
>
> the tls_ca_path directory is used in certificate verification:
> a checksum is calculated from the issuer DN of the cert to verify,
> and this 32 bit value is used as a file name in tls_ca_path to load
> the CA certificate.

Now this and the hint about c_rehash makes things clearer. I didn't know that cyrus is only looking for specific filenames. So it works now =)

> Now the tls_ca_path is primarily useful in client configurations,
> because you may have a big number of trusted CA certificates.
>
> On the server side the tls_ca_path is less useful,
> because you must have the complete list of
> CA certificates you accept before you start a handshake,
> because you send this list (only the subject names) to
> the client, telling it which CA certificates you accept
> for client authentication.

Which takes me to the next question that may be in the wrong place here: I only came to this problem because when connecting with thunderbird there was an error establishing an encrypted connection. After investigating the logfiles I found that the server could not verify a cert I wanted to use with thunderbird to sign messages. Now the question is: Why did thunderbird try to authenticate with the cert when my server (with the old config) did not have any CA certs at all?

Andreas
----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
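The hashed-directory lookup Goetz describes above is what c_rehash sets up, and it is why a directory of plainly named CA files is not found while a concatenated file is. The following script is an added example, not from this thread or from the Cyrus project: it builds the hashed directory the same way c_rehash does (subject hash plus a counter for collisions), builds the single-file bundle that tls_ca_file expects, and checks a leaf certificate against each with the openssl CLI. The CA, leaf and all paths are constructed in a temporary directory; only the openssl command line is required.

```shell
#!/bin/sh
# Added example: how tls_ca_path (hashed directory) and tls_ca_file
# (concatenated bundle) differ. Everything under $WORK is constructed.
set -eu

# Hash-name every PEM CA in $1 into $2 the way c_rehash does:
# <subject_hash>.<n>, where n counts up when two subjects share a hash.
hash_ca_dir() {
    src="$1"; dst="$2"
    mkdir -p "$dst"
    for pem in "$src"/*.pem; do
        [ -f "$pem" ] || continue
        h=$(openssl x509 -noout -subject_hash -in "$pem")
        n=0
        while [ -e "$dst/$h.$n" ]; do n=$((n + 1)); done
        abs="$(cd "$(dirname "$pem")" && pwd)/$(basename "$pem")"
        ln -s "$abs" "$dst/$h.$n"
    done
}

# The tls_ca_file alternative: one file holding all trusted CAs.
bundle_ca_file() {
    cat "$1"/*.pem > "$2"
}

# Exit status 0 only if the leaf chains to a CA found in the directory.
verify_with_capath() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Exit status 0 only if the leaf chains to a CA in the bundle file.
verify_with_cafile() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Construct a throwaway root CA and a leaf it signed; prints the work dir.
setup_demo() {
    WORK=$(mktemp -d)
    mkdir -p "$WORK/cas"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/cas/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=imap.example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/cas/root.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
        -out "$WORK/leaf.pem" 2>/dev/null
    echo "$WORK"
}

# Stand-alone run: show that only the hashed layout or the bundle works.
if [ "${1:-}" = "demo" ]; then
    W=$(setup_demo)
    hash_ca_dir "$W/cas" "$W/hashed"
    bundle_ca_file "$W/cas" "$W/bundle.pem"
    ls -l "$W/hashed"
    verify_with_capath "$W/cas" "$W/leaf.pem"    && echo "plain dir: ok" || echo "plain dir: FAILS (no <hash>.N names)"
    verify_with_capath "$W/hashed" "$W/leaf.pem" && echo "hashed dir: ok"
    verify_with_cafile "$W/bundle.pem" "$W/leaf.pem" && echo "bundle file: ok"
    rm -rf "$W"
fi
```

Run it with `sh script.sh demo`. The symlink name is the 8 hex digits (32 bits) of `openssl x509 -subject_hash`; on an OpenSSL older than 1.0.0 the hash algorithm differs, and a directory rehashed on one version may not be found by the other, so rehash on the host that runs the server.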
