Andrew Morgan wrote, at 03/20/2008 12:20 PM:
> Just for reference, I'm using the following TLS settings with 2.3.11
> just fine:
>
> tls_ca_file: /etc/ssl/certs/thawte-premium.pem
> tls_ca_path: /etc/ssl/certs
> tls_cert_file: /etc/ssl/certs/imap.onid.oregonstate.edu.crt
> tls_key_file: /etc/ssl/certs/imap.onid.oregonstate.edu.key
>
> I only bothered adding tls_ca_file because I kept getting worthless log
> messages on every new connection:
>
> TLS server engine: No CA file specified. Client side certs may not work

Hah, now I'm getting them, too. :)

> We are not using SSL client certificates, so tls_ca_file is irrelevant
> in our situation.
>
> Maybe the format of your CA bundle file is not what openssl expects? Do
> you get valid output when you run:
>
> openssl x509 -in /etc/ssl/certs/<your-ca-bundle> -text

I'm not sure. There are no errors, but it only displays the first certificate in the bundle. This is true of my local bundle and any bundle included with the system by various applications.

On a lark, I pointed tls_ca_file to an old root certificate I once needed for a chained root. It contains only a single certificate, and STARTTLS connections on port 143 work when it is defined. So, maybe bundles are no longer acceptable in tls_ca_file? I guess if one needs to use client certificates, tls_ca_file should contain a single root? If one needed to support multiple roots, perhaps use tls_ca_path instead?

I guess I'll deal with those issues as they come, since I apparently don't need to define tls_ca_(file|path) at all for normal operation (unless I want to eliminate annoying log messages).

Thanks for the additional info, it helped reveal more details, but it would sure be nice to see some clarifying documentation. I still don't know why the behaviour changed between 2.3.7 and 2.3.11, and if it represents a fix or a potential bug. Why is the CA file checked if no client cert is presented (unless it's needed for SASL-IR)?

I'll have to search the changelog or code when I have the time.

----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
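The check suggested above, `openssl x509 -in <bundle> -text`, decodes only the first PEM block in a file, so it says nothing about the remaining certificates in a bundle. The script below is an added example and not part of this thread or of Cyrus; it is POSIX sh that splits a PEM bundle into its individual certificates with awk, counts them, and feeds each one to `openssl x509` separately so every entry is actually parsed. The sample bundle it writes is constructed with placeholder bodies (not real certificates), and the path `/etc/ssl/certs/ca-certificates.crt` is an assumed location of a real system bundle.

```shell
#!/bin/sh
# Added example: inspect every certificate in a PEM bundle, not just the first.

# Count the certificate blocks in a PEM bundle (awk only, no openssl needed).
pem_cert_count() {
    awk '/^-----BEGIN CERTIFICATE-----/ { n++ } END { print n + 0 }' "$1"
}

# Print the Nth (1-based) certificate block of a bundle, BEGIN to END lines.
pem_cert_nth() {
    awk -v want="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++ }
        n == want { print }
        /^-----END CERTIFICATE-----/ && n == want { exit }
    ' "$1"
}

# Run each certificate of a real bundle through openssl and print its subject.
# A malformed entry shows up as an openssl error at its index instead of being
# silently skipped, which is what "openssl x509 -in bundle" would do.
pem_bundle_subjects() {
    bundle=$1
    total=$(pem_cert_count "$bundle")
    i=1
    while [ "$i" -le "$total" ]; do
        printf '%d: ' "$i"
        pem_cert_nth "$bundle" "$i" | openssl x509 -noout -subject
        i=$((i + 1))
    done
}

# Constructed sample bundle: three PEM-framed blocks with placeholder bodies.
SAMPLE_BUNDLE=$(mktemp)
cat > "$SAMPLE_BUNDLE" <<'EOF'
-----BEGIN CERTIFICATE-----
CONSTRUCTEDROOT1
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
CONSTRUCTEDROOT2
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
CONSTRUCTEDROOT3
-----END CERTIFICATE-----
EOF

echo "certificates in sample bundle: $(pem_cert_count "$SAMPLE_BUNDLE")"
echo "second block of sample bundle:"
pem_cert_nth "$SAMPLE_BUNDLE" 2

# On a system with a real bundle, list the first few subjects (assumed path).
REAL_BUNDLE=${REAL_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}
if command -v openssl >/dev/null 2>&1 && [ -r "$REAL_BUNDLE" ]; then
    pem_bundle_subjects "$REAL_BUNDLE" 2>/dev/null | head -n 3 || true
fi
```

Running `pem_bundle_subjects` over the bundle named in `tls_ca_file` shows whether every entry parses, which is the question the thread leaves open. If `tls_ca_path` is used instead, OpenSSL locates CA certificates in that directory by hashed filename, so the directory must contain the hash-named links that `c_rehash` creates, not just the PEM files.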