On 20 Mar 2008, at 13:07, Jorey Bump wrote:

> Andrew Morgan wrote, at 03/20/2008 12:20 PM:
>> Maybe the format of your CA bundle file is not what openssl
>> expects? Do you get valid output when you run:
>>
>> openssl x509 -in /etc/ssl/certs/<your-ca-bundle> -text

> I'm not sure. There are no errors, but it only displays the first
> certificate in the bundle. This is true of my local bundle and any
> bundle included with the system by various applications.

The SSL_CTX_load_verify_locations() function loads everything in the file, tho.

> On a lark, I pointed tls_ca_file to an old root certificate I once
> needed for a chained root. It contains only a single certificate, and
> STARTTLS connections on port 143 work when it is defined.

This suggests a specific problem with the cert bundle you're using.

> Why is the CA file checked if no client cert is presented (unless it's
> needed for SASL-IR)? I'll have to search the changelog or code when I
> have the time.

The way the code is currently written, if you're using imaps, the server will be implicitly prepared to accept a client cert. Of course, if no CAfile is defined, you'll get that spurious error! There seems to be an assumption that CAfile implies something different than CApath -- it doesn't. I think the code should be changed to not tell the client that a cert will be accepted if neither CAfile nor CApath is defined.

Does your Thunderbird have access to any client certificates? Since the server will advertise that it accepts them, even tho it probably can't use them, I wonder if this isn't the cause of your version mismatch error message.

:wes

----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
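The thread above turns on a gap between the two checks: `openssl x509 -text` stops after the first PEM block, while SSL_CTX_load_verify_locations() reads every block, so a damaged block further down a CA bundle passes the one-cert check and still breaks the server. Added example, not code from the thread or from Cyrus: a small Python walker that reports every CERTIFICATE block in a bundle and what is wrong with the bad ones. The sample bundle is constructed; its base64 bodies are tiny DER placeholders, not real certificates.

```python
import base64
import binascii

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Constructed sample bundle (not a real CA file): the base64 bodies are tiny
# DER placeholders, not certificates. Block 1 is well-formed, block 2 uses
# CRLF line endings, block 3 is truncated base64 such as a bad paste leaves.
SAMPLE_BUNDLE = "\n".join([
    BEGIN, "MAMCAQA=", END,
    BEGIN + "\r", "MAMCAQA=\r", END + "\r",
    BEGIN, "MAMCAQ", END,
]) + "\n"


def split_pem_bundle(text):
    """Return (certs, problems): certs holds the DER bytes of every
    well-formed CERTIFICATE block, problems lists what was wrong with
    the rest. Unlike `openssl x509`, it does not stop after block 1."""
    certs, problems = [], []
    in_block, body, start = False, [], 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()          # tolerate CRLF and trailing spaces
        if line == BEGIN:
            if in_block:
                problems.append(f"block at line {start}: no END before next BEGIN")
            in_block, body, start = True, [], n
        elif line == END:
            if not in_block:
                problems.append(f"line {n}: END without BEGIN")
                continue
            try:
                der = base64.b64decode("".join(body), validate=True)
                if der[:1] != b"\x30":   # every X.509 cert is a DER SEQUENCE
                    raise ValueError("decoded data is not a DER SEQUENCE")
                certs.append(der)
            except (binascii.Error, ValueError) as exc:
                problems.append(f"block at line {start}: {exc}")
            in_block, body = False, []
        elif in_block:
            body.append(line)
    if in_block:
        problems.append(f"block at line {start}: missing END marker")
    return certs, problems


if __name__ == "__main__":
    certs, problems = split_pem_bundle(SAMPLE_BUNDLE)
    print(f"{len(certs)} usable certificate block(s)")
    for p in problems:
        print("PROBLEM:", p)
```

Run it against the file named in tls_ca_file; any reported problem is a block the one-cert `openssl x509` check would never have shown you.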