Goetz Babin-Ebell wrote:
> brian schrieb:
> | Goetz Babin-Ebell wrote:
> |> brian schrieb:
> |> | brian wrote:
> |> |> I'm trying (and failing) to set up TLS and hope someone might be
> |> |> able to shed some light on my problem. Authentication failed so I
> |> |> checked maillog and found:
> |> |>
> |> |> imap[30288]: TLS server engine: cannot load CA data
> |> This ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> Looking in the last source I have here (2.3.8), I'm definitively not
> happy about the code that generates that message:
> * If you don't do SSL client authentication, this message
>   is only confusing noise.
> * If you do SSL client authentication this message is not an
>   info but an error and should be logged as one.
> I opened a ticket and sent a patch in 2005.
> Unfortunately it wasn't accepted (at least the last time I checked...)
>
> |> |> imap[30288]: unable to get certificate from
> |> |> '/etc/pki/tls/certs/imapcert.pem'
> |> and this ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> |> Is your first hint.
> |
> | Yes, it was the first thing I noticed too. However, the fact that that
> | file was easily readable confused me as to what the problem actually
> | was. I thought that perhaps the file, while readable, contained garbage.
>
> There is a big difference between CA certificates and
> end entity (server) certificates.
> Here cyrus tried to load a CA certificate,
> but imapcert.pem contains only the server certificate.
>
> OK, I was wrong:
> these two error lines are unrelated.
> The second failing because the first failed may be a result
> of cyrus not clearing the OpenSSL error stack between
> the two lines.
>
> Any developer listening?
> Calling ERR_clear_error(); on entering set_cert_stuff() (tls.c)
> should fix this...
> (If you're building cyrus from source,
> you could insert that line and try again)

That's what I was wondering, also, after coming across this last night:
http://weblog.elwing.org/elwing/index.php/archive/2007/07/18/cyrus-imap-and-certificates/

> |> I wish people would stop using self signed certificates in their
> |> tutorials.
> |> Creating a CA and using it to sign the certificates are
> |> just two to three steps more and it gives people a hint how
> |> to set up things correctly...
> |
> | Maybe I've got the terminology wrong then. By "self-signed" I mean that
> | I did create my own CA, then created and signed a cert with that.
> |
> | # CA_nodes -newca
> | # CA_nodes -newreq
> | # CA_nodes -sign
>
> A self signed certificate is a certificate that is signed by the
> same key that is in the certificate.
>
> What you have created is a normal certificate that
> was signed by a local CA.
>
> | I'm not aware of any other kind of "self-signed" certificate. I thought
> | it was either signed by Thawte, etc. or by one's own CA.
>
> ... or signed by the same key that is in the certificate
> (signed by itself)

Thank you. I think it's becoming clearer now.

> |> | [abbreviated output follows]
> |> |
> |> | CONNECTED(00000003)
> |> | depth=1 /C=CA/ST=Ontario/O=zijn digital/OU=server/CN=MYDOMAIN/emailAddress=root@MYDOMAIN
> |> | verify return:1
> |> | depth=0 /C=CA/ST=Ontario/L=Stratford/O=zijn digital/OU=mail/CN=mail.MYDOMAIN/emailAddress=postmaster@MYDOMAIN
> |> | verify return:1
> |> | ---
> |> | Certificate chain
> |> | 0 s:/C=CA/ST=Ontario/L=Stratford/O=zijn digital/OU=mail/CN=mail.MYDOMAIN/emailAddress=postmaster@MYDOMAIN
> |> |   i:/C=CA/ST=Ontario/O=zijn digital/OU=server/CN=MYDOMAIN/emailAddress=root@MYDOMAIN
> |> OK, this is NOT a self signed certificate.
> |>
> | What tells you that?
>
> In a self signed certificate issuer and subject name are identical.

Right. This makes sense now I know what to look for.

> BTW:
>
> If you have your server certificate directly signed by your
> root (CA) certificate and you do not want to use client authentication,
> you can configure cyrus imapd to not use any CA certificates at all:
>
> The client needs to know the root certificate anyway to determine if
> it may trust it, so you gain nothing by transmitting it in SSL handshake...
>
> Goetz

Thanks very much for your replies. I'm gaining a better understanding of this. Now, back to the docs ...

b

----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
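The self-signed test Goetz describes (issuer name equals subject name) and the question of whether the server needs to send its root at all can both be checked mechanically from `openssl s_client` output. The following is an added example, not code from the thread or from Cyrus; the sample text is constructed from the abbreviated output above, with a second chain entry (the local CA root) assumed for illustration.

```python
import re

# Constructed sample modelled on the abbreviated `openssl s_client` output quoted
# in the thread; certificate 1 (the local CA root) is assumed here for illustration.
SAMPLE_OUTPUT = """\
---
Certificate chain
 0 s:/C=CA/ST=Ontario/L=Stratford/O=zijn digital/OU=mail/CN=mail.MYDOMAIN/emailAddress=postmaster@MYDOMAIN
   i:/C=CA/ST=Ontario/O=zijn digital/OU=server/CN=MYDOMAIN/emailAddress=root@MYDOMAIN
 1 s:/C=CA/ST=Ontario/O=zijn digital/OU=server/CN=MYDOMAIN/emailAddress=root@MYDOMAIN
   i:/C=CA/ST=Ontario/O=zijn digital/OU=server/CN=MYDOMAIN/emailAddress=root@MYDOMAIN
---
"""

SUBJECT_LINE = re.compile(r"^\s*(\d+)\s+s:(.*)$")
ISSUER_LINE = re.compile(r"^\s*i:(.*)$")

def parse_chain(output):
    """Return [{'subject': DN, 'issuer': DN}, ...] for each certificate in the
    'Certificate chain' section, in the order the server presented them."""
    chain, in_section = [], False
    for line in output.splitlines():
        if line.strip() == "Certificate chain":
            in_section = True
        elif in_section and line.strip() == "---":
            break  # end of the chain section
        elif in_section:
            s = SUBJECT_LINE.match(line)
            i = ISSUER_LINE.match(line)
            if s:
                chain.append({"subject": s.group(2).strip(), "issuer": ""})
            elif i and chain:
                chain[-1]["issuer"] = i.group(1).strip()
    return chain

def is_self_signed(cert):
    """Self-signed: issuer and subject name are identical. Name check only; a full
    check would also verify the signature against the certificate's own key."""
    return cert["subject"] == cert["issuer"]

def chain_links(chain):
    """True when each certificate's issuer is the subject of the next one sent."""
    return all(chain[n]["issuer"] == chain[n + 1]["subject"] for n in range(len(chain) - 1))

def missing_root(chain):
    """Issuer DN the client must already trust locally when the server sent no
    self-signed root (a normal configuration, as the thread notes), else None."""
    last = chain[-1]
    return None if is_self_signed(last) else last["issuer"]
```

Run `openssl s_client -connect host:993 -showcerts` and feed its output to `parse_chain` to check a live server the same way.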