| 1 |
On Fri, Jun 15, 2007 at 03:54:11PM -0400, Penguin Lover Willie Wong squawked: |
| 2 |
> But thanks to that, I got on the right direction: turns out that my |
| 3 |
> department switched from using a self-signed certificate to using one |
| 4 |
> from IPSCA, so I've been barking up the wrong tree when trying to |
| 5 |
> solve the problem. The link that I gave was, apparent to me now, old, |
| 6 |
> and so importing that cert had no impact. I went and imported the |
| 7 |
> IPSCA root cert and now all's good. |
| 8 |
|
| 9 |
What's up with openssl and ca-certificates? |
| 10 |
|
| 11 |
Trying to connect to my school's imap server, I get |
| 12 |
|
| 13 |
openssl s_client -connect imap.math.princeton.edu:993 |
| 14 |
<snip> |
| 15 |
Verify return code: 19 (self signed certificate in certificate chain) |
| 16 |
|
| 17 |
But if I issue |
| 18 |
|
| 19 |
openssl s_client -connect imap.math.princeton.edu:993 -CApath /etc/ssl/certs/ |
| 20 |
<snip> |
| 21 |
Verify return code: 0 (ok) |
| 22 |
|
| 23 |
It seems that the openssl s_client doesn't know about the default |
| 24 |
certs in /etc/ssl/certs (The one in question is IPSCa's root |
| 25 |
certificate, which is included in the ca-certificates package). |
| 26 |
|
| 27 |
I think this is also the root of my problem with fetchmail: I had to |
| 28 |
include explicitly in .fetchmailrc the line 'sslcertpath |
| 29 |
/etc/ssl/certs' to have the default set of CAs recognized. |
| 30 |
|
| 31 |
Is there a configuration switch somewhere that would let openssl be |
| 32 |
aware of the root CAs that comes with the ca-certificates package? |
| 33 |
Else the latter seems rather useless. |
| 34 |
|
| 35 |
Best, |
| 36 |
|
| 37 |
W |
| 38 |
-- |
| 39 |
English lessons for programmers #28: |
| 40 |
"Fewer" is of type int; whereas "less" is of type double. |
| 41 |
Sortir en Pantoufles: up 189 days, 20:38 |
| 42 |
-- |
| 43 |
gentoo-user@g.o mailing list |
Archives