On Fri, Jun 15, 2007 at 03:54:11PM -0400, Penguin Lover Willie Wong squawked:
> But thanks to that, I got on the right direction: turns out that my
> department switched from using a self-signed certificate to using one
> from IPSCA, so I've been barking up the wrong tree when trying to
> solve the problem. The link that I gave was, apparent to me now, old,
> and so importing that cert had no impact. I went and imported the
> IPSCA root cert and now all's good.

What's up with openssl and ca-certificates?

Trying to connect to my school's imap server, I get

openssl s_client -connect imap.math.princeton.edu:993
<snip>
Verify return code: 19 (self signed certificate in certificate chain)

But if I issue

openssl s_client -connect imap.math.princeton.edu:993 -CApath /etc/ssl/certs/
<snip>
Verify return code: 0 (ok)

It seems that the openssl s_client doesn't know about the default
certs in /etc/ssl/certs (the one in question is IPSCA's root
certificate, which is included in the ca-certificates package).

I think this is also the root of my problem with fetchmail: I had to
include explicitly in .fetchmailrc the line 'sslcertpath
/etc/ssl/certs' to have the default set of CAs recognized.

Is there a configuration switch somewhere that would let openssl be
aware of the root CAs that come with the ca-certificates package?
Else the latter seems rather useless.

Best,

W
--
English lessons for programmers #28:
"Fewer" is of type int; whereas "less" is of type double.
Sortir en Pantoufles: up 189 days, 20:38
--
gentoo-user@g.o mailing list
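
The two return codes in the message above can be reproduced offline with a throwaway CA. This is an added example, not part of the original post; it assumes the `openssl` command-line tool is on the PATH, and the subject names, file names and the helper functions `verify_code`, `make_lab` and `demo` are constructed for illustration. It also shows OpenSSL's `SSL_CERT_DIR` environment variable supplying the default CA directory when no `-CApath` is given.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Every name and certificate is constructed.
set -eu

# Print the X.509 verify error number from `openssl verify` (0 = ok, ? = unparsed).
verify_code() {
  local out code
  out=$(openssl verify "$@" 2>&1 || true)
  code=$(printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at.*/\1/p' | head -n 1)
  if [ -n "$code" ]; then echo "$code"
  elif printf '%s\n' "$out" | grep -q ': OK$'; then echo 0
  else echo '?'; fi
}

# Build a throwaway root CA and a leaf certificate signed by it inside directory $1.
make_lab() {
  local d=$1
  mkdir -p "$d/certs" "$d/empty"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Constructed Test Root' \
    -keyout "$d/ca.key" -out "$d/certs/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=imap.example.test' \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/certs/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
}

# Run three checks and print their verify codes on one line, e.g. "19 0 0".
demo() {
  local d a b c
  d=$(mktemp -d)
  make_lab "$d"
  export SSL_CERT_FILE=/dev/null SSL_CERT_DIR="$d/empty"   # no usable defaults
  # -untrusted stands in for the chain (root included) that a server would send.
  # 1) The directory holds ca.pem but no <subject-hash>.0 name, so the root is not found.
  a=$(verify_code -CApath "$d/certs" -untrusted "$d/certs/ca.pem" "$d/leaf.pem")
  # 2) Add the hashed file name that OpenSSL looks up inside a CApath directory.
  ln -s ca.pem "$d/certs/$(openssl x509 -noout -hash -in "$d/certs/ca.pem").0"
  b=$(verify_code -CApath "$d/certs" -untrusted "$d/certs/ca.pem" "$d/leaf.pem")
  # 3) No -CApath at all: the same directory is the default via SSL_CERT_DIR.
  c=$(export SSL_CERT_DIR="$d/certs"; verify_code -untrusted "$d/certs/ca.pem" "$d/leaf.pem")
  rm -rf "$d"
  echo "$a $b $c"
}

demo
```

`openssl version -d` prints the OPENSSLDIR a given build was compiled with, which is where its own default `certs` directory lives.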