Re: self signed certificate in certificate chain with Comodo PositiveSSL certificate in Postfix 2.7.0
Jan 22, 2014

On Wed, Jan 22, 2014 at 04:26:34PM -0500, Ben Johnson wrote:
> > No -CAfile or -CApath options in this command-line.
>
> I see. I had actually tried adding a -CApath, but I didn't think it was
> working correctly because no matter what path I supplied, the
> certificate always ended with (what I understand to be) a "success"
>
> Verify return code: 0 (ok)

The return code from the verify callback is not the certificate
verification status. It just means the client is willing to keep

> Is there a rational explanation for this behavior? I would expect the
> openssl executable to complain that the supplied CApath is invalid
> (doesn't exist), and for the TLS session to end with something other
> than "Verify return code: 0 (ok)".

You have not told s_client to abort the connection when the peer
certificate is invalid. Since s_client() is a testing tool, it is
most useful when the certificate is invalid. So far nothing unexpected.

> $ openssl s_client -connect example.com:25 -starttls smtp -CAfile /fake/file
>
> I see the type of output that I would expect in the former scenario with

Setting CApath causes OpenSSL to search for certificates with
filenames that are constructed by appending subject DN hashes to
the CApath prefix. It is OK for these to not exist, so no error
reports when the CApath directory is bogus. Since CAfile is a
fixed location you do get error reports for opening that.
Don't set bogus values of CApath.

> In other words, -CApath doesn't really seem to work. At all. Unless I am
> misunderstanding something fundamental.

It does, but you need to know about c_rehash(1).

> > There is no problem.
>
> That's a relief! Looks like I am in good shape here, but I am curious
> about the -CApath issue described above, nonetheless.

There is still no problem. You're a little bit poorer after paying
for a certificate, but everything is working correctly.
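The -CApath behaviour and the c_rehash(1) hint in the reply above, as an added shell example that is not part of the original thread. It builds a constructed throw-away CA with the openssl command-line tool (assumed to be installed; no network access is needed), then shows that a non-existent -CApath produces no load error (only an unverified certificate), that an unreadable -CAfile is reported immediately, and that a directory populated with the <subject_hash>.0 links that c_rehash(1) creates makes verification succeed. The working directory, file names and the CA's CN are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the original thread): reproduces the -CApath
# behaviour discussed above with a constructed throw-away CA.
# Requires the openssl command-line tool; no network access is needed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CAPATH="$WORK/capath"

# Constructed self-signed test CA (assumption: any CN will do for the demo).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# Verify ca.pem against itself through the given -CApath.
# Prints "ok" or "fail" rather than relying on the exit status, so the
# result can be captured by callers running under 'set -e'.
verify_with_capath() {
    if openssl verify -CApath "$1" "$WORK/ca.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Populate CApath the way c_rehash(1) does: one symlink per CA named
# after the subject DN hash, with suffix .0 (.1, .2, ... on collisions).
rehash_capath() {
    mkdir -p "$CAPATH"
    hash="$(openssl x509 -noout -subject_hash -in "$WORK/ca.pem")"
    ln -sf "$WORK/ca.pem" "$CAPATH/$hash.0"
    echo "$hash.0"
}

make_ca

# 1. Non-existent directory: OpenSSL only looks for <hash>.N files that
#    are not there, so there is no "bad CApath" error, just an unverified
#    certificate.
echo "bogus -CApath:  $(verify_with_capath "$WORK/does-not-exist")"   # fail

# 2. A fixed -CAfile that cannot be opened is reported immediately
#    (the wording of the message varies between OpenSSL versions).
openssl verify -CAfile "$WORK/fake-file" "$WORK/ca.pem" 2>&1 | head -n 1

# 3. Hashed directory: the lookup finds <hash>.0 and verification succeeds.
link="$(rehash_capath)"
echo "created $CAPATH/$link"
echo "hashed -CApath: $(verify_with_capath "$CAPATH")"                 # ok
```

OpenSSL 1.1.0 and later ship `openssl rehash`, which creates the same hash-named links as the c_rehash(1) Perl script. The same directory lookup applies to `openssl s_client -CApath`; note that s_client keeps the connection open after a failed verification unless it is started with `-verify_return_error`, which is why the "Verify return code" line, not the connection outcome, is what to read when testing a server's chain.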