
297677 Re: 19:self signed certificate in certificate chain with Comodo PositiveSSL certificate in Postfix 2.7.0

  • Viktor Dukhovni
    Jan 22, 2014
      On Wed, Jan 22, 2014 at 09:40:39PM +0000, Viktor Dukhovni wrote:

      > > Verify return code: 0 (ok)
      >
      > The return code from the verify callback is not the certificate
      > verification status. It just means the client is willing to keep
      > going.

      Sorry, small correction, in s_client when you see:

      ...
      verify error:num=20:unable to get local issuer certificate
      verify return:1
      depth=0 CN = mail.example.com
      verify error:num=27:certificate not trusted
      verify return:1
      depth=0 CN = mail.example.com
      verify error:num=21:unable to verify the first certificate
      verify return:1
      ---
      ...
      Compression: 1 (zlib compression)
      Start Time: 1390431462
      Timeout : 300 (sec)
      Verify return code: 21 (unable to verify the first certificate)

      Indeed the final "Verify return code" is the certificate verification
      status. It is the earlier "verify return" messages that show the
      callback processing.

      So with "Verify return code: 0 (ok)", you must have specified a
      usable CAfile or the system default location had the requisite
      root CA.

      --
      Viktor.
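
The distinction drawn in the message above, as an added example that is not part of the original post or of OpenSSL: a parser that separates the per-certificate callback lines from the final status and treats only the final "Verify return code" as the verification result. The transcripts are constructed, modeled on the quoted s_client output, and the function names are hypothetical.

```python
import re

# Constructed transcript, modeled on the s_client output quoted above.
SAMPLE_FAIL = """\
depth=0 CN = mail.example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = mail.example.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
"""

# Constructed transcript for a run where a usable CAfile was supplied.
SAMPLE_OK = """\
depth=1 CN = Example CA
verify return:1
depth=0 CN = mail.example.com
verify return:1
---
    Verify return code: 0 (ok)
"""

CALLBACK_ERR = re.compile(r"^\s*verify error:num=(\d+):(.*)$")
CALLBACK_RET = re.compile(r"^\s*verify return:(\d+)\s*$")
FINAL_STATUS = re.compile(r"^\s*Verify return code: (\d+) \((.*)\)\s*$")

def parse_s_client(text):
    """Separate verify-callback messages from the final verification status."""
    result = {"callback_errors": [], "callback_returns": [], "final": None}
    for line in text.splitlines():
        if m := CALLBACK_ERR.match(line):
            result["callback_errors"].append((int(m.group(1)), m.group(2).strip()))
        elif m := CALLBACK_RET.match(line):
            result["callback_returns"].append(int(m.group(1)))
        elif m := FINAL_STATUS.match(line):
            # Keep the last occurrence if the line appears more than once.
            result["final"] = (int(m.group(1)), m.group(2))
    return result

def chain_verified(text):
    """True only when the final 'Verify return code' is 0; callback returns are ignored."""
    final = parse_s_client(text)["final"]
    return final is not None and final[0] == 0
```

A monitoring check built on this should key on `chain_verified`, since every callback line in the failing transcript still reads `verify return:1`.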