TLS error
Steve Huston
huston at astro.Princeton.EDU
Tue Jan 28 13:26:43 EST 2003
On Tue, 28 Jan 2003, Paul Christie wrote:
> imap 2.0.17, openssl 0.9.6d
> Clients (Pine, Mulberry) connecting using STARTTLS generate messages like
> the one below. So it looks as though the server is looking for local
> certificates. SSL connections cause no such error message.
> All seems to work but I would like to know why this happens. Since there
> seems to be very little correspondence on this I suspect I have configured
> something incorrectly. Anyone else seen this?
> imapd[17369]: [ID 432150 local6.error] TLS engine: No CA file specified.
> Client side certs may not work
I get this one constantly; it's Mostly Harmless.
If the client machine were to provide a cert that would normally facilitate
authentication (i.e., instead of using a password you were using client-side
certs, signed by your own CA or by a higher authority), then Cyrus would need
to have a copy of the signer's cert (the CA file) in order to verify the
signature.
Since you're probably using STARTTLS (and/or SSL) simply for encryption, you
don't really care if the client sends a cert, and you wouldn't authenticate
against it anyway, so the fact that Cyrus can't verify a client's cert is no
big deal.
Interestingly, I had tried to set this up properly with 2.1.11, using the
ca-bundle that comes with RedHat 8.0's openssl RPM, and the TLS engine would
fail every time I used STARTTLS on a connection (but SSL worked just fine).
Confused the hell outta me until I removed the offending line from the config
file, and just let it keep complaining about not having a CA file.
--
Steve Huston - Unix Systems Administrator, Dept. of Astrophysical Sciences
Princeton University, 126 Peyton Hall, Princeton, NJ 08544
(609) 258-7375 | ICBM Address: 40.346525 -74.651285
"On my ship, the Rocinante, wheeling through the galaxies; headed for the
heart of Cygnus, headlong into mystery." -Rush, 'Cygnus X-1'
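Added illustration, not part of the original thread and not Cyrus code: the script below reproduces, with nothing but the openssl command line, the situation the "No CA file specified" log line describes. It builds a throwaway CA, issues a client certificate for a hypothetical user, and then verifies that certificate twice: once with no CA file (the server's state in the log line, where the client cert cannot be checked) and once with the CA file supplied (what pointing the server at the signer's cert, e.g. Cyrus's tls_ca_file, gives it). The CA name "Example Mail CA", the user "paul" and all file names are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not from the original thread). Demonstrates why a server
# without a CA file cannot verify a client certificate, using only openssl.
# Assumed/hypothetical names: "Example Mail CA", user "paul", files in cwd.
set -u

# Create a private CA: RSA key plus a self-signed certificate marked CA:TRUE.
# An explicit config file is used so the result does not depend on the
# system openssl.cnf defaults.
make_ca() {
    cat > ca.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Example Mail CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
        -config ca.cnf -keyout ca.key -out ca.pem >/dev/null 2>&1
}

# Issue a client (user) certificate signed by that CA: build a CSR for the
# user, then sign it with the CA key, marking it as a TLS client cert.
issue_client_cert() {
    user="$1"
    printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = %s\n' \
        "$user" > client.cnf
    printf 'basicConstraints = CA:FALSE\nextendedKeyUsage = clientAuth\n' \
        > client.ext
    openssl req -new -newkey rsa:2048 -nodes -config client.cnf \
        -keyout client.key -out client.csr >/dev/null 2>&1 &&
    openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -days 1 -extfile client.ext -out client.pem >/dev/null 2>&1
}

# Verify a client certificate the way a TLS server would ("sslclient"
# purpose). $1 is the CA file; an empty string means "No CA file specified",
# the state in the log line. $2 is the client certificate.
# Returns 0 only when OpenSSL reports "<file>: OK".
verify_client_cert() {
    cafile="$1"; cert="$2"
    if [ -n "$cafile" ]; then
        out=$(openssl verify -purpose sslclient -CAfile "$cafile" "$cert" 2>&1) || true
    else
        # No trust anchor for our private CA: the chain cannot be built.
        out=$(openssl verify -purpose sslclient "$cert" 2>&1) || true
    fi
    printf '%s\n' "$out"
    printf '%s\n' "$out" | grep -q ': OK$'
}

# Run the whole scenario in a scratch directory and report both outcomes.
run_demo() {
    cd "$(mktemp -d)" && make_ca && issue_client_cert paul &&
    { verify_client_cert "" client.pem; echo "no CA file: exit $?"; } &&
    { verify_client_cert ca.pem client.pem; echo "with CA file: exit $?"; }
}

# Usage: sh this_script.sh demo
if [ "${1-}" = demo ]; then run_demo; fi
```

The first verification fails with "unable to get local issuer certificate" (the server has nothing to chain the client cert to), the second prints "client.pem: OK". Against a live server the end-to-end equivalent is `openssl s_client -connect host:143 -starttls imap -cert client.pem -key client.key`, which performs the STARTTLS upgrade discussed in the thread and shows whether the server requests a client certificate and accepts it.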