tls engine certs signed by Chained Certificate of Authority
Goetz Babin-Ebell
goetz at shomitefo.de
Sun Nov 12 09:37:20 EST 2006
Hello Paul,
Paul Pruett wrote:
> I hacked some variations on the files trying to get imap applications to
> realize the root was not the cert for registerfly, but the cert that
> registerfly gave me, and then use server key for that cert...
> but it seems that from the log I cannot get the TLS engine to pick
> the right cert to find key for.
>
> OR I just do not know how to configure for a Chained Certificate of
> Authority.
Try the following patch:
- --- cyrus-imapd-2.2.12/imap/tls.c 2004-05-04 21:47:34.000000000 +0200
+++ cyrus-imapd-2.2.12-new/imap/tls.c 2006-11-12 15:28:05.000000000 +0100
@@ -357,8 +357,8 @@
const char *cert_file, const char *key_file)
{
if (cert_file != NULL) {
- - if (SSL_CTX_use_certificate_file(ctx, cert_file,
- - SSL_FILETYPE_PEM) <= 0) {
+ if (SSL_CTX_use_certificate_chain_file(ctx, cert_file,
+ SSL_FILETYPE_PEM) <= 0) {
syslog(LOG_ERR, "unable to get certificate from '%s'", cert_file);
return (0);
}
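Review bot: the replacement call in this hunk has the wrong arity: SSL_CTX_use_certificate_chain_file() takes only (ctx, file), always reads PEM, and has no file-type parameter, so the extra SSL_FILETYPE_PEM argument will not compile against OpenSSL's prototype. Drop it: `if (SSL_CTX_use_certificate_chain_file(ctx, cert_file) <= 0) {`. Worth stating in the commit text that this function treats the first PEM certificate in the file as the server certificate and every following one as chain material, which is why the file order listed after the patch matters.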
and the cert file must contain:
1. your server cert
2. the intermediate (chain) CA cert(s)
(in the order lowest cert to top level cert)
3. the root cert (optionally)
in that order.
This requires openssl >= 0.97.
Bye
Goetz
--
DMCA: The greed of the few outweighs the freedom of the many
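As an added check, not Cyrus code and not part of this thread: a small Python script that reads a PEM bundle and confirms that each certificate is issued by the one after it, i.e. the server-cert-first, leaf-to-root order the chain-file call expects. It compares raw DER issuer and subject names only and does not verify signatures; the fake_cert_pem helper is a constructed, unsigned stand-in used purely as test input.

```python
import base64, re

# Added example (not Cyrus code): check that a PEM bundle is in the order that
# SSL_CTX_use_certificate_chain_file() expects, i.e. server cert first and every
# cert issued by the one that follows it. Signatures are NOT verified here.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):  # parse one DER TLV header -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(der):  # raw DER of (issuer, subject) Names of one X.509 cert
    _, pos, _ = _tlv(der, 0)                           # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)                         # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                                    # optional [0] EXPLICIT version
        pos = end
    for _ in range(2):                                 # serialNumber, signature AlgorithmIdentifier
        _, _, pos = _tlv(der, pos)
    _, _, end = _tlv(der, pos)
    issuer, pos = der[pos:end], end
    _, _, pos = _tlv(der, pos)                         # validity
    _, _, end = _tlv(der, pos)
    return issuer, der[pos:end]

def check_chain_order(pem_text):  # [] when ordered leaf -> root, else a list of problems
    certs = [base64.b64decode("".join(m.group(1).split())) for m in PEM_RE.finditer(pem_text)]
    if not certs:
        return ["no certificates found in bundle"]
    names = [issuer_and_subject(c) for c in certs]
    return [f"certificate {i} is not issued by certificate {i + 1}: wrong order or missing intermediate"
            for i in range(len(names) - 1) if names[i][0] != names[i + 1][1]]

# Constructed test data: minimal, UNSIGNED X.509-shaped structures, not real certificates.
def _der(tag, body):                                   # short-form DER lengths only (< 128 bytes)
    return bytes([tag, len(body)]) + body

def _name(cn):  # Name ::= SEQUENCE { SET { SEQUENCE { OID commonName, UTF8String } } }
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn))))

def fake_cert_pem(subject, issuer):
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")                 # v3, serial 1
           + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))     # sha256WithRSA
           + _name(issuer) + _der(0x30, _der(0x17, b"000101000000Z") * 2)         # issuer, validity
           + _name(subject) + _der(0x30, b""))                                    # subject, empty SPKI
    cert = _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))   # tbs, sigalg, sig
    return f"-----BEGIN CERTIFICATE-----\n{base64.b64encode(cert).decode()}\n-----END CERTIFICATE-----\n"
```

Run check_chain_order() on the concatenated file before pointing Cyrus at it; a non-empty result means the bundle is out of order or an intermediate is missing.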