tls_ca_path and tls_ca_file

Goetz Babin-Ebell goetz at shomitefo.de
Tue Oct 10 15:18:30 EDT 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Andreas Benzing wrote:
> Hello,
Hello Andreas,

> could somebody please tell me what tls_ca_path is good for if it is
> somehow ignored in the config file? For other servers putting the
> different CA certs in one directory is enough, but cyrus needs an extra
> file with all of them in a single file. Shouldn't this be the purpose of
> tls_ca_path?

Without looking at the cyrus and the openssl code:

the tls_ca_path directory is used in certificate verification:
a checksum is calculated from the issuer DN of the cert to verify;
this 32-bit value is used as a file name in tls_ca_path to load
the CA certificate.

This way you don't need to load beforehand all the certificates
that you may need to verify a peer.

On the other hand the certificates in tls_ca_file are loaded
before the TLS handshake is done and directly used to verify
the peer.
(This file is also used to build the server's CA certificate
 chain that is sent to the client.)


So tls_ca_path is primarily useful in client configurations,
because you may have a large number of trusted CA certificates.

On the server side tls_ca_path is less useful,
because you must have the complete list of
CA certificates you accept before you start a handshake:
you send this list (only the subject names) to
the client, telling it which CA certificates you accept
for client authentication.

You can still use it for intermediate CA certificates
and CRLs.


I don't know how other servers handle the tls_ca_path.
Perhaps they iterate over the certificate files in it
to build the client list, or their client verification code
is f*ed up and only seems to work...

Bye

Goetz

- --
DMCA: The greed of the few outweighs the freedom of the many
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFK/IG2iGqZUF3qPYRAgLiAJ0YDacJ3wH8ZzeeON2KlT2L6h57awCfU2r0
R74oV6cOAPkNOaXGB0EYxgE=
=XwoO
-----END PGP SIGNATURE-----
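The lookup Goetz describes is OpenSSL's CApath mechanism, which is what cyrus hands tls_ca_path to. The script below is an added example, not part of the mail or of cyrus: it builds a constructed test PKI (one self-signed CA, one leaf it signed), drops the CA into a directory first under an ordinary file name and then under the name OpenSSL actually looks for (the subject-name hash plus `.0`), and checks with `openssl verify` which layout works. It assumes only that the `openssl` command-line tool is installed; the file names, subjects and directory layout are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original mail: build a directory laid out the
# way OpenSSL's CApath lookup (and so cyrus' tls_ca_path) expects, and show that
# a CA certificate is found by the hash of its subject name, not by file name.
# Assumes only the `openssl` command-line tool; the PKI below is constructed.
set -e

WORK="$(mktemp -d)"
CA_DIR="$WORK/capath"
trap 'rm -rf "$WORK"' EXIT

# Constructed test PKI: a self-signed CA and one leaf certificate it signed.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
        -subj "/CN=Constructed Test CA" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
        -subj "/CN=imap.example.test" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/leaf.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# File name OpenSSL derives for a CA in a CApath directory: <subject hash>.<n>,
# where the hash is 32 bits printed as 8 hex digits and n disambiguates
# collisions (0 for the first certificate with that hash).
ca_hash_name() {
    printf '%s.0' "$(openssl x509 -noout -hash -in "$1")"
}

# Copy the CA under an arbitrary name: a directory full of CA certs that
# OpenSSL never opens, because no name matches the issuer hash it computes.
install_ca_unhashed() {
    mkdir -p "$CA_DIR"
    cp "$1" "$CA_DIR/$(basename "$1")"
}

# Copy the CA under its hashed name; c_rehash / `openssl rehash` do this
# for every certificate in a directory.
install_ca_hashed() {
    mkdir -p "$CA_DIR"
    cp "$1" "$CA_DIR/$(ca_hash_name "$1")"
}

# tls_ca_path style: trust anchors are looked up on demand in the directory.
# Exit status 0 only if the leaf chains to a CA that was actually found there.
verify_with_capath() {
    openssl verify -CApath "$CA_DIR" "$WORK/leaf.pem" 2>/dev/null | grep -q ': OK$'
}

# tls_ca_file style: all trust anchors are read from one bundle up front.
verify_with_cafile() {
    openssl verify -CAfile "$WORK/ca.pem" "$WORK/leaf.pem" 2>/dev/null | grep -q ': OK$'
}

# Run the three cases from a clean directory and report one line per case.
run_demo() {
    make_test_pki
    rm -rf "$CA_DIR"
    install_ca_unhashed "$WORK/ca.pem"
    if verify_with_capath; then echo "unhashed name in CApath: OK"
    else echo "unhashed name in CApath: FAIL"; fi
    install_ca_hashed "$WORK/ca.pem"
    if verify_with_capath; then echo "hashed name in CApath: OK"
    else echo "hashed name in CApath: FAIL"; fi
    if verify_with_cafile; then echo "CAfile bundle: OK"
    else echo "CAfile bundle: FAIL"; fi
}

run_demo
```

The first case fails and the second succeeds with the same bytes in the same directory, which is exactly why a directory that "works for other servers" can be ignored by an OpenSSL-based one: the names have to be the hashes, so the directory must be rehashed (c_rehash, or `openssl rehash` on OpenSSL 1.1.0 and later) whenever a certificate is added. The hash algorithm changed in OpenSSL 1.0.0; `openssl x509 -subject_hash_old` prints the name an older library would look for. The server-side point in the mail, that the list of acceptable client CAs sent in the handshake is built from the file and not from the directory, is a property of how the library is driven by the server and is not exercised here.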


More information about the Info-cyrus mailing list