tls_ca_path and tls_ca_file
Andreas Benzing
mail at andreas-benzing.de
Tue Oct 10 16:09:31 EDT 2006
Hello once more,
Goetz Babin-Ebell wrote:
> Andreas Benzing schrieb:
>> Hello,
> Hello Andreas,
>
>> could somebody please tell me what tls_ca_path is good for if it is
>> somehow ignored in the config file? For other servers, putting the
>> different CA certs in one directory is enough, but cyrus needs an extra
>> file with all of them in a single file. Shouldn't this be the sense of
>> tls_ca_path?
>
> Without looking in the cyrus and the openssl code:
>
> the tls_ca_path directory is used in certificate verification:
> a checksum is calculated from the issuer DN of the cert to verify;
> this 32 bit value is used as a file name in tls_ca_path to load
> the CA certificate.
Now this and the hint with c_rehash makes things clearer. I didn't know
that cyrus is only looking for specific filenames. So it works now =)
> Now, tls_ca_path is primarily useful in client configurations,
> because you may have a big number of trusted CA certificates.
>
> On the server side, tls_ca_path is less useful,
> because you must have the complete list of
> CA certificates you accept before you start a handshake,
> since you send this list (only the subject names) to
> the client to tell it which CA certificates you accept
> for client authentication.
Which takes me to the next question, which may be in the wrong place here:
I only came to this problem because when connecting with Thunderbird
there was an error establishing an encrypted connection. After
investigating the log files I found that the server could not verify a
cert I wanted to use with Thunderbird to sign messages.
Now the question is: Why did Thunderbird try to authenticate with the
cert when my server (with the old config) did not have any CA certs at all?
Andreas
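As an added example (not from this thread and not Cyrus's own code), the POSIX shell script below builds an OpenSSL hashed CA directory, the layout tls_ca_path expects and c_rehash produces, and shows that verification only finds a CA stored under its subject-hash filename. The throwaway CA, the leaf certificate and all paths are constructed for the demo; it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example: populate a tls_ca_path-style directory by hand and verify
# against it. Everything here (CA, leaf cert, paths) is constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CAPATH="$WORK/ca-dir"          # stand-in for the directory tls_ca_path points at
mkdir -p "$CAPATH"

# Constructed throwaway CA plus one leaf certificate signed by it (demo only).
make_demo_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-client" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/leaf.pem" 2>/dev/null
}

# Install one CA cert under the name OpenSSL's directory lookup uses:
# <subject hash>.0, then .1, .2, ... when two subjects hash alike.
# This is what c_rehash does for every cert in the directory.
install_ca() {
  cert=$1
  h=$(openssl x509 -noout -subject_hash -in "$cert")   # 32-bit hash, 8 hex digits
  n=0
  while [ -e "$CAPATH/$h.$n" ]; do n=$((n + 1)); done
  cp "$cert" "$CAPATH/$h.$n"
  echo "$h.$n"
}

# Verify a certificate against the directory; the exit status is openssl's.
verify_against_capath() {
  openssl verify -CApath "$CAPATH" "$1" >/dev/null 2>&1
}
```

Copying a CA file into the directory under any other name (ca.pem, for instance) leaves verification failing, which is the symptom described at the start of the thread.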