tls_ca_path and tls_ca_file

Goetz Babin-Ebell goetz at shomitefo.de
Tue Oct 10 19:17:24 EDT 2006



Andreas Benzing schrieb:
> Hello once more,
Hello Andreas,

> Goetz Babin-Ebell wrote:
>> Andreas Benzing schrieb:
>>
>> the tls_ca_path directory is used in certificate verification:
>> a checksum is calculated from the issuer DN of the cert to verify,
>> and this 32 bit value is used as a file name in tls_ca_path to load
>> the CA certificate.
> 
> Now this and the hint with c_rehash makes things clearer. I didn't know
> that cyrus is only looking for specific filenames. So it works now =)

the 32 Bit hash is the only way to determine the file name
from the subject / issuer DN...

> Which takes me to the next question that may be in the wrong place here:
> I only came to this problem because when connecting with thunderbird
> there was an error establishing an encrypted connection. After
> investigating the logfiles I found that the server could not verify a
> cert I wanted to use with thunderbird to sign messages.
> Now the question is: Why did thunderbird try to authenticate with the
> cert when my server (with the old config) did not have any CA certs at all?

Accepting client authentication without providing the list of
acceptable CA certificates is a misconfiguration that is not
common but happens.

My knowledge of the TLS specification is not deep enough to know
how the client and server SHOULD act in this situation,
but some clients pick a client certificate and send it to
the server.
OpenSSL allows this misconfiguration but requires that
the client certificate is verified by callbacks provided
by the user of the library.

To make it clear:

Server: "I accept client certificate but won't tell you
         which CAs I trust"
Client: "OK, let's try this one..."
Server: "Sorry, I don't know your issuer."

Bye

Goetz

-- 
DMCA: The greed of the few outweighs the freedom of the many
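The hashed-filename lookup Goetz describes, as an added example that is not part of the thread: a small POSIX shell script that does for one CA file what c_rehash does (store it under `<subject-hash>.N` in the tls_ca_path directory, using the next suffix when two distinct CAs share a hash), plus a verify helper showing that a CA stored under any other name is not found. It assumes the `openssl` CLI is on PATH; the hash algorithm changed in OpenSSL 1.0.0 (the older one is available as `-subject_hash_old`), so the directory must be hashed by the OpenSSL version the server links against.

```shell
#!/bin/sh
# Install a CA certificate under the name OpenSSL's tls_ca_path lookup
# expects: <subject-hash>.N, where N separates CAs whose hash collides.
# Constructed example; assumes the openssl CLI is on PATH.
set -eu

# Print the 8-hex-digit hash of the certificate's subject DN.
ca_hash() {
    openssl x509 -noout -subject_hash -in "$1"
}

# Print the SHA-256 fingerprint, used to tell distinct CAs apart.
ca_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1"
}

# install_ca_hashed DIR CAFILE: copy CAFILE to DIR/<hash>.N and print
# that path. An already installed copy is reused; a different CA with
# the same hash gets the next free suffix, as c_rehash does.
install_ca_hashed() {
    dir=$1; cafile=$2
    hash=$(ca_hash "$cafile")
    fp=$(ca_fingerprint "$cafile")
    mkdir -p "$dir"
    n=0
    while [ -e "$dir/$hash.$n" ]; do
        if [ "$(ca_fingerprint "$dir/$hash.$n")" = "$fp" ]; then
            echo "$dir/$hash.$n"
            return 0
        fi
        n=$((n + 1))
    done
    cp "$cafile" "$dir/$hash.$n"
    echo "$dir/$hash.$n"
}

# verify_with_ca_path DIR CERT: succeed only if CERT chains to a CA that
# the hashed-name lookup can find in DIR (the check the server performs).
verify_with_ca_path() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}
```

A CA dropped into the directory as `ca.pem` is silently ignored by the lookup, which is the failure mode behind the "I don't know your issuer" outcome above.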


More information about the Info-cyrus mailing list