tls self-signed certificates

Craig White craigwhite at azapple.com
Wed Oct 17 21:55:43 EDT 2007


On Tue, 2007-10-16 at 08:23 -0700, Craig White wrote:
> How do people generate self-signed certificates as this no longer works
> for me...
> 
> #### generate cyrus certificate ####
> openssl req -config /etc/ssl/openssl.cnf \
> -new -x509 -nodes \
> -out /etc/ssl/cyrus-global.pem \
> -keyout /etc/ssl/cyrus-global.pem \
> -days 3650
> openssl gendh 512 >> /etc/ssl/cyrus-global.pem
> 
> and I used to use this cyrus-global.pem for both tls_cert_file and
> tls_key_file...
> 
> tls_cert_file: /etc/ssl/cyrus-global.pem
> tls_key_file: /etc/ssl/cyrus-global.pem
> tls_ca_file: /etc/ssl/private/cacert.pem
> 
> but this fails...
> Oct 16 08:22:47 spot imaps[7905]: imaps TLS negotiation failed:
> ip68-230-71-199.ph.ph.cox.net [68.230.71.199]
> Oct 16 08:22:47 spot imaps[7905]: Fatal error: tls_start_servertls()
> failed
> 
> suggestions anyone?
----
OK - what I discovered was that TLS works with this setup (telnet
localhost 143)

IMAP/SSL doesn't seem to work when you 'telnet localhost 993' but on a
client that is forgiving for self-signed certificates, it does actually
work. So much for my testing methodology.

Sorry for the noise

Craig
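
Added example, not part of the original post: a way to check a combined PEM like the cyrus-global.pem above before pointing both tls_cert_file and tls_key_file at it, and to probe each listener with a TLS-capable client. It works in a scratch directory with a constructed subject name and a 2048-bit RSA key; the function names and the host argument are hypothetical.

```shell
#!/bin/sh
# Added example. Constructed subject name; nothing here touches /etc/ssl.

# Build a key and self-signed certificate, then concatenate them into one PEM
# (written to separate files first so the result does not depend on how
# openssl handles identical -out and -keyout paths).
make_combined_pem() {
    dir=$1
    openssl req -new -x509 -nodes -newkey rsa:2048 \
        -subj "/CN=imap.example.test" -days 365 \
        -out "$dir/cert.pem" -keyout "$dir/key.pem" 2>/dev/null || return 1
    cat "$dir/key.pem" "$dir/cert.pem" > "$dir/combined.pem"
}

# Return 0 when the private key and the certificate in one PEM belong together:
# both must yield the same public key. Return 2 if either part cannot be read.
pem_key_matches_cert() {
    pem=$1
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when the certificate is self-signed (issuer equals subject).
pem_is_self_signed() {
    pem=$1
    subj=$(openssl x509 -in "$pem" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$pem" -noout -issuer | sed 's/^issuer= *//')
    [ "$subj" = "$iss" ]
}

# Port 143 starts in cleartext and upgrades with STARTTLS; port 993 is TLS
# from the first byte. A plain telnet session cannot complete either handshake.
probe_starttls() { openssl s_client -connect "$1:143" -starttls imap </dev/null; }
probe_imaps()    { openssl s_client -connect "$1:993" </dev/null; }

# Stand-alone run: build a scratch PEM and report the two checks.
tmp=$(mktemp -d)
if make_combined_pem "$tmp" && pem_key_matches_cert "$tmp/combined.pem" \
    && pem_is_self_signed "$tmp/combined.pem"; then
    echo "combined.pem: key matches certificate, certificate is self-signed"
fi
rm -rf "$tmp"
```

With a self-signed certificate, s_client still completes the handshake and prints a non-zero "Verify return code", which is the behaviour a forgiving mail client accepts.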


