Re: [Exim] TLS and Intermediate (root) certificates

Author: Philip Hazel
Date:  
To: William Gerken
CC: exim-users
New topics: Re: [Exim] TLS and Intermediate (root) certificates
Subject: Re: [Exim] TLS and Intermediate (root) certificates
On Tue, 13 Nov 2001, William Gerken wrote:

[reformatted to a shorter line length]

> I have successfully configured Exim to act as a TLS server for
> incoming connections from Outlook and Netscape clients. This worked very
> smoothly except for the small detail that the clients are being prompted
> to verify the certificate, with a message along the lines of "A
> certificate chain processed correctly, but terminated in a root
> certificate which is not trusted by the trust provider". Now the
> certificate is a valid cert signed by Equifax and it verifies correctly
> on the server using the openssl utilities. I believe I have tracked
> the problem down to a requirement for sending the intermediate cert that
> was supplied by Equifax to the client along with the server's cert;
> however, unlike Apache, which supplies the directives
> "SSLCACertificateFile" and "SSLCertificateChainFile", I cannot find
> this functionality in Exim.


That's because I'm extremely ignorant about SSL and how certificates
work. The code for TLS support in Exim was originally implemented by
somebody who gave it to me for incorporating and tidying. I seem to
recall that the documentation for OpenSSL was not very helpful, so I
just implemented something that appeared to work.

So the bottom line is that I don't know what this functionality is or
how to implement it. Presumably there's some function in OpenSSL that
one can call in order to pass over the name of a file that matches
"SSLCertificateChainFile". I'm assuming that "SSLCACertificateFile" is
the equivalent of Exim's existing tls_certificate option (which causes
the SSL_CTX_use_certificate_file() function to be run).

There seem to be some functions in OpenSSL with the word "chain" in
their title, but I'm not at all sure what they do.

Anybody on this list an SSL expert?


-- 
Philip Hazel            University of Cambridge Computing Service,
ph10@???      Cambridge, England. Phone: +44 1223 334714.
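Added example, not part of the original message or of Exim: a shell check for the exact symptom William reports, a server that presents only its own certificate and not the Equifax intermediate, by parsing the "Certificate chain" section that `openssl s_client -showcerts` prints. The host name and the certificate subjects in the samples are constructed; on the API side, OpenSSL's SSL_CTX_use_certificate_chain_file() loads a PEM file holding the server certificate followed by its intermediates, which is the counterpart to Apache's SSLCertificateChainFile.

```shell
#!/bin/sh
# Added example (not from the original mail). Checks the symptom in the
# thread: a server that presents only its own certificate, so the client
# cannot build a chain to a trusted root. Run against a live Exim server:
#   openssl s_client -connect mail.example.com:25 -starttls smtp -showcerts \
#       </dev/null 2>/dev/null | chain_status
# (mail.example.com is a placeholder host name.)

# chain_status: read s_client output on stdin; print one of
#   no-chain              no "Certificate chain" section found (handshake failed?)
#   missing-intermediate  only the leaf was sent and it is not self-signed
#   ok                    leaf plus at least one further certificate sent
# It checks that the intermediate is present, not whether the root is trusted.
chain_status() {
  awk '
    /^Certificate chain/            { inchain = 1; next }
    inchain && /^---/               { exit }              # end of the section
    inchain && /^ *[0-9]+ s:/       { n++; sub(/^ *[0-9]+ s:/, ""); subj[n] = $0 }
    inchain && /^ *i:/              { sub(/^ *i:/, ""); iss[n] = $0 }
    END {
      if (n == 0)                            print "no-chain"
      else if (n == 1 && subj[1] != iss[1])  print "missing-intermediate"
      else                                   print "ok"
    }'
}

# Constructed samples of the relevant section of s_client output.
LEAF_ONLY='Certificate chain
 0 s:/C=US/O=Example Mail/CN=mail.example.com
   i:/C=US/O=Example CA/OU=Intermediate CA
---
Server certificate'

WITH_INTERMEDIATE='Certificate chain
 0 s:/C=US/O=Example Mail/CN=mail.example.com
   i:/C=US/O=Example CA/OU=Intermediate CA
 1 s:/C=US/O=Example CA/OU=Intermediate CA
   i:/C=US/O=Example CA/OU=Root CA
---
Server certificate'

printf '%s\n' "$LEAF_ONLY"         | chain_status   # missing-intermediate
printf '%s\n' "$WITH_INTERMEDIATE" | chain_status   # ok
```

The awk patterns accept both the old `s:/C=US/...` and the newer `s:C = US, ...` subject layout, so the check works across OpenSSL releases.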