Re: [exim] Ignoring SSL-Errors on self signed certificates

Author: Chris Siebenmann
Date:  
To: Juergen Edner
CC: exim-users, cks
Subject: Re: [exim] Ignoring SSL-Errors on self signed certificates
> > All works as expected, but the Servers have just self signed
> > certificates and when the second Server sends an E-Mail I always get
> > this warning:
> >
> > SSL verify error: depth=0 error=self signed certificate
> > cert=/C=DE/ST=Sachsen/L=Dresden/O=Luca
> > Bertoncello/CN=*.lucabert.de/emailAddress=webmaster@???
> >
> > This is normal, of course, but I'd like to suppress this warning, in
> > order to have a cleaner log.
>
> why is it normal to get an SSL verification error when using
> a self signed certificate?
>
> A self-signed certificate is not that different from official
> certificates. You have to make sure that the certificate chain
> of the self-signed certificate can be verified.


True self-signed certificates don't have a certificate chain. To set
up a certificate chain, you need to create a local CA and then sign
end certificates with it, which is somewhat more complicated than just
generating certificates and using them.

It would be convenient if you could directly put copies of self-signed
certificates in some location in order to have them pass validation, but
as far as I know this is not supported by anything. As a result most
people use self-signed certificates and ignore (and often suppress) any
complaints about validation from programs (as here).

    - cks
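
The local-CA setup described in this message, as an added example that is not part of the original post: it creates a bare self-signed certificate, then a local CA with an end certificate signed by it, and checks both against the CA file with the `openssl` command-line tool. The names `Example Local CA` and `mail.example.test`, the file names and the function names are constructed for illustration; it assumes the system's default OpenSSL configuration file is present.

```shell
#!/bin/sh
# Added example: a bare self-signed certificate vs. a local CA plus signed end cert.
# All subject names and file names below are constructed placeholders.

# Stand-alone self-signed certificate: issuer and subject are the same, no chain.
make_selfsigned() {  # $1 = output directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=mail.example.test" \
        -keyout "$1/self.key" -out "$1/self.pem" 2>/dev/null
}

# Local CA (itself self-signed), then an end certificate signed by that CA.
make_ca_and_leaf() {  # $1 = output directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Local CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=mail.example.test" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/leaf.csr" -days 30 \
        -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/leaf.pem" 2>/dev/null
}

# Exit status 0 means the certificate chains to the given CA file.
verify_cert() {  # $1 = CA file, $2 = certificate to check
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print issuer and subject so the difference between the two kinds is visible.
show_names() {  # $1 = certificate
    openssl x509 -in "$1" -noout -issuer -subject
}

demo() {
    dir=$(mktemp -d) || return 1
    make_selfsigned "$dir" && make_ca_and_leaf "$dir" || return 1
    show_names "$dir/self.pem"; show_names "$dir/leaf.pem"
    verify_cert "$dir/ca.pem" "$dir/leaf.pem" && echo "leaf: chain verifies"
    verify_cert "$dir/ca.pem" "$dir/self.pem" || echo "self-signed: rejected"
    rm -rf "$dir"
}

demo
```

Only `ca.pem` has to be distributed to the verifying hosts; `ca.key` stays on the machine that signs certificates.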