* Andreas Aardal Hanssen <[EMAIL PROTECTED]> [20Nov03 08:40]:
> On Thu, 20 Nov 2003 [EMAIL PROTECTED] wrote:
> >Hi, I am still getting a bunch of weird errors when trying to get imap
> >ssl to work on FreeBSD 4.8 from the ports tree. Plain imap works, but
> >with ssl, I get this error:
> >www# openssl s_client -connect myip:993 -crlf
> >84982 0 [EMAIL PROTECTED]:] Client connected to Binc IMAP from myip
> >84981:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
> >protocol:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/
Thanks for the tips in this thread - I got imaps working no problem.

I wanted to verify my understanding: The significance of the key and cert is that they prove the identity of the server. If we didn't care about that, we wouldn't really need to generate and protect private keys and create certs - the server could just make something up on the fly, as the client already does. In this situation, the pipe between client and server would be encrypted, but neither client nor server would have any assurance, beyond the soft protection of DNS and routing, that the computer at the other end was the one they thought it was. This problem is slightly mitigated on the client end, because the client provides some authentication to get its mail.

Question: does anybody actually check the server cert that we have to go to the trouble of generating? Am I missing something when I assert that, given the profiteering and fundamental security holes in commercial PKI, most server-side certs in most uses have no effect other than to complicate installation? If so, would it be possible to remove this step, which sometimes ends up *reducing* security by causing people to give up ssl?

Joel
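[Added example, not part of the thread or of Binc IMAP.] The distinction Joel draws - an encrypted pipe versus an encrypted pipe to a server you have actually identified - can be shown end to end with Python's stdlib ssl module. The script below mints two throw-away self-signed certificates with the openssl command-line tool (assumed installed, 1.1.1 or newer for -addext): one for the "real" server and one for an impostor who, exactly as Joel describes, just makes a cert up on the fly, even claiming the same hostname. It then runs both servers on loopback and connects three ways: verifying against the real cert (succeeds), verifying but talking to the impostor (rejected by the client with CERTIFICATE_VERIFY_FAILED), and not verifying at all (the impostor is accepted, encryption and all). The IMAP greeting and all hostnames and file names are constructed for the demo.

```python
"""Encryption with and without server authentication, side by side.

Added example, not code from the thread.  Assumes the `openssl` CLI
(1.1.1+, for -addext) and Python 3.7+.  Certificates are minted into a
temp dir; nothing touches the network beyond 127.0.0.1.
"""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

BANNER = b"* OK IMAP4rev1 ready\r\n"   # constructed stand-in for an IMAP greeting


def make_self_signed(dirpath, basename, cn):
    """Mint a self-signed cert for hostname `cn` (this is a server 'making
    something up on the fly').  Returns (key_path, cert_path)."""
    key = os.path.join(dirpath, basename + ".key")
    crt = os.path.join(dirpath, basename + ".crt")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key, "-out", crt, "-days", "1",
         "-subj", "/CN=" + cn, "-addext", "subjectAltName=DNS:" + cn],
        check=True, capture_output=True)
    return key, crt


def start_server(key, crt):
    """Minimal TLS listener on 127.0.0.1 that sends BANNER after the
    handshake.  Returns (listening_socket, port)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(crt, key)
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(5)

    def serve():
        while True:
            try:
                conn, _ = lsock.accept()
            except OSError:
                return                      # listener closed: stop serving
            try:
                with ctx.wrap_socket(conn, server_side=True) as tls:
                    tls.sendall(BANNER)
            except (ssl.SSLError, OSError):
                pass                        # client refused our cert: expected below

    threading.Thread(target=serve, daemon=True).start()
    return lsock, lsock.getsockname()[1]


def connect(port, cafile=None):
    """Open a TLS session and return the banner.  With a cafile, the server
    cert must chain to it AND carry the expected hostname; with cafile=None
    verification is skipped, i.e. we encrypt to whoever answers."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cafile is not None:
        ctx.load_verify_locations(cafile)
    else:
        ctx.check_hostname = False          # must precede verify_mode = CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname="localhost") as tls:
            return tls.recv(64)


def stop_server(lsock):
    try:
        lsock.shutdown(socket.SHUT_RDWR)    # wakes the blocked accept()
    except OSError:
        pass
    lsock.close()


def run_demo():
    """Returns a dict with the outcome of the three client configurations."""
    with tempfile.TemporaryDirectory() as d:
        real_key, real_crt = make_self_signed(d, "real", "localhost")
        imp_key, imp_crt = make_self_signed(d, "impostor", "localhost")  # same name!
        real_sock, real_port = start_server(real_key, real_crt)
        imp_sock, imp_port = start_server(imp_key, imp_crt)
        try:
            out = {"real_server_verified": connect(real_port, cafile=real_crt)}
            try:
                connect(imp_port, cafile=real_crt)
                out["impostor_verified"] = "accepted"   # would mean verification is broken
            except ssl.SSLCertVerificationError as e:
                out["impostor_verified"] = "rejected: " + e.reason
            out["impostor_unverified"] = connect(imp_port, cafile=None)
            return out
        finally:
            stop_server(real_sock)
            stop_server(imp_sock)


if __name__ == "__main__":
    for name, result in run_demo().items():
        print("%-20s %r" % (name, result))
```

The third outcome is the one that matters for the question: with verification off, the handshake completes, the traffic is encrypted, and the client has no idea it is talking to the impostor. Whether real mail clients check the cert depends on their configuration, but the check is only as good as the trust store it is run against; a self-signed cert pinned as the cafile, as above, is a perfectly workable trust anchor for a single server.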
