On Tue, 10 Jun 2003, Abraham Backus wrote:
> After reading the code more, I discovered that most (if not all) of this is
> already available and that I should probably learn more about manipulating
> the NET_NOVALIDATECERT flag and how to make c-client/imapd do what I want it
> to (only allow connections that use certificates issued by a private CA).

NET_NOVALIDATECERT is an internal flag used by the low-level net_open() call, reflecting the /novalidate-cert switch in the specification used in the name in the higher-level call. It doesn't stipulate "only validate certificates issued by a private CA".

But, if this is a system you manage, why not just install only your private CA certs on /usr/local/ssl/certs and not the regular certs?

> My query was largely based on some documentation available that doesn't
> mention verification/validation.

I think the issue of validation was mentioned in the release notes.

> This is probably overkill for my scenario

I think that you hit the nail on the head. IMHO, you'd be better off using physical isolation, e.g. having clients and servers on a private network (possibly with a NAT box to the outside world). One of the dangers of being overly paranoid is if the day comes that you may have to crack your own network to get in...

> I think that SSLv23 also enables TLSv1, then setting the SSL_OP_NO_SSLv2
> flag disables SSLv2.

I am pretty sure that SSLv23 does not allow TLSv1. Or at least it doesn't in one of the combinations. In any case, TLSv1 is only to be used with the STARTTLS command.

-- Mark --

http://staff.washington.edu/mrc
Science does not emerge from voting, party politics, or public debate.
Si vis pacem, para bellum.
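
An added example, not part of the original message or of c-client: a shell demonstration, using the `openssl` command-line tool, of the approach suggested above, where only the private CA is installed in the certificate directory. The CA names, host names and temporary directory are constructed for the demo; the temporary directory stands in for the certificate directory named in the message.

```shell
#!/bin/sh
# Constructed demo: every name, subject and path below is an assumption.
# A temp directory stands in for the certificate directory named in the message.
set -u
WORK=$(mktemp -d)
TRUST="$WORK/certs"
mkdir "$TRUST"
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed CA certificate $WORK/NAME.pem with key $WORK/NAME.key
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_leaf NAME CA: server certificate $WORK/NAME.pem signed by CA
issue_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null &&
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" \
        -CAkey "$WORK/$2.key" -CAcreateserial -days 2 \
        -out "$WORK/$1.pem" 2>/dev/null
}

# install_ca NAME: copy the CA into the trust directory under its subject-hash
# name, the <hash>.0 layout OpenSSL uses to find issuers in a directory
install_ca() {
    hash=$(openssl x509 -noout -hash -in "$WORK/$1.pem") &&
    cp "$WORK/$1.pem" "$TRUST/$hash.0"
}

# validates NAME: exit status 0 only if NAME chains to a CA in the directory
validates() {
    openssl verify -CApath "$TRUST" "$WORK/$1.pem" >/dev/null 2>&1
}

make_ca private-ca && make_ca other-ca
issue_leaf imap-internal private-ca
issue_leaf imap-elsewhere other-ca
install_ca private-ca            # other-ca is deliberately not installed

for leaf in imap-internal imap-elsewhere; do
    if validates "$leaf"; then echo "$leaf: accepted"
    else echo "$leaf: rejected"; fi
done
```

Validation against the directory accepts only the certificate issued by the installed CA; the second certificate is rejected until its issuer is also installed.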
