On Sat, Feb 15, 2014 at 09:26:35PM +0100, Frank Brodbeck wrote:
> Hi,
> 
> On Fri, Feb 14, 2014 at 07:24:32PM -0500, Ted Unangst wrote:
> > I would try using a full path.
> > 
> > pki example ca "/etc/ssl/myca.pem"
> 
> I already tried it with full path. But I got it working now by
> specifying certificate and key, too:
> 
> pki example certificate "/etc/ssl/relay.crt"
> pki example key "/etc/ssl/private/relay.key"
> pki example ca "/etc/ssl/ca.crt"
> 
> and later on:
> 
> accept from any for domain example.tld relay via tls://relay.example.tld pki example verify
> 
> But I am still wondering if I am doing it right. Because normally it
> should be enough to have the signing certificate and it shouldn't be
> necessary to provide the peer's cert and key or am I wrong here?
> 
> Trying to test my thesis I created two empty files: foo.pem and foo.key
> and used them in my pki statement with some astonishing result:
> 
> # smtpd -nf /etc/mail/smtpd.conf
> Segmentation fault (core dumped)
> 
> While the test is more or less stupid I wasn't expecting a segfault ;-)
> 

Are you sure you did a make clean?

$ sudo touch /etc/mail/foo.pem
$ sudo touch /etc/mail/foo.key
$ sudo smtpd -dv
debug: init ssl-tree
info: loading pki information for foo
debug: SSL library error: ssl_load_key: error:0906D06C:PEM routines:PEM_read_bio:no start line
fatal: load_pki_tree: failed to load key file
$ sudo smtpd -nf /etc/mail/smtpd.conf
fatal: load_pki_tree: failed to load key file
$


-- 
Gilles Chehade

https://www.poolp.org                                          @poolpOrg
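
The empty-file case discussed in this thread can be caught before smtpd is started. The script below is an added example, not part of the thread or of OpenSMTPD: it reads the `pki <name> certificate|key|ca "<path>"` lines quoted above and reports files that are missing, empty, or lack a PEM start line. The function names `check_pki_files` and `make_sample` and the sample files are constructed for illustration; it assumes one directive per line and paths without spaces, and it does not validate the certificate or key contents.

```shell
#!/bin/sh
# Added example (not from the thread): shallow pre-flight check of the files
# named on smtpd.conf "pki <name> certificate|key|ca <path>" lines.
# Assumes one directive per line and paths without spaces.

# Prints one line per problem file; returns 0 if every file has a PEM start line.
check_pki_files() {
    problems=$(
        awk '$1 == "pki" && ($3 == "certificate" || $3 == "key" || $3 == "ca") {
                 path = $4; gsub(/"/, "", path); print $2, $3, path }' "$1" |
        while read -r name kind path; do
            if [ ! -e "$path" ]; then
                echo "pki $name $kind: $path: missing"
            elif [ ! -s "$path" ]; then
                echo "pki $name $kind: $path: empty file"
            elif ! grep -q -e '^-----BEGIN ' "$path"; then
                echo "pki $name $kind: $path: no PEM start line"
            fi
        done
    )
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return 1
}

# Constructed sample: a temp directory with a config and placeholder files.
# foo.pem and foo.key are empty, as in the test described in the thread.
make_sample() {
    d=$(mktemp -d)
    echo '-----BEGIN CERTIFICATE-----' > "$d/relay.crt"   # header only, not a real cert
    echo '-----BEGIN PRIVATE KEY-----' > "$d/relay.key"   # header only, not a real key
    echo 'not pem' > "$d/ca.crt"
    : > "$d/foo.pem"
    : > "$d/foo.key"
    cat > "$d/smtpd.conf" <<EOF
pki example certificate "$d/relay.crt"
pki example key "$d/relay.key"
pki example ca "$d/ca.crt"
pki foo certificate "$d/foo.pem"
pki foo key "$d/foo.key"
EOF
    echo "$d"
}

sample=$(make_sample)
check_pki_files "$sample/smtpd.conf" || echo "fix the files above before running smtpd -n"
rm -rf "$sample"
```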
