You're missing the -CAfile option in s_client.

"M. Fioretti" <[EMAIL PROTECTED]> wrote:
On Wed, Jun 14, 2006 12:11:55 PM +0200, io ([EMAIL PROTECTED])
wrote:

> Hello,
>
> I am configuring a remote x86 Centos 4.3 box (running in UML) as
> personal web and email server. Openssl version is openssl-0.9.7a-43.8.
> I want it to be able to serve https pages and to securely
> forward/email to and from my home computer.
>

UPDATE: following off list suggestions from Darryl, I tried to connect
to dovecot remotely via openssl:

/usr/bin/openssl s_client -connect my.remote.server:993

and got what I pasted below, which looks to me like "certificate is
screwed/useless/incompatible??? but login succeeds anyway". That's
why I think dovecot has nothing to do with it. Any feedback still
greatly appreciated. How can I generate this certificate correctly?
What does that error mean? Which setting in openssl.cnf should be
modified?

TIA,
Marco

[EMAIL PROTECTED]:~> /usr/bin/openssl s_client -connect my.remote.server:993
CONNECTED(00000003)
depth=0 /C=IT/ST=Italy/L=Planet Earth/O=my company/OU=Management/CN=my.remote.server/[EMAIL PROTECTED]
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=IT/ST=Italy/L=Planet Earth/O=my company/OU=Management/CN=my.remote.server/[EMAIL PROTECTED]
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=IT/ST=Italy/L=Planet Earth/O=my company/OU=Management/CN=my.remote.server/[EMAIL PROTECTED]
i:/C=IT/ST=Italy/L=Planet Earth/O=my company/OU=Management/CN=my.remote.server/[EMAIL PROTECTED]

This is, for convenience, other info from my first message:

> Therefore, I have generated a certificate following, on the server,
> the procedure at
> http://wanderingbarque.com/howtos/mailserver/mailserver.html, but it
> is unusable. When I try to download email with fetchmail I get errors
> and, if I run on the server "openssl -verify -issuer_checks...." I
> get:
>
> error 30 at 0 depth lookup:authority and subject key identifier mismatch
>
> which, as far as I understand, seems to be caused by screwed settings of
> subjectKeyIdentifier and authorityKeyIdentifier in openssl.conf. But I
> have not changed them from the default:
>
> ######################################################################
> ~/geecheck/usr/share/ssl> grep -i keyidentifier openssl.cnf
> subjectKeyIdentifier=hash
> authorityKeyIdentifier=keyid,issuer:always
> subjectKeyIdentifier=hash
> authorityKeyIdentifier=keyid:always,issuer:always
> # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
> authorityKeyIdentifier=keyid:always,issuer:always
> ########################################################################
>
> What is happening? Should I change those settings? If yes, to which
> values?
>
> Another weird thing, don't know if related to this or not. When I
> generate the fingerprint on the server and on my home PC (Suse 10.1
> x86_64) I get different results. What does it mean?


--
Marco Fioretti mfioretti, at the server mclink.it
Fedora Core 3 for low memory http://www.rule-project.org/

The gifts received from the Almighty are useful when used: whoever
contemplates them enjoys them, but whoever uses them probably helps others enjoy them.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]

