Sorry about the repeated mails on that - Gmail hiccuped bad.

Anyway, I'm posting to report that I found my own solution to the
problem - I hacked the Qpopper source to use the OpenSSL function
SSL_CTX_use_certificate_chain_file() instead of
SSL_CTX_use_certificate_file().  I was then able to concatenate the
intermediate certificate from Thawte to my tls-server-cert-file.  Now
all the clients I have access to can download mail without complaining
about missing root certs.
diff:

*** pop_tls_openssl.c 
364,365c364,366
<     nErr = SSL_CTX_use_certificate_chain_file ( pTLS->m_OpenSSLctx,
<                                           pPOP->tls_server_cert_file) ;
---
>     nErr = SSL_CTX_use_certificate_file ( pTLS->m_OpenSSLctx,
>                                           pPOP->tls_server_cert_file,
>                                           SSL_FILETYPE_PEM );
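Review bot: the hunk is reversed relative to the change described: in this classic `diff` output `<` marks lines from the first file and `>` lines from the second, so as posted it reads as replacing SSL_CTX_use_certificate_chain_file() with SSL_CTX_use_certificate_file(); regenerate it as `diff old new` (or `diff -u old new`) so it applies as a patch. Two points on the call itself: SSL_CTX_use_certificate_chain_file() takes no SSL_FILETYPE_PEM argument because it reads PEM only, and it loads the first certificate in the file as the server certificate and any that follow as the chain in signing order, so the concatenation order of tls-server-cert-file matters; a file holding only the server certificate still loads, which answers the open question below about certs that need no intermediate.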

This is incomplete in that I didn't bother trying to determine if
something similar is needed for SSLPlus builds, and haven't checked to
see if this change will work with certs that don't require an
intermediate certificate.  It's a "works for me" kinda deal - I hope
it helps someone else in the future.


On Mon, 2 Aug 2004 09:56:08 -0800, Pete 'Wolfy' Hanson <[EMAIL PROTECTED]l.com> wrote:
> I have Qpopper 4.05 set with TLS/SSL on a Solaris 2.6 system and
> certificates obtained from Thawte (the SSL123 type of cert if it
> matters).  It works in conjunction with Eudora 6.1 from my Macintosh,
> but so far I've been unable to make it work with any other mail
> client, Mac or Windows based - all of them complain in various ways
> about the root certificate.  For instance, Mail.app returns
> 
>    Unable to verify SSL server xxx.myhost.com
> 
>    Mail was unable to verify the identity of this server, which has a
>    certificate issued to "xxx.myhost.com".  The error was:
> 
>    There is no root certificate for this server.
> 
> followed by a dire warning that I might be connecting to a system that
> is pretending to be "xxx.myhost.com".  If I tell Mail to ignore this
> and continue, it'll download any available mail and not complain for
> the rest of the session.  Once I quit Mail and restart it, though, it
> complains all over again.  Other mail clients follow similar patterns,
> or flat out refuse to download anything.
> 
> My config stuff contains:
> 
>      set tls-support = alternate-port
>      set tls-server-cert-file = /etc/mail/certs/cert.pem
> 
> and the cert.pem file contains both the server cert and the signed cert.
> 
> Any help will be greatly appreciated.
> 
> --
> Pete Hanson
> System Administrator
> 


-- 
Pete Hanson

http://www.well.com/user/wolfy
http://www.fotolog.net/wolfy
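To confirm from the client side what chain a POP3S server actually presents (the cause of the "no root certificate" complaints above), here is an added example that is not from the thread or from Qpopper; it assumes the openssl CLI is installed, and the host name and port are placeholders.

```shell
#!/bin/sh
# Added example: inspect the certificate chain a POP3S server sends and verify
# the leaf the way a mail client would, using only the intermediates the
# server itself supplied. Not part of Qpopper; assumes the openssl CLI.

# Count PEM certificate blocks on stdin (prints 0 rather than failing).
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----$' || true
}

# Split the presented chain into leaf.pem (first cert) and intermediates.pem
# (the rest), then verify the leaf against the system trust store.
check_pop3s_chain() {
    host="$1"; port="${2:-995}"
    tmp=$(mktemp -d) || return 1
    # -showcerts prints every certificate the server sends, leaf first.
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
        </dev/null 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
        > "$tmp/chain.pem"
    n=$(count_certs < "$tmp/chain.pem")
    echo "server presented $n certificate(s)"
    if [ "$n" -lt 2 ]; then
        echo "only the leaf was sent: clients lacking the intermediate will complain"
    fi
    # Block 1 goes to leaf.pem, blocks 2.. to intermediates.pem.
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{i++}
        { print > (i==1 ? d"/leaf.pem" : d"/intermediates.pem") }' "$tmp/chain.pem"
    if [ "$n" -ge 2 ]; then
        openssl verify -untrusted "$tmp/intermediates.pem" "$tmp/leaf.pem"
    else
        openssl verify "$tmp/leaf.pem"
    fi
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Usage (placeholder host): check_pop3s_chain pop.example.com 995
```

A verify failure here with a single presented certificate is exactly the client-side symptom described in the thread; after concatenating the intermediate the count should rise to two or more and the verify should succeed.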
