Re: SSL/TLS question

2004-01-15 Thread Wil Cooley
On Wed, 2004-01-14 at 16:05, Joe Rhett wrote:
>
> Use the exact same files for the web server as for the Cyrus mail server.
> They're both using the same library.

Well, in Apache I have the following, in addition to the usual
'SSLCertificateFile' and 'SSLCertificateKeyFile' directives:

SSLCertificateChainFile /etc/httpd/conf/ssl.crt/ca-bundle-comodo.crt

Are you saying that I can just cat this file with my issued cert and
it will work just fine?  Hm... I guess I could just test this with a
test installation and some /etc/hosts entries.

> And no, the CA file is to verify client certs.  In this case you put the
> certificate and the intermediary certificate in the same file (*.cert)
> You don't need a tls_ca_file unless you are verifying client certs.
> (unlikely)

Yeah, that's what I figured; thanks for the clarification.

Wil
-- 
Wil Cooley [EMAIL PROTECTED]
Naked Ape Consulting  http://nakedape.cc
* * * * * *  Linux Services for Small Businesses  * * * * * *
* Naked Ape Consulting  http://nakedape.cc  *
* Naked Ape Business Server   http://nakedape.cc/r/smb  *
*   Easy, reliable solutions for small businesses   *




Re: SSL/TLS question

2004-01-15 Thread Wil Cooley
On Wed, 2004-01-14 at 19:03, Craig Ringer wrote:

> > He is - he's just using one signed by someone who was
> > signed by a known authority.  Nothing needs to be installed in the
> > browser.
>
> OK - I must've misunderstood his initial email.

Yes, on re-reading my post after your initial message I realized I was
not clear (which I've found is an easy quality to have when discussing
SSL and TLS).  My cert is issued by Comodo Class 3 Security Services
CA, which was issued by the Well-Known CA GTE CyberTrust Root.

Wil
-- 
Wil Cooley [EMAIL PROTECTED]
Naked Ape Consulting  http://nakedape.cc
* * * * * *  Linux Services for Small Businesses  * * * * * *
* Naked Ape Consulting  http://nakedape.cc  *
* Naked Ape Business Server   http://nakedape.cc/r/smb  *
*   Easy, reliable solutions for small businesses   *




Re: SSL/TLS question

2004-01-14 Thread Joe Rhett
> I expect that'd do it; you'll still need to install the CA certificate
> in browsers, though. I have a similar setup, but with a CA cert
> generated in-house.
>
No you don't.  The server hands out both certificates during the
connection process. It just works ;-)

> I then install the ca cert into clients who need access. To be specific,
> I generate a client SSL certificate for them that also contains an
> embedded version of our CA cert. That way they import the CA cert when
> they install the client cert; I then just get them to authorize the CA
> cert for identifying remote hosts.

In your case it sounds like you aren't using a certificate signed by any
known authority.  He is - he's just using one signed by someone who was
signed by a known authority.  Nothing needs to be installed in the
browser.

-- 
Joe Rhett  Chief Geek
[EMAIL PROTECTED]  Isite Services, Inc.


Re: SSL/TLS question

2004-01-14 Thread Joe Rhett
On Mon, Jan 12, 2004 at 07:25:33PM -0800, Wil Cooley wrote:
> [Sorry this is a repost from a month ago; I didn't get an answer then,
> but maybe my timing is better now.]
>
> For my web server, I use a certificate from Comodo which is very
> inexpensive by comparison with Thawte/Verisign certs, but it requires
> installation of an intermediary key for most browsers to be happy with
> it.  It's not difficult with Apache and mod_ssl; I'm wondering if it
> will work with Cyrus, perhaps using the 'tls_ca_file'?  The docs are a
> little sparse (and Comodo doesn't provide explicit instructions like it
> does for mod_ssl) and my understanding of SSL/TLS is a bit limited.
>
Use the exact same files for the web server as for the Cyrus mail server.
They're both using the same library.

And no, the CA file is to verify client certs.  In this case you put the
certificate and the intermediary certificate in the same file (*.cert).
You don't need a tls_ca_file unless you are verifying client certs.
(unlikely)

-- 
Joe Rhett  Chief Geek
[EMAIL PROTECTED]  Isite Services, Inc.
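
What Joe's advice amounts to in practice, as an added example that is not part of the thread: the script below generates a throwaway root, intermediate and server certificate (all names constructed), concatenates the server cert and the intermediate in the order a tls_cert_file (or SSLCertificateChainFile) needs, and uses openssl verify to show that a client trusting only the root fails on the server cert alone but succeeds once the intermediate is appended.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the combined certificate
# file Cyrus' tls_cert_file expects (issued cert first, intermediate after it)
# and checks offline that a root-only client can complete the chain. The CA
# and host names are constructed; a throwaway PKI is generated locally.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

q() { "$@" >/dev/null 2>&1; }   # run quietly; set -e still aborts on failure

make_demo_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:imap.example.test\n' > leaf.ext
  # Self-signed root: the "well-known CA" that clients already trust.
  q openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -keyout root.key -out root.pem -subj "/CN=Demo Root CA"
  # Intermediate CA, signed by the root (the part the vendor tells you to install).
  q openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout int.key -out int.csr -subj "/CN=Demo Intermediate CA"
  q openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 30 -sha256 -extfile ca.ext -out int.pem
  # Server certificate, signed by the intermediate, as the vendor would issue it.
  q openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout imap.key -out imap.csr -subj "/CN=imap.example.test"
  q openssl x509 -req -in imap.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 30 -sha256 -extfile leaf.ext -out imap.pem
}

# The file to point tls_cert_file at: server cert first, then the intermediate.
# The server sends it as-is, so the order matters. No tls_ca_file is needed
# here: that setting only matters when the server verifies client certs.
build_chain_file() { cat imap.pem int.pem > imap-chain.pem; }

# Verify as a root-only client would: $1 = server cert, $2 = file supplying
# untrusted intermediates (what the server presents), $3 = the trusted root.
# Prints "ok" when the chain completes and "incomplete" when it does not.
check_chain() {
  if openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1; then
    echo ok
  else
    echo incomplete
  fi
}

make_demo_pki
build_chain_file
echo "server cert alone:          $(check_chain imap.pem imap.pem root.pem)"       # incomplete
echo "server cert + intermediate: $(check_chain imap.pem imap-chain.pem root.pem)" # ok
```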


Re: SSL/TLS question

2004-01-14 Thread Craig Ringer
Joe Rhett wrote:
> > I expect that'd do it; you'll still need to install the CA certificate
> > in browsers, though. I have a similar setup, but with a CA cert
> > generated in-house.
>
> No you don't.  The server hands out both certificates during the
> connection process. It just works ;-)

That appears to depend on the client - it certainly doesn't work with
Mozilla, and Eudora needs some manual steps that the users seem to have
trouble with. OTOH, it _shouldn't_ work automatically; the cert is no
more inherently trustworthy than any random one somebody has generated.

> In your case it sounds like you aren't using a certificate signed by any
> known authority.

Indeed.

> He is - he's just using one signed by someone who was
> signed by a known authority.  Nothing needs to be installed in the
> browser.

OK - I must've misunderstood his initial email.

Craig Ringer



Re: SSL/TLS question

2004-01-14 Thread Craig Ringer
Craig Ringer wrote:
> That appears to depend on the client - it certainly doesn't work with
> Mozilla, and Eudora needs some manual steps that the users seem to have
> trouble with. OTOH, it _shouldn't_ work automatically; the cert is no
> more inherently trustworthy than any random one somebody has generated.

Note: I was referring only to situations where the CA cert is not 
already built into the browser. Otherwise, of course, everything will 
just work with no fuss as you say.

Craig Ringer



SSL/TLS question

2004-01-12 Thread Wil Cooley
[Sorry this is a repost from a month ago; I didn't get an answer then,
but maybe my timing is better now.]

For my web server, I use a certificate from Comodo which is very
inexpensive by comparison with Thawte/Verisign certs, but it requires
installation of an intermediary key for most browsers to be happy with
it.  It's not difficult with Apache and mod_ssl; I'm wondering if it
will work with Cyrus, perhaps using the 'tls_ca_file'?  The docs are a
little sparse (and Comodo doesn't provide explicit instructions like it
does for mod_ssl) and my understanding of SSL/TLS is a bit limited.

Wil
-- 
Wil Cooley [EMAIL PROTECTED]
Naked Ape Consulting  http://nakedape.cc
* * * * Linux, UNIX, Networking and Security Solutions * * * *
* Naked Ape Consulting   http://nakedape.cc  *
* Contract Sys Admin   http://nakedape.cc/r/csa  *




Re: SSL/TLS question

2004-01-12 Thread Craig Ringer
Wil Cooley wrote:
> [Sorry this is a repost from a month ago; I didn't get an answer then,
> but maybe my timing is better now.]
>
> For my web server, I use a certificate from Comodo which is very
> inexpensive by comparison with Thawte/Verisign certs, but it requires
> installation of an intermediary key for most browsers to be happy with
> it.  It's not difficult with Apache and mod_ssl; I'm wondering if it
> will work with Cyrus, perhaps using the 'tls_ca_file'?  The docs are a
> little sparse (and Comodo doesn't provide explicit instructions like it
> does for mod_ssl) and my understanding of SSL/TLS is a bit limited.

I expect that'd do it; you'll still need to install the CA certificate 
in browsers, though. I have a similar setup, but with a CA cert 
generated in-house.

My imapd.conf contains:

tls_ca_file: /var/imap/ssl/ca.pem
tls_cert_file: /var/imap/ssl/mail.postnewspapers.com.au_cert.pem
tls_key_file: /var/imap/ssl/mail.postnewspapers.com.au_key.pem
- the filenames are somewhat self-explanatory (though your key and cert
may be combined into one file).

I then install the ca cert into clients who need access. To be specific, 
I generate a client SSL certificate for them that also contains an 
embedded version of our CA cert. That way they import the CA cert when 
they install the client cert; I then just get them to authorize the CA 
cert for identifying remote hosts.

Craig Ringer



SSL/TLS question

2003-12-10 Thread Wil Cooley

For my web server, I use a certificate from Comodo which is very
inexpensive by comparison with Thawte/Verisign certs, but it requires
installation of an intermediary key for most browsers to be happy with
it.  It's not difficult with Apache and mod_ssl; I'm wondering if it
will work with Cyrus, perhaps using the 'tls_ca_file'?  The docs are a
little sparse (and Comodo doesn't provide explicit instructions like it
does for mod_ssl) and my understanding of SSL/TLS is a bit limited.

Wil
-- 
Wil Cooley [EMAIL PROTECTED]
Naked Ape Consulting  http://nakedape.cc
* * * * * *  Linux Services for Small Businesses  * * * * * *
*   Easy, reliable solutions for small businesses   *
*Naked Ape Business Server http://nakedape.cc/r/sms *

