On 23 Feb 2010, at 15:40, Davide Libenzi wrote:
> On Tue, 23 Feb 2010, Sabahattin Gucukoglu wrote:
>> I'm afraid I overlooked something: certificate chains in server.cert. I add
>> multiple PEM-encoded certificates together, but XMail only presents one of
>> them, the top-most. How can I provide my certificate followed by an
>> intermediate CA certificate, whose signer is known to OS trust roots?
>>
>> In case you're wondering, the cert is from startcom.org.
>
> A certificate itself already contains a chain. So you set your cert as
> server.cert, and add (if not already there) your roots into the "certs"
> subdirectory:
>
> http://www.xmailserver.org/Readme.html#ssl_configuration

My certificate is signed by an intermediate CA which is signed by the root that everybody trusts. So I have to send to remotely connecting peers a valid chain containing my cert and then the intermediate, and they can check that the signer of the intermediate is trustable.

The SslUseCertsDir seems to just be used for client verification, which I do not need; I only want to present a server cert (I don't know any client that supports supplying a client cert, actually).

The usual way to do it is to cat together all the PEMs in the chain, cert followed by signer followed by signer ... and that works for my web server and stunnel, both using OpenSSL. But it doesn't seem to work for XMail.

Cheers,
Sabahattin
