On 23 Feb 2010, at 17:06, Sabahattin Gucukoglu wrote:

> On 23 Feb 2010, at 15:40, Davide Libenzi wrote:
>
>> On Tue, 23 Feb 2010, Sabahattin Gucukoglu wrote:
>>
>>> I'm afraid I overlooked something: certificate chains in server.cert. I
>>> add multiple PEM-encoded certificates together, but XMail only presents one
>>> of them, the top-most. How can I provide my certificate followed by an
>>> intermediate CA certificate, whose signer is known to OS trust roots?
>>>
>>> In case you're wondering, the cert is from startcom.org.
>>
>> A certificate itself already contains a chain. So you set your cert as
>> server.cert, and add (if not already there) your roots into the "certs"
>> subdirectory:
>>
>> http://www.xmailserver.org/Readme.html#ssl_configuration
>
> My certificate is signed by an intermediate CA which is signed by the root that
> everybody trusts. So I have to send to remotely connecting peers a valid
> chain containing my cert and then the intermediate, and they can check that
> the signer of the intermediate is trustable. The SslUseCertsDir seems to
> just be used for client verification, which I do not need; I only want to
> present a server cert (I don't know any client that supports supplying a
> client cert, actually). The usual way to do it is to cat together all the
> PEMs in the chain, cert followed by signer followed by signer ... and that
> works for my web server and stunnel, both using OpenSSL. But it doesn't seem
> to work for XMail.
I found it: XMail is using SSL_CTX_use_certificate_file, when it wants to use
SSL_CTX_use_certificate_chain_file. That will give you the behaviour you should
have and what I needed. Please consider that for the next version. For now I'll
just disable STARTTLS in SMTP so remote peers don't try using it and get a
broken, unverifiable cert.

Cheers,
Sabahattin

_______________________________________________
xmail mailing list
[email protected]
http://xmailserver.org/mailman/listinfo/xmail
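The difference between the two OpenSSL calls, seen from the remote peer's side, as an added example that is not XMail code and not from this thread. It is written in Go so it runs without OpenSSL: a constructed root -> intermediate -> leaf PKI is generated in memory, the bundle is written in the "cert followed by signer" order, and a peer that trusts only the root tries to verify once with just the first PEM block (what SSL_CTX_use_certificate_file sends) and once with the whole bundle (what SSL_CTX_use_certificate_chain_file sends). All names and the helper functions are assumptions of this example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// mkCert issues a certificate for cn, signed by parent (self-signed when parent is nil).
func mkCert(cn string, ca bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: ca,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil { parent, pkey = tmpl, key } // self-signed root
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	if err != nil { panic(err) }
	c, _ := x509.ParseCertificate(der)
	return c, key
}
// parseBundle splits a concatenated PEM file (like server.cert) into its certificates, in file order.
func parseBundle(bundle []byte) []*x509.Certificate {
	var chain []*x509.Certificate
	for blk, rest := pem.Decode(bundle); blk != nil; blk, rest = pem.Decode(rest) {
		c, _ := x509.ParseCertificate(blk.Bytes)
		chain = append(chain, c)
	}
	return chain
}
// peerVerifies plays the remote peer: it trusts only root and must build the path from what was presented.
func peerVerifies(presented []*x509.Certificate, root *x509.Certificate) bool {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range presented[1:] { inter.AddCert(c) }
	_, err := presented[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter})
	return err == nil
}
func pemOf(c *x509.Certificate) []byte { return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw}) } // one PEM block
// Demo builds a constructed root -> intermediate -> leaf PKI and a bundle ordered "cert followed by signer".
func Demo() (firstOnlyOK, chainOK bool) {
	root, rkey := mkCert("Test Root", true, nil, nil)
	inter, ikey := mkCert("Test Intermediate", true, root, rkey)
	leaf, _ := mkCert("mail.example.com", false, inter, ikey)
	all := parseBundle(append(pemOf(leaf), pemOf(inter)...))
	return peerVerifies(all[:1], root), // SSL_CTX_use_certificate_file: only the first PEM block is sent
		peerVerifies(all, root) // SSL_CTX_use_certificate_chain_file: the whole bundle is sent
}
```

Demo returns (false, true): the leaf alone is unverifiable because the peer has no path to the root, while leaf plus intermediate verifies.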
