On Tue, 23 Feb 2010, Sabahattin Gucukoglu wrote:

> On 23 Feb 2010, at 17:06, Sabahattin Gucukoglu wrote:
> On 23 Feb 2010, at 15:40, Davide Libenzi wrote:
> > On Tue, 23 Feb 2010, Sabahattin Gucukoglu wrote:
> >>> I'm afraid I overlooked something: certificate chains in server.cert. I
> >>> add multiple PEM-encoded certificates together, but XMail only presents
> >>> one of them, the top-most. How can I provide my certificate followed by
> >>> an intermediate CA certificate, whose signer is known to OS trust roots?
> >>>
> >>> In case you're wondering, the cert is from startcom.org.
> >>
> >> A certificate itself, already contains a chain. So you set your cert as
> >> server.cert, and add (if not already there) your roots into the "certs"
> >> subdirectory:
> >>
> >> http://www.xmailserver.org/Readme.html#ssl_configuration
> >
> > My certificate is signed by an intermediate CA which is signed by the root
> > that everybody trusts. So I have to send to remotely connecting peers a
> > valid chain containing my cert and then the intermediate and they can check
> > that the signer of the intermediate is trustable. The SslUseCertsDir seems
> > to just be used for client verification, that I do not need, I only want to
> > present a server cert (I don't know any client that supports supplying a
> > client cert, actually). The usual way to do it is to cat together all the
> > pems in the chain, cert followed by signer followed by signer ... and that
> > works for my web server and stunnel, both using OpenSSL. But it doesn't
> > seem to work for XMail.
>
> I found it: XMail is using SSL_CTX_use_certificate_file, when it wants
> to use SSL_CTX_use_certificate_chain_file. That will give you the
> behaviour you should have and what I needed. Please consider that for
> the next version. For now I'll just disable STARTTLS in SMTP so remote
> peers don't try using it and get a broken, unverifiable cert.

Will do, thanks.

- Davide
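
The difference identified in the thread, seen from the verifying peer's side, as an added example that is not part of the original messages or XMail's code: it builds a constructed root, intermediate and leaf, concatenates leaf and intermediate into `server.cert`, and checks whether a peer trusting only the root can verify when it receives just the first certificate versus the whole bundle. All subjects, file names and the helper functions `make_demo_pki` and `peer_can_verify` are assumptions made for the illustration; it needs the `openssl` command-line tool.

```shell
#!/bin/sh
# Added example, not from the thread. Subjects, file names and the PKI are constructed.

# make_demo_pki DIR: build root -> intermediate -> leaf, then write DIR/server.cert
# the way the thread describes: leaf PEM first, intermediate PEM appended with cat.
make_demo_pki() {
    d=$1
    printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' 'commonName = unused' \
        '[v3_ca]' 'basicConstraints = critical,CA:TRUE' \
        '[v3_leaf]' 'basicConstraints = CA:FALSE' > "$d/x.cnf"
    openssl req -x509 -config "$d/x.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
        -keyout "$d/root.key" -out "$d/root.pem" -subj '/CN=Constructed Root' \
        -days 2 2>/dev/null || return 1
    for who in int leaf; do
        openssl req -new -config "$d/x.cnf" -newkey rsa:2048 -nodes \
            -keyout "$d/$who.key" -out "$d/$who.csr" \
            -subj "/CN=constructed-$who" 2>/dev/null || return 1
    done
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/x.cnf" -extensions v3_ca -days 2 \
        -out "$d/int.pem" 2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -extfile "$d/x.cnf" -extensions v3_leaf -days 2 \
        -out "$d/leaf.pem" 2>/dev/null || return 1
    cat "$d/leaf.pem" "$d/int.pem" > "$d/server.cert"
}

# peer_can_verify ROOT BUNDLE MODE: can a peer that trusts only ROOT build a path?
#   leaf  = peer is sent only the first certificate in BUNDLE
#           (SSL_CTX_use_certificate_file loads just that one)
#   chain = peer is sent every certificate in BUNDLE
#           (SSL_CTX_use_certificate_chain_file loads the rest as the chain)
peer_can_verify() {
    if [ "$3" = chain ]; then
        # "openssl verify" checks the first cert in the file; -untrusted offers
        # the whole bundle as candidate intermediates, like a received chain.
        openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

demo_dir=$(mktemp -d) && make_demo_pki "$demo_dir" || exit 1
for mode in leaf chain; do
    if peer_can_verify "$demo_dir/root.pem" "$demo_dir/server.cert" "$mode"
    then echo "$mode: peer verifies the server certificate"
    else echo "$mode: peer cannot verify (issuer certificate missing)"
    fi
done
```

Running the same two `openssl verify` commands against a real `server.cert` and the CA's published root confirms whether the bundle is ordered and complete before it is deployed.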
