On Tue, 28 Jan 2003, Paul Christie wrote:

> imap 2.0.17, openssl 0.9.6d
> Clients (Pine, Mulberry) connecting using STARTTLS generate messages like
> the one below. So it looks as though the server is looking for local
> certificates. SSL connections cause no such error message.
> All seems to work but I would like to know why this happens. Since there
> seems to be very little correspondence on this I suspect I have configured
> something incorrectly. Anyone else seen this?
> imapd[17369]: [ID 432150 local6.error] TLS engine: No CA file specified.
> Client side certs may not work

I get this one constantly; it's Mostly Harmless.

If the client machine was to provide a cert that would normally facilitate authentication (ie, instead of using a password you were using client-side certs, signed by your own CA or by a higher authority), then Cyrus would need to have a copy of the signer's cert (the CA file) in order to verify the signature. Since you're probably using STARTTLS (and/or SSL) simply for encryption, you don't really care if the client sends a cert, and you wouldn't authenticate against it anyway, so the fact that Cyrus can't verify a client's cert is no big deal.

Interestingly, I had tried to set this up properly with 2.1.11, using the ca-bundle that comes with RedHat 8.0's openssl RPM, and the TLS engine would fail every time I used STARTTLS on a connection (but SSL worked just fine). Confused the hell outta me until I removed the offending line from the config file, and just let it keep complaining about not having a CA file.

-- 
Steve Huston - Unix Systems Administrator, Dept. of Astrophysical Sciences
  Princeton University  |    ICBM Address: 40.346525   -74.651285
    126 Peyton Hall     |"On my ship, the Rocinante, wheeling through
  Princeton, NJ   08544 | the galaxies; headed for the heart of Cygnus,
    (609) 258-7375      | headlong into mystery."  -Rush, 'Cygnus X-1'
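
Added example, not part of the original message or of Cyrus: why a server needs the signer's certificate before it can check a client certificate, shown with the openssl command line. The CA and client names are constructed for the demo, and `openssl verify` stands in here for the check a server's TLS engine would make.

```shell
#!/bin/sh
# Added illustration; every name and file below is constructed for the demo.

# Build a throwaway CA and a client certificate signed by it, inside $1.
make_demo_pki() {
    d=$1
    # Self-signed CA certificate: the "signer's cert" a server would be given.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    # Client key and signing request.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-client" \
        -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null || return 1
    # The CA signs the client's request.
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/client.pem" 2>/dev/null || return 1
}

# Report whether client.pem in $1 chains to a trusted CA.
# $2 = "with-ca": trust the demo ca.pem; anything else: demo CA not supplied.
check_client_cert() {
    d=$1
    if [ "$2" = "with-ca" ]; then
        out=$(openssl verify -CAfile "$d/ca.pem" "$d/client.pem" 2>&1) || true
    else
        out=$(openssl verify "$d/client.pem" 2>&1) || true
    fi
    # Decide from the tool's output rather than its exit status.
    case $out in
        *": OK"*) echo verified ;;
        *)        echo unverifiable ;;
    esac
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_demo_pki "$tmp" || { rm -rf "$tmp"; return 1; }
    echo "CA file supplied: $(check_client_cert "$tmp" with-ca)"
    echo "no CA file:       $(check_client_cert "$tmp" none)"
    rm -rf "$tmp"
}

demo
```

The same client certificate is accepted or rejected depending only on whether the verifier holds the issuing CA's certificate, which is the situation the log message warns about.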