Hi Andy,

Right now I'm trying to solve the problem of why I see the "unable to get local issuer certificate" messages when running the openssl s_client command. I'm not that familiar with ssl (or imap) and I don't know if this is normal or not, or if ssl is working properly. Comodo sent an intermediate CA certificate along with the signed ssl certificate, that I don't know what to do with.

Thanks,
Nicole

>>> Andrew Morgan <[EMAIL PROTECTED]> 09/26/05 5:11 PM >>>
On Mon, 26 Sep 2005, Nicole Skyrca wrote:

> Hi Cristian,
>
>> usually if the server has SSL/TLS capability it advertises that in
>> the response to the 'capability' IMAP command:
>
> We have telnet disabled so I can't try this.
>
>> try to remove the password from the certificate key file,
>> just as easy as :
>> openssl rsa -in imap-server.key -out imap-server.noPass.key
>> If it asks for a password, then just press enter.
>
> I tried this, and pointed my configuration file to use the new key file
> without the password. This got me a little further. I am still seeing
> some errors like "unable to verify first certificate".
>
> The certificate that we purchased has an intermediate certificate.
> Have you ever dealt with an intermediate certificate before? I tried to
> replace the tls_ca_file value with a file containing that intermediate
> certificate that I received with the signed certificate, and I didn't see
> the error anymore. I don't know if that is going to cause any problems
> though.
>
> This is the error I get when tls_ca_file points to the ca_bundle
> file that comes with openssl.
>
> [EMAIL PROTECTED] certs]# openssl s_client -connect imap1:993
> CONNECTED(00000003)
> depth=0 /C=US/2.5.4.17=13244/ST=NY/L=Syracuse/2.5.4.9=250 A Machinery
> Hall/O=Syracuse University/OU=CMS/OU=InstantSSL/CN=imap1
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 /C=US/2.5.4.17=13244/ST=NY/L=Syracuse/2.5.4.9=250 A Machinery
> Hall/O=Syracuse University/OU=CMS/OU=InstantSSL/CN=imap1
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 /C=US/2.5.4.17=13244/ST=NY/L=Syracuse/2.5.4.9=250 A Machinery
> Hall/O=Syracuse University/OU=CMS/OU=InstantSSL/CN=imap1
> verify error:num=21:unable to verify the first certificate
> verify return:1
>
> This is what I get when I replace tls_ca_file with the intermediate
> certificate:
>
> [EMAIL PROTECTED] certs]# openssl s_client -connect imap:993
> CONNECTED(00000003)
> depth=2 /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions,
> Inc./CN=GTE CyberTrust Global Root
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> ---
>
> Thank you so much for your suggestions.

What is the actual problem you are trying to solve?

I have an SSL certificate signed by Thawte that I am using with Cyrus IMAP. It gives me the same messages as you when I use "openssl s_client" against it, but everything is working fine for me.

Sorry if I missed earlier parts of this thread.

Andy

----
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
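
Added example, not part of the original thread and not written by any of its participants: OpenSSL reports verify error 20 ("unable to get local issuer certificate") when it cannot find the certificate that issued the one it is checking. The script below reproduces that with a throwaway three-level chain, then shows the same leaf verifying once the intermediate is supplied as a chain certificate. All certificate names, file names and the `demo.cnf` config are constructed for the example.

```shell
#!/bin/sh
# Constructed demo chain: demo-root -> demo-inter -> demo-leaf.
# All names and files are made up for this example; nothing comes from the thread.

build_chain() {   # $1 = empty working directory
    cat > "$1/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[v3_ca]
basicConstraints = critical, CA:TRUE
EOF
    # One key and one CSR per certificate.
    for n in root inter leaf; do
        openssl req -new -newkey rsa:2048 -nodes -config "$1/demo.cnf" \
            -subj "/CN=demo-$n" -keyout "$1/$n.key" -out "$1/$n.csr" \
            2>/dev/null || return 1
    done
    # Self-signed root; intermediate signed by root; leaf signed by intermediate.
    openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -days 2 \
        -extfile "$1/demo.cnf" -extensions v3_ca -out "$1/root.pem" 2>/dev/null &&
    openssl x509 -req -in "$1/inter.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
        -set_serial 2 -days 2 -extfile "$1/demo.cnf" -extensions v3_ca \
        -out "$1/inter.pem" 2>/dev/null &&
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/inter.pem" -CAkey "$1/inter.key" \
        -set_serial 3 -days 2 -out "$1/leaf.pem" 2>/dev/null
}

# Verifier trusts the root but is never given the intermediate.
verify_without_intermediate() {
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" 2>&1
}

# Same trust anchor; the intermediate is supplied as an untrusted chain
# certificate, which is what a server does when it sends its full chain.
verify_with_intermediate() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/inter.pem" "$1/leaf.pem" 2>&1
}

demo_dir=$(mktemp -d)
build_chain "$demo_dir" || { echo "openssl failed to build the demo chain" >&2; exit 1; }
echo "--- root trusted, intermediate missing:"
verify_without_intermediate "$demo_dir" || true
echo "--- root trusted, intermediate supplied:"
verify_with_intermediate "$demo_dir"
rm -rf "$demo_dir"
```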