This year, my site has begun having problems with our Verisign SSL
certificates. It began with the cert we acquired from Verisign in March,
which was signed by a new, never-before-seen CA certificate. (Verisign
has published the "intermediate CA certificate" on their web site; this
is not at issue.) Our IMAP clients rejected our server cert because
they didn't acknowledge authority of the new signing cert -- our
site certificate had no connection to their certificate cache.

With IMAP (WU imapd), we solved this by including the intermediate CA
cert with the server cert in the PEM file that IMAP loads our server
cert from. The clients now receive two certs with each connection: the
server cert, and its signer, which is in turn signed by a cert in their
certificate cache, and thus trustworthy.

(We have a large user population, and we don't control all client
workstations, so we can't just update all client CA caches.)

This tactic doesn't seem to work with Qpopper, even though we're using
OpenSSL with both wu-imapd and qpopper. With the Verisign intermediate
CA cert first in the tls-server-cert-file, the tls-private-key-file
cannot decrypt our certificate -- understandably. And with the Verisign
cert after our server cert, it seems to go undetected, and not delivered
to the client. Does anyone have any suggestions on how to achieve the
same effect with qpopper? Will I need to patch?

-- 
 -D.    [EMAIL PROTECTED]        NSIT    University of Chicago
      When using any driving directions or map, it's a good idea to do a
      reality check and make sure the road still exists, watch out for
      construction, and follow all traffic safety precautions.
