Perhaps counterintuitively, IO::Socket::SSL expects that multi-step SSL
cert chains must have the intermediate certs in the SSL_cert_file
path and not the SSL_ca_file path.  Add documentation on this point,
and a way of verifying cert configuration since most MTAs won't be
at all helpful in diagnosing SSL verification errors.

-- 
Devin  \ aqua(at)devin.com, IRC:Requiem; http://www.devin.com
Carraway \ 4096R/9197B5F9: 9C64 37CD 1B7B 029D 0933  49EA 1E52 7672 9197 B5F9
commit f49a266b76ee8c539a3bbed68c3d65f8cdba6593
Author: Devin Carraway <g...@devin.com>
Date:   Thu Jun 5 23:53:51 2014 -0700

    Expand the tls plugin's documentation regarding certificate chains and testing.

diff --git a/plugins/tls b/plugins/tls
index b690eb6..6e1a20c 100644
--- a/plugins/tls
+++ b/plugins/tls
@@ -14,7 +14,13 @@ tls [B<cert_path priv_key_path ca_path>]
 
 =item B<cert_path>
 
-Path to the server certificate file. Default: I<ssl/qpsmtpd-server.crt>
+Path to the server certificate file.  This file should include
+both the server's own certificate and those of any intermediate
+(non-root) certificate authorities in the cert chain.  If a chain
+of multiple certificates is given here, the file must be in PEM
+format; if only one cert is given, DER format is also acceptable.
+
+Default: I<ssl/qpsmtpd-server.crt>
 
 =item B<priv_key_path>
 
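Review bot: the new B<cert_path> text should also state the required ordering of the certificates in the file, because a chain file is read with the server's own certificate first, followed by each intermediate in order toward the root; an operator who concatenates the files in the other order will get a chain that clients reject with no hint from the MTA. Suggest adding, after "in the cert chain.", a sentence such as "The server's own certificate must come first, followed by the intermediate certificates in chain order." It would also help to say explicitly that the root CA certificate does not belong in this file, since that is the distinction the commit message is trying to make.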
@@ -22,7 +28,7 @@ Path to the private key file. Default: I<ssl/qpsmtpd-server.key>
 
 =item B<ca_path>
 
-Path to the certificate authority file. Default: I<ssl/qpsmtpd-ca.crt>
+Path to the root certificate authority file. Default: I<ssl/qpsmtpd-ca.crt>
 
 =back
 
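Review bot: changing "certificate authority file" to "root certificate authority file" still leaves the reader without the key point from the commit message, namely that intermediate certificates must not be placed here and go in B<cert_path> instead. Suggest extending the B<ca_path> entry with a sentence along the lines of "Intermediate CA certificates do not belong in this file; see B<cert_path>." so the two entries cross-reference each other and the common misconfiguration is named where people will look for it.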
@@ -57,6 +63,13 @@ ciphers at L<http://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS>,
 and put a suitable string in config/tls_ciphers (e.g. "DEFAULT" or
 "HIGH:MEDIUM")
 
+=head1 TESTING
+
+To verify correct configuration and certificate structure, after enabling
+the plugin one can use this command to test negotiation and authentication:
+
+  openssl s_client -CApath /etc/ssl/certs -starttls smtp -connect mailhost:25
+
 =cut
 
 use IO::Socket::SSL 0.98; # qw(debug1 debug2 debug3 debug4);
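Review bot: the TESTING section gives the command but not what a correct result looks like, so a reader still cannot tell success from failure. Suggest stating that the output should end with "Verify return code: 0 (ok)" and that the "Certificate chain" listing near the top shows which certificates the server actually sent, which is the quickest way to see whether the intermediates from B<cert_path> are being presented. Two smaller points in the same hunk: I</etc/ssl/certs> is a distribution-specific location and the note should say that the path to the local trust store may differ (or offer -CAfile as an alternative), and I<mailhost:25> should be identified as a placeholder for the server's own hostname and port.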
