
Re: 2.1.22 not accepting self-signed SSL cert



adamtheo@theoretic.com wrote:

TLSCertificateFile      /site/theoretic/ssl/key.pem
TLSCertificateKeyFile   /site/theoretic/ssl/key.pem
TLSCACertificateFile    /site/theoretic/ssl/key.pem
TLSCipherSuite HIGH:+MEDIUM:!LOW
TLSVerifyClient never

Maybe someone else has answered already - I'm a modem-occasional subscriber - but this is wrong. You have to keep to the rules and have separate public, key and CA cert files.


The (extra jolly) good reason for this, to my feeble mind, is that the server private key file has to be kept *secret*, while the public key has to be published and the CA cert file has to be readable by all clients + the server. Your method would defeat this end. Even if what you were doing were possible (à la Exim, Courier IMAPD etc.) it would be a glaring security hole and render the whole point of security via certs pointless.

--Tonni

--
Tony Earnshaw

Do not CC me or your mail will probably be rejected.
I don't like this, either. Blame it on Swen and a slow
Internet connection.

http://www.billy.demon.nl
Mail: billy-at-billy.demon.nl
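The two points the reply makes, that the certificate, private key and CA certificate must be three separate files and that the private key has to stay secret, can be checked mechanically. The following is an added example written for this page, not code from the thread or from the OpenLDAP project: a POSIX shell lint that reads the TLS* directives from an slapd.conf excerpt, verifies that the three paths differ, and checks that the key file carries no permission bits for "other". The directive names are the ones quoted above; the corrected file names, both config excerpts and the temporary key file are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original thread: a small lint for the TLS*
# directives in an slapd.conf excerpt, checking the two points the reply makes:
# the certificate, private key and CA certificate must be three separate files,
# and the private key file must not be readable by other users.
# The directive names are the ones quoted in the thread; the config excerpts
# and the temporary key file below are constructed for this example.

# tls_value CONFIG_TEXT DIRECTIVE: print the value of DIRECTIVE (empty if unset)
tls_value() {
    printf '%s\n' "$1" | awk -v d="$2" '$1 == d { v = $2 } END { print v }'
}

# check_distinct CONFIG_TEXT: succeed only if all three directives are set
# and point at three different paths
check_distinct() {
    cert=$(tls_value "$1" TLSCertificateFile)
    key=$(tls_value "$1" TLSCertificateKeyFile)
    ca=$(tls_value "$1" TLSCACertificateFile)
    [ -n "$cert" ] && [ -n "$key" ] && [ -n "$ca" ] || return 1
    [ "$cert" != "$key" ] && [ "$cert" != "$ca" ] && [ "$key" != "$ca" ]
}

# key_is_private PATH: succeed only if the file exists and "other" has no
# permission bits (columns 8-10 of ls -l, portable across stat flavours)
key_is_private() {
    [ -f "$1" ] || return 1
    others=$(ls -ld "$1" | cut -c8-10)
    [ "$others" = "---" ]
}

# Constructed sample: the configuration quoted in the thread
BAD_CONF='TLSCertificateFile      /site/theoretic/ssl/key.pem
TLSCertificateKeyFile   /site/theoretic/ssl/key.pem
TLSCACertificateFile    /site/theoretic/ssl/key.pem
TLSCipherSuite HIGH:+MEDIUM:!LOW
TLSVerifyClient never'

# Constructed sample: the same server with the three files separated
# (file names are assumptions for the example)
GOOD_CONF='TLSCertificateFile      /site/theoretic/ssl/server-cert.pem
TLSCertificateKeyFile   /site/theoretic/ssl/server-key.pem
TLSCACertificateFile    /site/theoretic/ssl/ca-cert.pem
TLSCipherSuite HIGH:+MEDIUM:!LOW
TLSVerifyClient never'

# lint_conf CONFIG_TEXT: print one line per finding; succeed if there are none
lint_conf() {
    rc=0
    if ! check_distinct "$1"; then
        echo "FAIL: TLSCertificateFile, TLSCertificateKeyFile and TLSCACertificateFile must be three separate files"
        rc=1
    fi
    key=$(tls_value "$1" TLSCertificateKeyFile)
    # the permission check only applies when the key file actually exists
    if [ -n "$key" ] && [ -f "$key" ] && ! key_is_private "$key"; then
        echo "FAIL: private key $key is readable by other users"
        rc=1
    fi
    return $rc
}

echo "== quoted config =="; lint_conf "$BAD_CONF" || true
echo "== corrected config =="; lint_conf "$GOOD_CONF" && echo "OK"

# Demonstrate the permission check on a constructed temporary key file
demo_key=$(mktemp) && chmod 644 "$demo_key"
key_is_private "$demo_key" || echo "FAIL: $demo_key is world-readable (mode 644); use chmod 600"
chmod 600 "$demo_key" && key_is_private "$demo_key" && echo "OK: $demo_key is now owner-only"
rm -f "$demo_key"
```

The lint keeps the two checks separate on purpose: the distinct-paths check can run on a config file copied off the server, while the permission check needs the key file itself and therefore runs only when that path exists on the machine doing the check.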