Re: Pine and CA certificates
- From: Mark Crispin <MRC@xxxxxxxxxxxxxxxxxx>
- Date: Fri, 23 Mar 2007 16:40:39 -0700
On Fri, 23 Mar 2007, Steve Thompson wrote:
If OpenSSL has the "wrong" path, why not rebuild OpenSSL to have the "right" path?

Ah, because we need to use the OpenSSL that comes with the O/S. I don't have the option to change that. Too many systems. Pine is installed in a shared file system; it would have been nice for the CA certificate that signed the IMAP server's certificate to have been there too.
So, instead of reconfiguring OpenSSL once and being done with it, you instead want to reconfigure every application program that uses OpenSSL?
That seems to be a lot of work to avoid a small amount of work.
Or, why not just take the easy route, and use OpenSSL's standard path for the CA certificates?
So, what does the SSLCERTS variable at pine build time do?
SSLCERTS are the IMAP server certificates, and SSLKEYS are the IMAP server private keys. Both of these are different from the CA certificates, although it is alright to have SSLCERTS point to the CA certificate directory.
You don't want the SSLKEYS directory to be the same as the CA certificate directory, since only a file protection stands between that key and a hacker who could do bad things with it.
But since pine is not calling SSL_CTX_load_verify_locations(), that's perhaps not surprising. I could of course answer this myself by reading the sources.
The c-client library used in Alpine has this functionality (the old version in Pine does not), although I suspect that Alpine doesn't take advantage of it yet.
What's also surprising is that I've been installing and using pine for over 10 years, and this is the first time I've encountered this issue!
Most people just use the OpenSSL standard CA certificate directory, or they rebuild OpenSSL so that its standard CA certificate directory is what they want it to be.
If OpenSSL is a shared library on your system, just rebuilding it automatically changes it for all applications.
-- Mark --
http://staff.washington.edu/mrc
Science does not emerge from voting, party politics, or public debate.
Si vis pacem, para bellum.
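
The separation described above between the private-key directory (SSLKEYS) and the CA certificate directory can be checked mechanically. The following is an added example, not part of the original message or of Pine/c-client; the function name `audit_ssl_dirs` and the directory arguments are assumptions to be replaced with the paths used on the system being checked.

```shell
#!/bin/sh
# audit_ssl_dirs KEYS_DIR CA_DIR   (hypothetical helper, not from Pine/c-client)
# Prints one line per finding. Returns 0 if clean, 1 on findings,
# 2 if a directory cannot be entered.
audit_ssl_dirs() {
    keys_dir=$1
    ca_dir=$2
    rc=0

    # Resolve to physical paths so a symlink alias of the same directory is caught.
    keys_real=$(cd "$keys_dir" 2>/dev/null && pwd -P) || {
        echo "MISSING: $keys_dir"; return 2; }
    ca_real=$(cd "$ca_dir" 2>/dev/null && pwd -P) || {
        echo "MISSING: $ca_dir"; return 2; }

    # The key directory must not double as the CA certificate directory:
    # CA certificates are meant to be readable by everyone, private keys are not.
    if [ "$keys_real" = "$ca_real" ]; then
        echo "SHARED: key directory is also the CA directory: $keys_real"
        rc=1
    fi

    # Key files with any group/other permission bit set.
    loose=$(find "$keys_real" -type f \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
    if [ -n "$loose" ]; then
        echo "$loose" | sed 's/^/LOOSE-KEY-FILE: /'
        rc=1
    fi

    # Key directories writable by group or other (keys could be replaced).
    wdirs=$(find "$keys_real" -type d \( -perm -020 -o -perm -002 \) -print)
    if [ -n "$wdirs" ]; then
        echo "$wdirs" | sed 's/^/WRITABLE-KEY-DIR: /'
        rc=1
    fi

    return $rc
}

# Run directly as: sh audit.sh KEYS_DIR CA_DIR
if [ $# -eq 2 ]; then
    audit_ssl_dirs "$1" "$2"
fi
```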