Re: Debian Woody -> Sarge upgrade report
On Mon, May 16, 2005 at 11:21:12AM -0400, Roberto C. Sanchez wrote:
> Quoting Jonathan McDowell <firstname.lastname@example.org>:
> >On Mon, May 16, 2005 at 09:27:23AM -0400, Roberto C. Sanchez wrote:
> >>Jonathan McDowell wrote:
> >>> Hmmmm. I run with my own CA signed cert and had no problems with a
> >>> Woody -> Sarge upgrade of sslwrap on Friday. Can you send me your
> >>> /etc/sslwrap/debian_conf and the output of
> >>> "grep sslwrap /etc/inetd.conf" (assuming you're running it from inetd)?
> >>Did you want to see what they looked like before or after the upgrade?
> >Both, if possible. Whatever you've got easily would be a good start
[both the same and as follows:]
> # grep sslwrap inetd.conf
> ssmtp stream tcp nowait root /usr/sbin/tcpd /usr/sbin/sslwrap -cert /etc/ssl/server_key_and_cert.pem -addr 127.0.0.1 -port 25
> imaps stream tcp nowait root /usr/sbin/tcpd /usr/sbin/sslwrap -cert /etc/ssl/server_key_and_cert.pem -addr 127.0.0.1 -port 143
> ports="imaps, ssmtp"
> I no longer have sslwrap installed since postfix-tls now properly grabs port
> 465 without dying and cyrus21 supports imaps (though last night I switched
> to courier, which also natively does imaps).
Yes, these days sslwrap is thankfully not so necessary as applications
are now able to link against the crypto code themselves.
> The problem, if you refer to my original mail, is that something about
> the CA was confusing sslwrap, which I believe tried to generate its
> own cert.
Is your root cert installed into the openssl framework (i.e. plumbed into
/etc/ssl/certs)? I think if that's not the case then, as you have
"check_cert" set to true, it'll fail to be able to validate the cert. I'm
surprised you haven't seen errors about this before on boot, however.
/-\ | "Bother", said Pooh, "Who put sand
|@/ Debian GNU/Linux Developer | in the Vaseline?!?".
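
The question in the reply above, whether the root cert is plumbed into /etc/ssl/certs, can be checked with `openssl verify`, which finds issuers in a CApath directory through `<subject-hash>.0` links. The script below is an added example, not part of the original mail and not sslwrap's own code; the CA, the server cert, the file names and the temporary `certs` directory standing in for /etc/ssl/certs are all constructed.

```shell
#!/bin/sh
# Added example: constructed throwaway CA and server cert, all in a temp dir.
# "$1/certs" stands in for /etc/ssl/certs; nothing on the system is touched.

make_pki() {   # $1 = work dir
    mkdir -p "$1/certs" &&
    # Self-signed root CA (constructed name, 1-day lifetime).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    # Server key and CSR, then a cert signed by the constructed CA.
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=mail.example.test" \
        -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null &&
    openssl x509 -req -days 1 -in "$1/srv.csr" \
        -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/srv.pem" 2>/dev/null
}

install_root() {   # $1 = work dir; copy the root and add its hash link
    h=$(openssl x509 -noout -hash -in "$1/ca.pem") || return 1
    cp "$1/ca.pem" "$1/certs/test-root.pem" &&
    ln -sf test-root.pem "$1/certs/$h.0"
}

chain_ok() {   # $1 = work dir; exit status 0 only if srv.pem chains to a root
    openssl verify -CApath "$1/certs" "$1/srv.pem" >/dev/null 2>&1
}

report() {     # $1 = work dir, $2 = label
    if chain_ok "$1"; then echo "$2: verifies"; else echo "$2: FAILS"; fi
}

work=$(mktemp -d) || exit 1
trap 'rm -rf "$work"' EXIT
make_pki "$work" || { echo "openssl setup failed" >&2; exit 1; }
report "$work" "root not installed"
install_root "$work"
report "$work" "root installed"
```

On a real system the same check is `openssl verify -CApath /etc/ssl/certs` against the server certificate file, and a root copied into the directory without its hash link is not found.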