[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Debian Woody -> Sarge upgrade report

On Mon, May 16, 2005 at 11:21:12AM -0400, Roberto C. Sanchez wrote:
> Quoting Jonathan McDowell <noodles@earth.li>:
> >On Mon, May 16, 2005 at 09:27:23AM -0400, Roberto C. Sanchez wrote:
> >>Jonathan McDowell wrote:
> >>> Hmmmm. I run with my own CA signed cert and had no problems with a
> >>> Woody -> Sarge upgrade of sslwrap on Friday. Can you send me your
> >>> /etc/sslwrap/debian_conf and the output of
> >>> "grep sslwrap /etc/inetd.conf" (assuming you're running it from inetd)?
> >>Did you want to see what they looked like before or after the upgrade?
> >
> >Both, if possible. Whatever you've got easily would be a good start
> >though.
[both the same and as follows:] 
> # grep sslwrap inetd.conf
> ssmtp   stream  tcp nowait  root    /usr/sbin/tcpd  /usr/sbin/sslwrap  -cert
> /etc/ssl/server_key_and_cert.pem -addr -port 25
> imaps   stream  tcp nowait  root    /usr/sbin/tcpd  /usr/sbin/sslwrap  -cert
> /etc/ssl/server_key_and_cert.pem -addr -port 143
> /etc/sslwrap/debian_config:
> run_mode="inetd"
> used_addr=""
> with_certificate="true"
> certfile="/etc/ssl/server_key_and_cert.pem"
> overwrite_corrupted_certfile="false"
> check_cert="true"
> ports="imaps, ssmtp"

> I no longer have sslwrap installed since postfix-tls now properly grabs port
> 465 without dying and cyrus21 supports imaps (though last night I switched
> to courier, which also natively does imaps). 

Yes, these days sslwrap is thankfully not so necessary as applications
are now able to link against the crypto code themselves.

> The problem, if you refer to my original mail, is that something about
> the CA was confusing sslwrap, which I believe tried to generate its
> own cert.
Is your root cert installed into the openssl framework (ie plumbed into
/etc/ssl/certs)? I think if that's not the case then as you have
"check_cert" set to true it'll fail to be able to validate the cert. I'm
surprised you haven't seen errors about this before on boot however.


/-\                             | "Bother", said Pooh, "Who put sand
|@/  Debian GNU/Linux Developer |        in the Vaseline?!?".
\-                              |

Reply to: