
Re: Debian Woody -> Sarge upgrade report



On Mon, May 16, 2005 at 11:21:12AM -0400, Roberto C. Sanchez wrote:
> Quoting Jonathan McDowell <noodles@earth.li>:
> >On Mon, May 16, 2005 at 09:27:23AM -0400, Roberto C. Sanchez wrote:
> >>Jonathan McDowell wrote:
> >>> Hmmmm. I run with my own CA signed cert and had no problems with a
> >>> Woody -> Sarge upgrade of sslwrap on Friday. Can you send me your
> >>> /etc/sslwrap/debian_conf and the output of
> >>> "grep sslwrap /etc/inetd.conf" (assuming you're running it from inetd)?
> >>Did you want to see what they looked like before or after the upgrade?
> >
> >Both, if possible. Whatever you've got easily would be a good start
> >though.
[both the same and as follows:] 
> # grep sslwrap inetd.conf
> ssmtp   stream  tcp nowait  root    /usr/sbin/tcpd  /usr/sbin/sslwrap  -cert /etc/ssl/server_key_and_cert.pem -addr 127.0.0.1 -port 25
> imaps   stream  tcp nowait  root    /usr/sbin/tcpd  /usr/sbin/sslwrap  -cert /etc/ssl/server_key_and_cert.pem -addr 127.0.0.1 -port 143
> 
> /etc/sslwrap/debian_config:
> run_mode="inetd"
> used_addr="127.0.0.1"
> with_certificate="true"
> certfile="/etc/ssl/server_key_and_cert.pem"
> overwrite_corrupted_certfile="false"
> check_cert="true"
> ports="imaps, ssmtp"

> I no longer have sslwrap installed since postfix-tls now properly grabs port
> 465 without dying and cyrus21 supports imaps (though last night I switched
> to courier, which also natively does imaps). 

Yes, these days sslwrap is thankfully not so necessary as applications
are now able to link against the crypto code themselves.

> The problem, if you refer to my original mail, is that something about
> the CA was confusing sslwrap, which I believe tried to generate its
> own cert.
 
Is your root cert installed into the openssl framework (i.e. plumbed into
/etc/ssl/certs)? I think if that's not the case then, as you have
"check_cert" set to true, it'll fail to be able to validate the cert. I'm
surprised you haven't seen errors about this before on boot, however.

J.

-- 
/-\                             | "Bother", said Pooh, "Who put sand
|@/  Debian GNU/Linux Developer |        in the Vaseline?!?".
\-                              |
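
The check Jonathan is asking about can be reproduced with openssl directly. The script below is an added example, not code from the thread or from the sslwrap package: it creates a throwaway private CA and a server cert signed by it, shows that `openssl verify -CApath` rejects the server cert while the CA is absent from the directory, then installs the CA under its subject-hash name (what c_rehash does for /etc/ssl/certs) and shows verification succeed. The CA and host names are made up, everything lives in a scratch directory, and it is an assumption that sslwrap's check_cert does the same CApath lookup as `openssl verify`; the thread does not confirm that detail.

```shell
#!/bin/sh
# Added example, not from the thread. Reproduces the failure mode of
# validating a cert from a private CA when that CA is not "plumbed into"
# the openssl CApath directory, then shows the fix (hashed symlink).
# Assumptions: openssl is installed; names below are invented.
set -u

# make_chain DIR: create a private CA and a server cert signed by it.
make_chain() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Private CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1 || return 1
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=mail.example.test" \
        -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 1 -in "$dir/server.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/server.crt" >/dev/null 2>&1 || return 1
    # sslwrap-style combined key+cert file, like the one in the quoted inetd.conf
    cat "$dir/server.key" "$dir/server.crt" > "$dir/server_key_and_cert.pem"
}

# verify_against CAPATH CERT: succeeds only if openssl reports "<cert>: OK"
# using CAPATH as the trust directory (output is checked rather than the
# exit status, which older openssl versions did not set on failure).
verify_against() {
    openssl verify -CApath "$1" "$2" 2>&1 | grep -q ': OK$'
}

# plumb_ca CAPATH CAFILE: copy the CA in and link it under its subject hash
# (<hash>.0), which is how CApath lookups find an issuer; c_rehash does this.
plumb_ca() {
    h=$(openssl x509 -noout -hash -in "$2") || return 1
    cp "$2" "$1/$(basename "$2")" || return 1
    ln -sf "$(basename "$2")" "$1/$h.0"
}

# demo: returns 0 when verification fails before the CA is plumbed in and
# succeeds afterwards, i.e. when the check_cert-style failure is reproduced.
demo() {
    work=$(mktemp -d) || return 1
    capath="$work/certs"
    mkdir "$capath" || return 1
    make_chain "$work" || return 1
    # Before: the CA is unknown, so the server cert cannot be validated
    # ("unable to get local issuer certificate").
    if verify_against "$capath" "$work/server.crt"; then
        rm -rf "$work"; return 1
    fi
    plumb_ca "$capath" "$work/ca.pem" || return 1
    # After: the issuer is found by hash and the chain validates.
    verify_against "$capath" "$work/server.crt" || { rm -rf "$work"; return 1; }
    rm -rf "$work"
}
```

Running `demo` end to end is the whole check: if it fails at the "after" step on a real system, the CA file is in the directory but not under the hashed name openssl looks for, which is exactly the situation where a check_cert-style validation would fail even though the cert file itself is fine.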
