
Re: Auto plugged off?
At Sat, 26 Jun 2010 23:05:34 -0700,
Erik Hetzner wrote:
> Here is the actual command my WL uses to connect via SSL; maybe there
> is a cert problem? (Though I think it should connect anyhow.)
> 
>   /usr/bin/openssl s_client -quiet -host <host> -port <port> -verify
>   3 -CApath /etc/ssl/certs
> 
> Check your ssl-program-name and ssl-program-arguments; do they make
> sense?

Thanks to all for their insights.  Here's what I found:

short version:
(setq ssl-certificate-verification-policy SOME_LARGER_NUMBER)

long version:
There's a disagreement between the comments in ssl.el and the s_client
manpage about the meaning of the -verify option.  The documented
behaviour of -verify N is to limit the depth of the certificate chain
to N entries and, at least on NetBSD, that seems to be the actual
behaviour.  So with the default -verify 0 the fastmail cert (which has
two extra links in its trust chain) gives a verification failure, but
-verify 2 (or more) works.  The server I was logging into successfully
was using a self-signed cert so that a depth of 0 was sufficient.

As Tatsuya Kinoshita pointed out, the verification doesn't amount to
much: the connections work fine (as long as the certificate chain is
shorter than -verify N!) even though I now realize that I have no root
CA certs installed on this machine and therefore can't possibly be
validating the certificate the server sends me.

Thanks for the help,

Ian Leroux
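The depth and trust-store behaviour discussed in this thread, as an added example that is not part of the original message and is neither Wanderlust's nor OpenSSL's own code. It builds a three-certificate chain (root, intermediate, leaf; all names such as "mail.example.test" and "Example Test Root CA" are constructed) plus an unrelated second root, then runs `openssl verify`, which applies the same X509 verification parameters that `s_client -verify N` sets, with different depth limits and trust stores. It assumes an `openssl` binary on PATH and `mktemp`; nothing touches the network.

```shell
#!/bin/sh
# Added example (not from the original thread): what openssl's verification
# depth limit and trust store do to a leaf -> intermediate -> root chain.
# Every certificate is generated here with constructed names.
set -eu

DIR=$(mktemp -d)
trap 'rm -rf "$DIR"' EXIT

# Minimal config so the run does not depend on the system openssl.cnf.
cat > "$DIR/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:mail.example.test
EOF

# self_signed NAME CN: self-signed CA certificate NAME.pem with key NAME.key
self_signed() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
        -config "$DIR/openssl.cnf" -extensions v3_ca \
        -subj "/CN=$2" -keyout "$DIR/$1.key" -out "$DIR/$1.pem" 2>/dev/null
}

# issue NAME CN ISSUER SECTION: certificate NAME.pem signed by ISSUER.key,
# with the extensions from SECTION of the config above
issue() {
    openssl req -new -newkey rsa:2048 -nodes -config "$DIR/openssl.cnf" \
        -subj "/CN=$2" -keyout "$DIR/$1.key" -out "$DIR/$1.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$DIR/$1.csr" \
        -CA "$DIR/$3.pem" -CAkey "$DIR/$3.key" -CAcreateserial \
        -extfile "$DIR/openssl.cnf" -extensions "$4" \
        -out "$DIR/$1.pem" 2>/dev/null
}

make_chain() {
    self_signed root  "Example Test Root CA"
    self_signed other "Unrelated Root CA"      # a root that did not issue this chain
    issue int  "Example Test Intermediate CA" root v3_ca
    issue leaf "mail.example.test"            int  v3_leaf
}

# verify_chain DEPTH ROOT: verify leaf.pem, offering int.pem the way a server
# offers its intermediate, trusting only ROOT.pem, with -verify_depth DEPTH.
# Exit status is openssl's: 0 only when the chain verifies.
verify_chain() {
    openssl verify -verify_depth "$1" -CAfile "$DIR/$2.pem" \
        -untrusted "$DIR/int.pem" "$DIR/leaf.pem"
}

report() {  # report LABEL DEPTH ROOT
    if verify_chain "$2" "$3" >/dev/null 2>&1; then
        echo "$1: verified"
    else
        echo "$1: FAILED"
    fi
}

make_chain
report "depth 0, correct root  " 0 root    # FAILED: intermediate exceeds the limit
report "depth 5, correct root  " 5 root    # verified
report "depth 5, unrelated root" 5 other   # FAILED: no trusted issuer, whatever the depth
```

Two caveats a practitioner should keep in mind when reading the numbers. First, current OpenSSL documents the depth as the number of intermediate CAs allowed, with neither the end-entity certificate nor the trust anchor counted, so the exact N that a given chain needs differs between releases (the example therefore contrasts depth 0 with a generous depth rather than asserting a boundary). Second, `s_client` itself only prints the verification result and then carries on with the handshake; in modern OpenSSL it aborts on a failed verification only when `-verify_return_error` is also passed, which is why a connection can "work" with no trusted roots installed at all.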