[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Auto plugged off?

To: wl-en@lists.airs.net
Subject: Re: Auto plugged off?
From: Ian D. Leroux <idleroux@fastmail.fm>
Date: Sun, 27 Jun 2010 08:47:27 -0400
Delivered-to: wl-en@lists.airs.net
Dkim-signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=messagingengine.com; h=date:message-id:from:to:subject:in-reply-to:references:mime-version:content-type; s=smtpout; bh=hRCZClD7i3C4GgGPn33MG8m/41k=; b=u9Km0Vv8K921kSxG9mfQMKTrnFcd3TBNtxokxD2nqy3rctCpPjQf1aZQg2RFZXxmzZCy+cy805w4ZrH67d1IdZ4F7sJ5/uqEPoSA66SXNM+oOTG1oGYRyT4zlK+pjlqWFeIjF2hFnZda426N8y7NRPa9cE8/H7mXWfVYi7zqDkc=
In-reply-to: <4c26ea2f.0b698d0a.4185.ffff8698@mx.google.com>
List-help: <mailto:wl-en-ctl@lists.airs.net?body=help>
List-id: wl-en.lists.airs.net
List-owner: <mailto:wl-en-admin@lists.airs.net>
List-post: <mailto:wl-en@lists.airs.net>
List-software: fml [fml stable 20011102.2100]
List-unsubscribe: <mailto:wl-en-ctl@lists.airs.net?body=unsubscribe>
References: <1277567950.23826.1382019081@webmail.messagingengine.com> <4c263bed.201b8f0a.231a.51e5@mx.google.com> <1277587953.29151.1382045185@webmail.messagingengine.com> <4c26ea2f.0b698d0a.4185.ffff8698@mx.google.com>
Reply-to: wl-en@lists.airs.net
User-agent: Wanderlust/2.15.6 (Almost Unreal) SEMI/1.14.6 (Maruoka) FLIM/1.14.9 (Gojō) APEL/10.7 Emacs/23.2 (x86_64--netbsd) MULE/6.0 (HANACHIRUSATO)

At Sat, 26 Jun 2010 23:05:34 -0700,
Erik Hetzner wrote:
> Here is the actual command my WL uses to connect via SSL; maybe there
> is a cert problem? (Though I think it should connect anyhow.)
> 
>   /usr/bin/openssl s_client -quiet -host <host> -port <port> -verify
>   3 -CApath /etc/ssl/certs
> 
> Check you ssl-program-name and ssl-program-arguments; do they make
> sense?

Thanks to all for their insights.  Here's what I found:

short version:
(setq ssl-certificate-verification-policy SOME_LARGER_NUMBER)

long version:
There's a disagreement between the comments in ssl.el and the s_client
manpage about the meaning of the -verify option.  The documented
behaviour of -verify N is to limit the depth of the certificate chain
to N entries and, at least on NetBSD, that seems to be the actual
behaviour.  So with the default -verify 0 the fastmail cert (which has
two extra links in its trust chain) gives a verification failure, but
-verify 2 (or more) works.  The server I was logging into successfully
was using a self-signed cert so that a depth of 0 was sufficient.

As Tatsuya Kinoshita pointed out, the verification doesn't amount to
much: the connections work fine (as long as the certificate chain is
shorter than -verify N!) even though I now realize that I have no root
CA certs installed on this machine and therefore can't possibly be
validating the certificate the server sends me.

Thanks for the help,

Ian Leroux

Follow-Ups:
- Re: Auto plugged off?
  - From: Randy Bush <randy@psg.com>

References:
- Auto plugged off?
  - From: "Ian D. Leroux" <idleroux@fastmail.fm>
- Re: Auto plugged off?
  - From: Erik Hetzner <ehetzner@gmail.com>
- Re: Auto plugged off?
  - From: "Ian D. Leroux" <idleroux@fastmail.fm>
- Re: Auto plugged off?
  - From: Erik Hetzner <ehetzner@gmail.com>

Prev by Date: Re: Auto plugged off?
Next by Date: Re: Auto plugged off?
Previous by thread: Re: Auto plugged off?
Next by thread: Re: Auto plugged off?
Index(es):
- Date
- Thread