Re: Auto plugged off?
At Sat, 26 Jun 2010 23:05:34 -0700,
Erik Hetzner wrote:
> Here is the actual command my WL uses to connect via SSL; maybe there
> is a cert problem? (Though I think it should connect anyhow.)
>
> /usr/bin/openssl s_client -quiet -host <host> -port <port> -verify
> 3 -CApath /etc/ssl/certs
>
> Check your ssl-program-name and ssl-program-arguments; do they make
> sense?
Thanks to all for their insights. Here's what I found:
short version:
(setq ssl-certificate-verification-policy SOME_LARGER_NUMBER)
long version:
There's a disagreement between the comments in ssl.el and the s_client
manpage about the meaning of the -verify option. The documented
behaviour of -verify N is to limit the depth of the certificate chain
to N entries and, at least on NetBSD, that seems to be the actual
behaviour. So with the default -verify 0 the fastmail cert (which has
two extra links in its trust chain) gives a verification failure, but
-verify 2 (or more) works. The server I was logging into successfully
was using a self-signed cert so that a depth of 0 was sufficient.
As Tatsuya Kinoshita pointed out, the verification doesn't amount to
much: the connections work fine (as long as the certificate chain is
shorter than -verify N!) even though I now realize that I have no root
CA certs installed on this machine and therefore can't possibly be
validating the certificate the server sends me.
Thanks for the help,
Ian Leroux
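The depth behaviour described above can be reproduced offline. The script below is an added example, not part of the thread and not Wanderlust's code: it builds a throwaway chain root -> int1 -> int2 -> leaf with the openssl CLI (the leaf sits three hops from the trust anchor, two "extra links" beyond a plain root-signed cert), then runs `openssl verify` against it with several -verify_depth values, and once more with a CApath that holds no roots at all. The subjects, file names and the temporary directory are all made up for the demo.

```shell
#!/bin/sh
# Added demo script (not from the thread, not part of Wanderlust).
# Builds a throwaway chain  root -> int1 -> int2 -> leaf  with openssl, then
# runs `openssl verify` with several -verify_depth values and once against a
# CApath that contains no roots.  Every subject, file name and path below is
# invented for the demo; the only real tool involved is the openssl CLI.

WORK="${TMPDIR:-/tmp}/verify-depth-demo.$$"

# issue_cert NAME ISSUER EXTFILE: make a key and CSR for NAME, then sign the
# CSR with ISSUER's key, or self-sign it when ISSUER is empty.  Runs in $WORK.
issue_cert() {
    name=$1
    issuer=$2
    ext=$3
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=demo-$name" \
        -keyout "$name.key" -out "$name.csr" >/dev/null 2>&1 || return 1
    if [ -z "$issuer" ]; then
        openssl x509 -req -sha256 -days 1 -in "$name.csr" -signkey "$name.key" \
            -extfile "$ext" -out "$name.pem" >/dev/null 2>&1
    else
        openssl x509 -req -sha256 -days 1 -in "$name.csr" \
            -CA "$issuer.pem" -CAkey "$issuer.key" -CAcreateserial \
            -extfile "$ext" -out "$name.pem" >/dev/null 2>&1
    fi
}

# build_chain: a self-signed root CA, two intermediate CAs and one end-entity
# leaf.  The intermediates are concatenated into the file a server would send
# alongside its leaf.
build_chain() {
    mkdir -p "$WORK/empty-capath" || return 1
    (
        cd "$WORK" || exit 1
        printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
        printf 'basicConstraints=CA:FALSE\n' > leaf.ext
        issue_cert root ""   ca.ext   &&
        issue_cert int1 root ca.ext   &&
        issue_cert int2 int1 ca.ext   &&
        issue_cert leaf int2 leaf.ext &&
        cat int1.pem int2.pem > intermediates.pem
    )
}

# verify_depth N: prints OK or FAIL for the leaf under -verify_depth N,
# trusting the demo root and offering both intermediates as untrusted material.
verify_depth() {
    if (cd "$WORK" && openssl verify -CAfile root.pem -untrusted intermediates.pem \
            -verify_depth "$1" leaf.pem >/dev/null 2>&1)
    then echo OK; else echo FAIL; fi
}

# verify_no_roots: same chain and a generous depth, but the trust store offered
# is an empty directory, so the demo root is not trusted and nothing validates.
verify_no_roots() {
    if (cd "$WORK" && openssl verify -CApath empty-capath -untrusted intermediates.pem \
            -verify_depth 10 leaf.pem >/dev/null 2>&1)
    then echo OK; else echo FAIL; fi
}

main() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
    build_chain || { echo "chain build failed" >&2; return 1; }
    echo "openssl: $(openssl version)"
    for n in 0 1 2 3 4; do
        echo "-verify_depth $n: $(verify_depth "$n")"
    done
    echo "no trusted root, depth 10: $(verify_no_roots)"
    rm -rf "$WORK"
}

main
```

Depth 0 and 1 fail on every OpenSSL release and a large depth succeeds, but the exact N at which the sweep flips depends on the release: before 1.1.0 every certificate above the leaf counted, trust anchor included, so this chain needs -verify_depth 3, while 1.1.0 and later count only intermediates and accept 2. s_client's -verify N sets this same limit. Note also that s_client keeps the connection going after a verification error unless -verify_return_error is given as well, which is why a session can appear to "work" with no root certificates installed at all; the last line of the demo shows that same chain failing outright once the root is absent from the store.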