
Re: Problems with elmo-network-initialize-session



At Mon, 11 Apr 2011 10:55:32 -0400,
Vitaly Mayatskikh wrote:
>
> At Mon, 11 Apr 2011 14:44:49 +0100, Richard Lewis wrote:
>
> > It all seems to be working now.
> >
> > It would be interesting to know what's happened. Might I have
> > accidentally changed the value of ssl-certificate-verification-policy
> > to 0? Or might several of the IMAP servers I use have recently changed
> > their policy on verification?
>
> Maybe they renewed certificates.

No. The -verify option sets the verification policy of the openssl
client -- AFAIK it is the number of steps in the certificate chain
which the client should take to verify the server certificate.

E.g. -verify 0 means: Don't follow the chain at all and if the server
certificate is not present on the client, the verification fails.

There was a change in handling verification failures from openssl
0.9.8n to 1.0.0:

  *) Overhaul of by_dir code. Add support for dynamic loading of CRLs so
     new CRLs added to a directory can be used. New command line option
     -verify_return_error to s_client and s_server. This causes real errors
     to be returned by the verify callback instead of carrying on no matter
     what. This reflects the way a "real world" verify callback would behave.
     [Steve Henson]

This new option is not reflected in the man-page or in the help
message, seems to be turned on by default, and it looks like it's not
possible to turn it off.

Debian Testing recently updated from openssl 0.9.8 to 1.0.0 -- maybe
this caused the trouble. Before 1.0.0 the ssl client did continue the
connection if the verification failed (see Debian bug #210757).

Best,
  -- David
--
OpenPGP... 0x99ADB83B5A4478E6
Jabber.... dmjena@jabber.org
Email..... dmaus@ictsoc.de
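To see the two client-side failure modes discussed in this thread (the issuing CA is not on the client, and the chain is longer than the verification depth that s_client's -verify N sets) with files on disk rather than a live IMAP server, here is an added shell example; it is not code from this thread or from Wanderlust/ELMO. It assumes the openssl command-line tool (1.1.0 or newer, for -no-CAfile/-no-CApath) and builds a constructed throwaway root -> intermediate -> server chain:

```shell
#!/bin/sh
# Added example, not from the original mail or from Wanderlust/ELMO.
# Assumes the openssl CLI, 1.1.0 or newer. Everything below is a
# constructed, throwaway PKI created in a temp dir and removed on exit.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extension files: the intermediate must be a CA, the server cert must not.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' \
  > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:imap.example.test\n' \
  > "$WORK/srv.ext"

# Root CA (self-signed) -> intermediate CA -> IMAP server certificate.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Root" \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
  -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/int.csr" -CA "$WORK/root.pem" \
  -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/ca.ext" \
  -out "$WORK/int.pem" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=imap.example.test" \
  -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/srv.csr" -CA "$WORK/int.pem" \
  -CAkey "$WORK/int.key" -CAcreateserial -extfile "$WORK/srv.ext" \
  -out "$WORK/srv.pem" 2>/dev/null

# verify_chain DEPTH [CAFILE]: verify the server cert the way a client does,
# with the intermediate supplied as untrusted (as a server sends it in the
# handshake) and DEPTH as the maximum number of intermediates allowed.
# An empty CAFILE means the client has no trust anchor at all.
# Returns 0 if the chain verifies, non-zero otherwise.
verify_chain() {
  depth=$1
  if [ -n "$2" ]; then set -- -CAfile "$2"; else set -- -no-CAfile -no-CApath; fi
  openssl verify "$@" -untrusted "$WORK/int.pem" -verify_depth "$depth" \
    "$WORK/srv.pem" >/dev/null 2>&1
}

report() {
  if verify_chain "$1" "$2"; then echo "depth=$1 ca=${2:-none}: OK"
  else echo "depth=$1 ca=${2:-none}: verification FAILED"; fi
}
report 1 "$WORK/root.pem"   # root trusted, one intermediate allowed: OK
report 0 "$WORK/root.pem"   # depth 0 leaves no room for the intermediate: FAILED
report 1 ""                 # root not present on the client: FAILED
```

A client that, like openssl 1.0.0 with -verify_return_error, treats the last two outcomes as fatal will drop the IMAP connection instead of carrying on.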
