At Mon, 11 Apr 2011 10:55:32 -0400, Vitaly Mayatskikh wrote:
>
> At Mon, 11 Apr 2011 14:44:49 +0100, Richard Lewis wrote:
> > It all seems to be working now.
> >
> > It would be interesting to know what's happened. Might I have
> > accidentally changed the value of ssl-certificate-verification-policy
> > to 0? Or might several of the IMAP servers I use have recently changed
> > their policy on verification?
>
> Maybe they renewed certificates.

No. The -verify option sets the verification policy of the openssl client -- AFAIK it is the number of steps in the certificate chain which the client should take to verify the server certificate. E.g. -verify 0 means: Don't follow the chain at all, and if the server certificate is not present on the client, the verification fails.

There was a change in handling verification failures from openssl 0.9.8n to 1.0.0:

  *) Overhaul of by_dir code. Add support for dynamic loading of CRLs so
     new CRLs added to a directory can be used. New command line option
     -verify_return_error to s_client and s_server. This causes real
     errors to be returned by the verify callback instead of carrying on
     no matter what. This reflects the way a "real world" verify callback
     would behave.
     [Steve Henson]

This new option is not reflected in the man-page or in the help message, seems to be turned on by default and looks like it's not possible to turn it off.

Debian Testing recently updated from openssl 0.9.8 to 1.0.0 -- maybe this caused the trouble. Before 1.0.0 the ssl client did continue the connection if the verification failed (see debian bug #210757).

Best,
-- David

--
OpenPGP... 0x99ADB83B5A4478E6
Jabber.... dmjena@jabber.org
Email..... dmaus@ictsoc.de
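The following is an added example, not part of David's mail or of the thread: a small POSIX shell helper that checks whether an IMAPS server's certificate chain actually verifies, using `openssl s_client` with an explicit `-verify` depth and the `-verify_return_error` option discussed above, so that a verification failure ends the session instead of being reported and then ignored. The host, port, CA bundle path and the two captured-output samples are constructed placeholders, and the parsing helper is tested offline against those samples.

```shell
#!/bin/sh
# Added example (not from the original mail). Checks an IMAPS server's
# certificate chain with openssl s_client. Host/port/CA path are placeholders.
set -u

# Extract the numeric "Verify return code" that s_client prints at the end of
# a session (0 = ok). Prints "unknown" if the line is absent, e.g. because the
# handshake was aborted before the summary was printed.
verify_return_code() {
    # $1: captured s_client output (stdout and stderr)
    code=$(printf '%s\n' "$1" | sed -n 's/^Verify return code: \([0-9]*\) .*/\1/p' | head -n 1)
    if [ -z "$code" ]; then
        echo unknown
    else
        echo "$code"
    fi
}

# Connect to HOST:PORT, bound the chain depth with -verify DEPTH (as in the
# mail), and pass -verify_return_error explicitly so a failed verification
# terminates the connection. Returns 0 only when the chain verified cleanly.
check_imaps_cert() {
    host=$1
    port=${2:-993}
    depth=${3:-5}
    cafile=${4:-/etc/ssl/certs/ca-certificates.crt}   # assumed bundle location
    if out=$(printf 'a LOGOUT\r\n' | openssl s_client -connect "$host:$port" \
                -CAfile "$cafile" -verify "$depth" -verify_return_error 2>&1); then
        status=0
    else
        status=$?
    fi
    code=$(verify_return_code "$out")
    if [ "$status" -ne 0 ] || [ "$code" != 0 ]; then
        echo "$host:$port: certificate verification FAILED (verify return code: $code)"
        return 1
    fi
    echo "$host:$port: certificate chain verified (depth limit $depth)"
    return 0
}

# Constructed samples of s_client output, used for an offline demonstration.
SAMPLE_OK='CONNECTED(00000003)
---
SSL handshake has read 3221 bytes and written 456 bytes
Verify return code: 0 (ok)
---'
SAMPLE_SELF_SIGNED='CONNECTED(00000003)
depth=0 CN = mail.example.test
verify error:num=18:self signed certificate
Verify return code: 18 (self signed certificate)
---'

# Offline demonstration of the parser; a real check would be
#   check_imaps_cert imap.example.test 993 5 /path/to/ca-bundle.crt
echo "sample ok          -> $(verify_return_code "$SAMPLE_OK")"
echo "sample self-signed -> $(verify_return_code "$SAMPLE_SELF_SIGNED")"
```

Treating a missing summary line as a failure is deliberate: when `-verify_return_error` aborts the handshake, s_client exits non-zero and may never print the "Verify return code" line, so only an explicit `0 (ok)` together with a zero exit status counts as a verified chain.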