[tpop3d-discuss] SSL CA Certificates

Erik Grinaker erikg at codepoet.no
Fri, 16 Jul 2004 15:39:24 +0200


On Thu, 2004-07-08 at 10:05 +1000, David Mitchell wrote:
> I had the same problem with a Comodo cert and managed to fix it by changing
> one line in tls.c:
> 
> # diff tls.c.orig tls.c
> 86c86
> <     if ((ret = SSL_CTX_use_certificate_file(ctx, certfile,
> SSL_FILETYPE_PEM)) <= 0) {
> ---
> >     if ((ret = SSL_CTX_use_certificate_chain_file(ctx, certfile)) <= 0) {
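Review bot: the replacement drops the SSL_FILETYPE_PEM argument, and SSL_CTX_use_certificate_chain_file reads PEM only, so a DER certfile that loaded with the old call will now fail; the certfile documentation should say the file must be PEM with the server certificate first and the intermediates following in signing order. The `<= 0` test still holds, since the chain loader returns 1 on success and 0 on failure.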

Perfect, the patch works great - thanks a lot! Any chance of this being
included in tpop3d 1.5.4?


> The listen-address line in my config is like so:
> 
> listen-address:
> 0.0.0.0(f.q.d.n);tls=immediate,/usr/local/ssl/certs/both.crt,/usr/local/ssl/
> certs/server.key
> 
> where "f.q.d.n" is the FQDN in your cert, "both.crt" is a certificate file
> with your cert and Comodo's cert (in that order) and "server.key" is your
> server's private key. Set other options as needed for your setup, obviously
> :)

Actually, you can also put the key in the certificate chain. In my
setup, the chain file looks like:

-----BEGIN CERTIFICATE-----
[server.crt contents]
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
[server.crt private key]
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
[comodo.crt contents]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[gte.crt contents]
-----END CERTIFICATE-----


-- 
Erik Grinaker <erikg@codepoet.no>

"We act as though comfort and luxury were the chief requirements of
life, when all that we need to make us happy is something to be
enthusiastic about."
                                                  -- Albert Einstein
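The thread describes the bundle layout the chain loader expects: server certificate first, optionally the private key, then the CA certificates in order. The script below is an added example, not code from tpop3d or from anyone in this thread; it lints a PEM bundle for that layout using only the standard library. It checks PEM structure (labels, base64, a DER SEQUENCE tag on each block, one key at most, a CA chain present) and does not verify signatures or that the key matches the certificate. The sample bundle is constructed from placeholder DER bytes, not real certificates.

```python
import base64
import re
import textwrap

# Matches one PEM block; the backreference makes a mismatched END label fail to parse.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def parse_pem(text):
    """Return [(label, der_bytes), ...] in file order; bad base64 raises ValueError."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        der = base64.b64decode("".join(body.split()), validate=True)
        blocks.append((label, der))
    return blocks


def lint_bundle(text):
    """Check the layout the chain loader expects: server cert first, optional key,
    then the CA chain. Returns a list of problem strings; empty means the layout is ok."""
    problems = []
    try:
        blocks = parse_pem(text)
    except ValueError as e:
        return ["undecodable base64 in a PEM block: %s" % e]
    if not blocks:
        return ["no PEM blocks found"]
    labels = [label for label, _ in blocks]
    if labels[0] != "CERTIFICATE":
        problems.append("first block must be the server certificate, found %r" % labels[0])
    keys = [i for i, label in enumerate(labels) if label in KEY_LABELS]
    if len(keys) > 1:
        problems.append("more than one private key block (%d)" % len(keys))
    for i, (label, der) in enumerate(blocks):
        # X.509 and PKCS#1/PKCS#8 DER all begin with a SEQUENCE tag (0x30): cheap sanity check.
        if not der or der[0] != 0x30:
            problems.append("block %d (%s) does not decode to a DER SEQUENCE" % (i, label))
        if label != "CERTIFICATE" and label not in KEY_LABELS:
            problems.append("block %d has unexpected label %r" % (i, label))
    if labels.count("CERTIFICATE") < 2:
        problems.append("only the server certificate present; CA chain is missing")
    return problems


def pem_block(label, der):
    """Encode DER bytes as one PEM block with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (
        label, "\n".join(textwrap.wrap(b64, 64)), label)


# Constructed sample bundle: minimal DER SEQUENCEs stand in for real certs and keys.
FAKE_SERVER_CERT = b"\x30\x03\x02\x01\x01"
FAKE_KEY = b"\x30\x03\x02\x01\x02"
FAKE_CA_CERT = b"\x30\x03\x02\x01\x03"

# Layout from the thread: server cert, key, then the intermediate and root CA certs.
GOOD_BUNDLE = (pem_block("CERTIFICATE", FAKE_SERVER_CERT)
               + pem_block("RSA PRIVATE KEY", FAKE_KEY)
               + pem_block("CERTIFICATE", FAKE_CA_CERT)
               + pem_block("CERTIFICATE", FAKE_CA_CERT))

# Key placed first and no CA certs: fails the layout check.
KEY_FIRST_BUNDLE = (pem_block("RSA PRIVATE KEY", FAKE_KEY)
                    + pem_block("CERTIFICATE", FAKE_SERVER_CERT))

if __name__ == "__main__":
    for name, bundle in (("good", GOOD_BUNDLE), ("key-first", KEY_FIRST_BUNDLE)):
        print(name, lint_bundle(bundle) or "ok")
```

Run it against your real both.crt (read the file and pass the text to lint_bundle) before restarting tpop3d; an empty result means the block order is right, which is the part of the layout that the chain loader depends on.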