Dovecot proxy ignores trusted root certificate store
Andrew McN
andrew at mcnaughty.com
Mon Sep 21 11:45:29 UTC 2015
On 21/09/15 17:28, Alex Bulan wrote:
> The result is the same with or without "<" before the file path. With
> "<" the inode atime is updated at Dovecot startup, so the file is at
> least opened, but Dovecot still can't verify the cert.
>
> The only place in the Wiki that shows an example of ssl_client_ca_file
> is on this page, and there's no "<" in front of the file path:
>
> http://wiki2.dovecot.org/Replication
>
> (quote)
> The client must be able to verify that the SSL certificate is valid, so
> you need to specify the directory containing valid SSL CA roots:
>
> ssl_client_ca_dir = /etc/ssl/certs # Debian/Ubuntu
> ssl_client_ca_file = /etc/pki/tls/cert.pem # RedHat
> (end quote)
>
Suggesting that on Redhat you should specify "the directory containing
valid SSL CA roots" by setting ssl_client_ca_file sounds kinda crazy.
Sounds like setting a file instead. So that bit of documentation should
be treated as rather suspect.
Regards,
Andrew
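
The file-versus-directory distinction raised in this thread, as an added example (not code from either poster or from the Dovecot project): a small check that reports whether a path fits `ssl_client_ca_file` (a PEM bundle file) or `ssl_client_ca_dir` (a directory of CA roots). It assumes the directory is looked up OpenSSL CApath-style, which needs hash-named entries; `suggest_setting`, `build_constructed_sample` and the sample files are hypothetical and constructed here.

```python
import os
import re
import tempfile

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
# Assumption: CA directories are read OpenSSL CApath-style, where entries
# are named <8 hex digits>.<n> (subject-hash links made by c_rehash).
HASHED_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")


def suggest_setting(path):
    """Return (setting_name, detail) for a CA path, or (None, reason) if unusable."""
    if os.path.isdir(path):
        hashed = [n for n in os.listdir(path) if HASHED_NAME.match(n)]
        if not hashed:
            return None, "directory has no hash-named entries"
        return "ssl_client_ca_dir", "%d hash-named entries" % len(hashed)
    if os.path.isfile(path):
        with open(path, "r", errors="replace") as fh:
            count = fh.read().count(PEM_BEGIN)
        if count == 0:
            return None, "file contains no PEM certificates"
        return "ssl_client_ca_file", "%d PEM certificates" % count
    return None, "path does not exist"


def build_constructed_sample(root):
    """Create constructed placeholder inputs under root (not real certificates)."""
    fake_pem = PEM_BEGIN + "\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
    bundle = os.path.join(root, "cert.pem")          # bundle file, two entries
    with open(bundle, "w") as fh:
        fh.write(fake_pem * 2)
    cadir = os.path.join(root, "certs")              # hashed directory
    os.mkdir(cadir)
    with open(os.path.join(cadir, "0a1b2c3d.0"), "w") as fh:
        fh.write(fake_pem)
    plain = os.path.join(root, "unhashed")           # directory without hash names
    os.mkdir(plain)
    with open(os.path.join(plain, "ca.crt"), "w") as fh:
        fh.write(fake_pem)
    return bundle, cadir, plain


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        for p in build_constructed_sample(root):
            print(os.path.basename(p), "->", suggest_setting(p))
```
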