Dovecot proxy ignores trusted root certificate store
Alex Bulan
avb at korax.net
Mon Sep 21 17:45:45 UTC 2015
On Mon, 21 Sep 2015, Andrew McN wrote:
>> http://wiki2.dovecot.org/Replication
>>
>> (quote)
>> The client must be able to verify that the SSL certificate is valid, so
>> you need to specify the directory containing valid SSL CA roots:
>>
>> ssl_client_ca_dir = /etc/ssl/certs # Debian/Ubuntu
>> ssl_client_ca_file = /etc/pki/tls/cert.pem # RedHat
>> (end quote)
>>
>
> Suggesting that on Redhat you should specify "the directory containing
> valid SSL CA roots" by setting ssl_client_ca_file sounds kinda crazy.
> Sounds like setting a file instead. So that bit of documentation should
> be treated as rather suspect.
>
> Regards,
> Andrew
In some environments, root certs are stored in a hashed directory, in
other environments they're stored in one file. One would typically use
one setting or the other.
I think ssl_client_ca_file was implemented later than ssl_client_ca_dir.
The comment just needs to be updated.
More information about the dovecot
mailing list