[imp] Cert Verification imap ssl

Cliff Green green@UMDNJ.EDU
Wed, 17 Jul 2002 13:43:20 -0400


Quoting Craig A Lewis <clewis@math.unm.edu>:

> 
> Hello,
> 
> No, I am not using a self signed cert; sorry I should have
> made that clearer. Our email clients use imaps and we
> are using a thawte.com cert.

Your local clients (Communicator, etc.) already have Thawte's signing cert
in their store; your imp/horde server doesn't.

You need to let openssl (and by extension PHP) know to trust your cert. 
Unless you have Thawte's current signing cert in your openssl certs
directory (which it sounds like you don't), try this:

1) Copy the cert in PEM format into the OpenSSL certs directory on your
horde/imp server (for me that's either in /usr/local/ssl/certs or
/usr/share/ssl/certs - YMMV)
2) run c_hash against it (you should find c_hash in /usr/local/ssl/misc or
/usr/share/ssl/misc) to generate the hash id for your cert
3) create a symbolic link from the pem file to the hash (e.g.: "ln -s
my_servers_imapd.pem 7d6f554a.0") so openssl can find it
4) use "'protocol' => 'imap/ssl'" in imp/config/servers.php

I've done this with five of our "private-label" certs, and it works as expected.

(PS - you might check to see if the appropriate root cert from Thawte isn't
in the ca-bundle.crt file that comes with OpenSSL; if it is, you may be
able to get away with just creating the hash for that.)

c
-- 
Cliff Green
Academic Computing Services - UMDNJ
Signature under NDA
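
Steps 1 to 3 above as a script, added here as an example and not part of the original message. It calls `openssl x509 -hash` directly instead of the c_hash script, and the function names, the certs directory argument and the throwaway self-signed test cert are assumptions made for illustration.

```shell
# Added example: install a PEM cert into an OpenSSL hashed certs directory.

# install_trusted_cert PEM CERT_DIR -> prints the link name created or found
install_trusted_cert() {
    pem=$1; dir=$2; base=$(basename "$pem")
    # -hash prints the subject-name hash used for the link name; it also
    # rejects a file that is not a PEM X.509 certificate.
    hash=$(openssl x509 -in "$pem" -noout -hash) || return 1
    fp=$(openssl x509 -in "$pem" -noout -fingerprint) || return 1
    mkdir -p "$dir" || return 1
    # Step 1: copy, but never overwrite a different file of the same name.
    if [ -e "$dir/$base" ]; then
        cmp -s "$pem" "$dir/$base" || return 1
    else
        cp "$pem" "$dir/$base" || return 1
    fi
    # Steps 2-3: link as <hash>.<n>. Two certs can share a subject hash,
    # so take the first free suffix instead of clobbering <hash>.0.
    n=0
    while [ -e "$dir/$hash.$n" ] || [ -L "$dir/$hash.$n" ]; do
        seen=$(openssl x509 -in "$dir/$hash.$n" -noout -fingerprint 2>/dev/null) || seen=""
        if [ "$seen" = "$fp" ]; then echo "$hash.$n"; return 0; fi
        n=$((n + 1))
    done
    (cd "$dir" && ln -s "$base" "$hash.$n") || return 1
    echo "$hash.$n"
}

# cert_is_trusted PEM CERT_DIR -> exit 0 if OpenSSL verifies PEM via CERT_DIR
cert_is_trusted() {
    openssl verify -CApath "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# make_constructed_cert OUT_PEM CN: throwaway self-signed cert (sample input)
make_constructed_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -keyout "$1.key" -out "$1" 2>/dev/null
}
```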