[imp] What to do about the root of our certificate chain?
Michael M Slusarz
slusarz at horde.org
Tue May 23 15:27:26 PDT 2006
Quoting Otto Stolz <Otto.Stolz at uni-konstanz.de>:
> Hello,
>
> horde/imp/test.php tells me, that the root CA in our certificate chain is
> unknown:
>> * Trying protocol imap/ssl, Port 993:
>> ERROR - The server returned the following error message:
>> Certificate failure for popserver.uni-konstanz.de: self signed certificate
>> in certificate chain: /C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA
>> Classic - G01
>
> Consequently, it recommends the imap/ssl/novalidate-cert protocol.
> I'd rather use the imap/ssl protocoll, so all certificates are checked
> against the certificate chain, back to the root CA.
>
> I do not really understand the error message quoted above.
> - I thought that Imp contacts the IMAP server which presents a certificate
> to Imp so it can check that it is contacting the real server (and no
> fake IMAP server). But then, which server tells Imp that the CA
> chain is broken?
> - Or is it so that Imp has to present a certificate to the IMAP server
> so it can be sure that the right client is requesting its services?
>
> In the 1st case, the question does arise: Where is the list of root CAs
> Imp is consulting, and how can I add to it the CA in charge of us?
>
> In the 2nd case, the question is: Where do I have to put the certificate
> Imp should present to the server? (And I would have to ask the colleague
> in charge of the IMAP server to add the root CA to his list.)
This is a c-client issue. See, e.g., src/osdep/unix/Makefile in the
c-client distribution (namely the SSLCERTS variable).
michael
___________________________________
Michael Slusarz [slusarz at horde.org]
More information about the imp
mailing list