[PATCH] FAQ: add two entries concerning 'sslcacertfile'

Daniel Shahaf d.s at daniel.shahaf.name
Sat May 14 17:56:29 UTC 2011

On Sat, 14 May 2011 11:15 +0200, "Johannes Kastl" <ojkastl at gmx.de> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 08.05.11 21:55 Daniel Shahaf wrote:
> 
> > +    openssl s_client -CApath /etc/ssl/certs -connect ${hostname}:imaps -showcerts \
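Review bot: the line ends in a continuation backslash, so the rest of the command is not visible in this quote, and the FAQ entry should show the full command so readers can tell what is done with the output. On the option itself, -CApath takes a directory indexed by subject hash (the <hash>.0 links that c_rehash creates), while -CAfile takes a single PEM bundle, so -CApath is right for a directory like /etc/ssl/certs; since that path is distribution-specific, the entry could say in one sentence what the option is for (confirming a trust path from the system CA store to the presented certificate) so readers on other systems know what to substitute.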
> 
> I guess that -CApath should point to the directory (/etc/ssl/ in this
> case) and you may want to use "-CAfile /etc/ssl/certs" instead, right?
> 

On my system /etc/ssl/certs/ is a directory.  It contains both *.pem files and *.0 symlinks (as created by openssl's c_rehash tool) to those files:

/etc/ssl/certs/00673b5b.0 -> thawte_Primary_Root_CA.pem

The purpose of having -CApath (or -CAfile) in the openssl invocation is to verify that there is a "trust path" (certificates chain) from the system-installed CA certificates to the certificate being presented to openssl (and stored for posterity in a file offlineimap will use).  You can leave it out if you have another way of verifying that the sslcacertfile's contents are indeed the correct certificate.

> Regards,
> Johannes
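As an added example that is not part of this thread or of the OfflineIMAP FAQ, the following POSIX shell script builds a throwaway CA and server certificate (constructed test data; the host name imap.example.invalid and all file names are made up) and runs `openssl verify` four ways to show the point of the exchange above: -CApath wants a directory indexed by subject hash (the *.0 links c_rehash creates), -CAfile wants a PEM bundle, and each fails when handed the other. It also carries, unexercised because it needs a live IMAP server, a function with the s_client form of the check that the FAQ line performs.

```shell
#!/bin/sh
# Added example, not code from the OfflineIMAP FAQ or from this thread.
# All certificates are generated below (constructed test data), so the
# script runs offline; host and file names are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed PKI: a throwaway root CA and a server certificate signed by it.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Constructed Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" -days 2 >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=imap.example.invalid" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/leaf.pem" -days 1 >/dev/null 2>&1
}

# -CApath expects a directory openssl can index by subject-name hash: links
# named <hash>.0 pointing at the PEM files (what c_rehash creates). Build one.
make_hashed_dir() {  # $1 = directory, $2 = CA certificate
  mkdir -p "$1"
  ln -sf "$2" "$1/$(openssl x509 -noout -hash -in "$2").0"
}

# The same CA certificate in a directory that has no hash links.
make_unhashed_dir() {  # $1 = directory, $2 = CA certificate
  mkdir -p "$1"
  cp "$2" "$1/ca.pem"
}

# Return 0 when certificate $1 chains to a CA found via -CApath directory $2.
verify_with_capath() { openssl verify -CApath "$2" "$1" >/dev/null 2>&1; }

# Return 0 when certificate $1 chains to a CA in -CAfile bundle $2.
verify_with_cafile() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# Network form of the same check, as in the FAQ's s_client line (not run here,
# it needs a live IMAP server): s_client reports whether a trust path from the
# system CA directory to the presented certificate was found, and the PEM
# blocks it prints with -showcerts are what gets saved for sslcacertfile.
save_server_chain() {  # $1 = host name, $2 = output file
  out=$(openssl s_client -CApath /etc/ssl/certs -connect "$1:imaps" -showcerts \
          </dev/null 2>/dev/null)
  printf '%s\n' "$out" | grep 'Verify return code'   # "0 (ok)" means trusted
  printf '%s\n' "$out" \
    | sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' > "$2"
}

report() {  # $1 = description, rest = command to run
  desc=$1; shift
  if "$@"; then echo "ok      $desc"; else echo "failed  $desc"; fi
}

make_test_pki
make_hashed_dir   "$WORK/hashed"   "$WORK/ca.pem"
make_unhashed_dir "$WORK/unhashed" "$WORK/ca.pem"

report "-CApath with a c_rehash-style directory" verify_with_capath "$WORK/leaf.pem" "$WORK/hashed"
report "-CApath with an unhashed directory"      verify_with_capath "$WORK/leaf.pem" "$WORK/unhashed"
report "-CAfile with the CA PEM file"            verify_with_cafile "$WORK/leaf.pem" "$WORK/ca.pem"
report "-CAfile pointing at a directory"         verify_with_cafile "$WORK/leaf.pem" "$WORK/hashed"
```

Run as-is, the script prints ok for the first and third line and failed for the second and fourth: the unhashed copy of the CA is never consulted by -CApath, and -CAfile cannot load a directory. That is the mismatch behind the question in the quoted mail.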