[PATCH] FAQ: add two entries concerning 'sslcacertfile'

Daniel Shahaf d.s at daniel.shahaf.name
Mon May 16 10:59:15 UTC 2011


I'm sure $maintainer would favourably consider patches that clarify the
example in place and/or list the OS certificates' store locations for
other platforms.

Johannes Kastl wrote on Sun, May 15, 2011 at 19:46:44 +0200:
> 
> On 14.05.11 19:56, Daniel Shahaf wrote:
> 
> > On my system /etc/ssl/certs/ is a directory.  It contains both *.pem
> > files and *.0 symlinks (as created by openssl's c_rehash tool) to
> > those files:
> 
> On my machine (OSX 10.6.x) just giving -CApath directory was not enough,
> I had to explicitly add a file via -CAfile.
> 
> To clarify things, adding an ending slash to "/etc/ssl/certs" would be nice.
> 
> > The purpose of having -CApath (or -CAfile) in the openssl invocation
> > is to verify that there is a "trust path" (certificate chain) from
> > the system-installed CA certificates to the certificate being
> > presented to openssl (and stored for posterity in a file offlineimap
> > will use).  You can leave it out if you have another way of verifying
> > that the sslcacertfile's contents are indeed the correct
> > certificate.
> 
> As said above, just adding a directory was not enough on my machine...
> 
> Regards,
> Johannes
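
The -CApath / -CAfile distinction discussed in this thread, as an added example that is not part of the original messages or of OfflineIMAP: openssl looks up CA certificates in a -CApath directory by hashed file name (the *.0 links c_rehash creates), so a directory without such entries gives it nothing to find, while -CAfile reads a PEM file directly. The function names `has_hashed_entries` and `trust_option` are hypothetical.

```shell
#!/bin/sh
# Added example: pick the openssl trust option that fits a given location.

# has_hashed_entries DIR
# Succeeds if DIR holds at least one resolvable entry named like
# <8 hex digits>.<n>, the naming that c_rehash produces (e.g. 1a2b3c4d.0).
has_hashed_entries() {
    for entry in "$1"/*; do
        [ -e "$entry" ] || continue   # skips dangling links and an unmatched glob
        case "${entry##*/}" in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*)
                return 0 ;;
        esac
    done
    return 1
}

# trust_option LOCATION
# Prints "-CApath" for a hashed certificate directory or "-CAfile" for a
# PEM file; otherwise explains the problem on stderr and returns 1.
trust_option() {
    loc=$1
    if [ -d "$loc" ]; then
        if has_hashed_entries "$loc"; then
            echo "-CApath"
        else
            echo "$loc has no hashed (*.0) entries; run c_rehash on it or use a PEM file with -CAfile" >&2
            return 1
        fi
    elif [ -f "$loc" ] && grep -q -e '-----BEGIN CERTIFICATE-----' "$loc"; then
        echo "-CAfile"
    else
        echo "$loc is neither a directory nor a PEM certificate file" >&2
        return 1
    fi
}

# Usage (not run here):
#   opt=$(trust_option /etc/ssl/certs/) && openssl verify "$opt" /etc/ssl/certs/ server.pem
```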


