[PATCH] FAQ: add two entries concerning 'sslcacertfile'
Daniel Shahaf
d.s at daniel.shahaf.name
Sat May 14 18:56:29 BST 2011
On Sat, 14 May 2011 11:15 +0200, "Johannes Kastl" <ojkastl at gmx.de> wrote:
> On 08.05.11 21:55 Daniel Shahaf wrote:
>
> > + openssl s_client -CApath /etc/ssl/certs -connect ${hostname}:imaps -showcerts \
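Review bot: the `-CApath /etc/ssl/certs` on this line does not make the command fail when no trust path is found. s_client still completes the handshake and `-showcerts` still prints the presented certificates, so the FAQ entry should tell the reader to check for `Verify return code: 0 (ok)` in the output before saving anything as sslcacertfile (the continuation after the trailing backslash is not visible here). The entry should also note that `/etc/ssl/certs` is a system-specific location and has to be a c_rehash-style hashed directory for `-CApath` to find the CA.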
>
> I guess that -CApath should point to the directory (/etc/ssl/ in this
> case) and you may want to use "-CAfile /etc/ssl/certs" instead, right?
>
On my system /etc/ssl/certs/ is a directory. It contains both *.pem files and *.0 symlinks (as created by openssl's c_rehash tool) to those files:

    /etc/ssl/certs/00673b5b.0 -> thawte_Primary_Root_CA.pem

The purpose of having -CApath (or -CAfile) in the openssl invocation is to verify that there is a "trust path" (certificate chain) from the system-installed CA certificates to the certificate being presented to openssl (and stored for posterity in a file offlineimap will use). You can leave it out if you have another way of verifying that the sslcacertfile's contents are indeed the correct certificate.

> Regards,
> Johannes
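
The -CApath / -CAfile distinction discussed in this message, as an added example that is not part of the original thread: it builds a throwaway CA and server certificate offline, then checks for a trust path through a hashed directory and through a single PEM file. It assumes the openssl command-line tool is installed; the function names, the `imap.example.test` hostname and all paths are constructed for the demonstration.

```shell
#!/bin/sh
# Added example; every name, path and certificate below is constructed.
set -eu

make_demo_pki() {    # $1 = work dir; writes certs/demo_root.pem and leaf.pem
    mkdir -p "$1/certs"
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
        '[dn]' 'CN = unused' '[v3_ca]' 'basicConstraints = critical,CA:TRUE' \
        > "$1/req.cnf"
    openssl req -x509 -config "$1/req.cnf" -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Demo Root CA" -keyout "$1/ca.key" \
        -out "$1/certs/demo_root.pem" 2>/dev/null
    openssl req -new -config "$1/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=imap.example.test" -keyout "$1/leaf.key" \
        -out "$1/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/certs/demo_root.pem" \
        -CAkey "$1/ca.key" -set_serial 2 -days 2 -out "$1/leaf.pem" 2>/dev/null
}

rehash_one() {       # what c_rehash does per CA: <subject-hash>.0 -> cert file
    h=$(openssl x509 -hash -noout -in "$1/certs/demo_root.pem")
    ln -s demo_root.pem "$1/certs/$h.0"
    echo "$h"
}

verify_capath() {    # status 0 only if the hashed directory yields a trust path
    openssl verify -CApath "$1/certs" "$1/leaf.pem" >/dev/null 2>&1
}

verify_cafile() {    # $2 = what is passed to -CAfile (expects one PEM file)
    openssl verify -CAfile "$2" "$1/leaf.pem" >/dev/null 2>&1
}

d=$(mktemp -d)
make_demo_pki "$d"
verify_capath "$d" || echo "-CApath, no hash links yet: no trust path"
echo "linked $(rehash_one "$d").0 -> demo_root.pem"
verify_capath "$d" && echo "-CApath, after hashing: trust path found"
verify_cafile "$d" "$d/certs" || echo "-CAfile given the directory: fails"
verify_cafile "$d" "$d/certs/demo_root.pem" && echo "-CAfile given the PEM: ok"
rm -rf "$d"
```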