[PATCH] FAQ: add two entries concerning 'sslcacertfile'

Daniel Shahaf d.s at daniel.shahaf.name
Mon May 16 11:59:15 BST 2011


I'm sure $maintainer would favourably consider patches that clarify the
example in place and/or list the OS certificates' store locations for
other platforms.

Johannes Kastl wrote on Sun, May 15, 2011 at 19:46:44 +0200:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Am 14.05.11 19:56 schrieb Daniel Shahaf:
> 
> > On my system /etc/ssl/certs/ is a directory.  It contains both *.pem
> > files and *.0 symlinks (as created by openssl's c_rehash tool) to
> > those files:
> 
> On my machine (OSX 10.6.x) just giving -CApath directory was not enough,
> I had to explicitly add a file via -CAfile.
> 
> To clarify things adding an ending slash to "/etc/ssl/certs" would be nice.
> 
> > The purpose of having -CApath (or -CAfile) in the openssl invocation
> > is to verify that there is a "trust path" (certificates chain) from
> > the system-installed CA certificates to the certificate being
> > presented to openssl (and stored for posterity in a file offlineimap
> > will use).  You can leave it out if you have another way of verifying
> > that the sslcacertfile's contents are indeed the correct
> > certificate.
> 
> As said above, just adding a directory was not enough on my machine...
> 
> Regards,
> Johannes




More information about the OfflineIMAP-project mailing list