On Mon, Jan 11, 2010 at 05:49:09PM +0100, Dominique Marant wrote:
> Hi,
> A few users have their client (Thunderbird, ...) configured with a
> certificate, a client-side certificate. In this case, the perdition SSL
> connection aborts with a fatal error. The error log is:
> error: unable to get local issuer certificate
> Fatal error establishing TLS connection
> With ssl_no_cert_verify="on", it's running successfully.
> But could you tell me if it's a good setting (most of the users
> don't have a client certificate)?

Hi Dominique,
Sorry about the cryptic nature of that message.
It isn't referring to the connection between the end-user (Thunderbird)
and perdition, but rather the connection between perdition and
the real-server. To be clear, perdition doesn't request client certificates.
The message says that the certificate for the issuer of the
server's certificate is not available locally and thus perdition
can't verify the server's certificate.
There are two options here:
1. Use ssl_no_cert_verify, which tells perdition not to try
and verify the certificate's issuer. This is not a great option
because it somewhat defeats the purpose of SSL. For example,
it allows someone to do a man-in-the-middle attack using
a different certificate. This may or may not be of concern
to you for connections from perdition to a real-server.
2. Give the issuer's certificate to perdition.
This can be achieved using the ssl_ca_file and/or ssl_ca_path
options.
On Debian systems a supply of Root CA certificates is provided
by the ca-certificates package. For example the following
works with my ISP's mail server's certificate.
ssl_ca_file /usr/share/ca-certificates/mozilla/Thawte_Premium_Server_CA.crt
Be aware that if you use the ssl_ca_path option you will need to run
s_rehash . in the directory in order for openssl (and thus perdition)
to be able to find certificates in the directory. This is described
in minimal detail at the bottom of the SSL_CTX_load_verify_locations
manpage.
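An added example, not from the thread or from perdition itself, that reproduces the "unable to get local issuer certificate" failure offline with a constructed throwaway CA and then shows the two fixes described above: trusting the issuer via a CA file (ssl_ca_file) and via a CA directory (ssl_ca_path), which only works once the directory has been rehashed. It assumes the openssl command-line tool is installed.

```shell
# Added example (not from the thread): reproduce the verify failure offline
# and demonstrate both fixes. Assumes the openssl CLI is installed; every
# certificate below is a constructed throwaway for this demonstration only.
set -e
WORK=$(mktemp -d)
CADIR="$WORK/cadir"   # stands in for the directory you would give to ssl_ca_path

# Constructed test CA and a server certificate issued by it.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
  -keyout "$WORK/srv.key" -out "$WORK/srv.csr" >/dev/null 2>&1
openssl x509 -req -days 1 -in "$WORK/srv.csr" -CA "$WORK/ca.crt" \
  -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/srv.crt" >/dev/null 2>&1
mkdir -p "$CADIR" && cp "$WORK/ca.crt" "$CADIR/"

# Print the verify error seen when no trusted copy of the issuer is available
# (the condition perdition reports, and the one ssl_no_cert_verify hides).
verify_error() {
  openssl verify "$WORK/srv.crt" 2>&1 \
    | grep -o 'unable to get local issuer certificate' | head -n 1
}

# Equivalent of ssl_ca_file: succeeds when the server cert chains to the file.
verify_with_ca_file() { openssl verify -CAfile "$1" "$WORK/srv.crt" >/dev/null 2>&1; }

# Equivalent of ssl_ca_path: OpenSSL looks issuers up by hashed file name,
# so this fails until the directory has been rehashed.
verify_with_ca_path() { openssl verify -CApath "$1" "$WORK/srv.crt" >/dev/null 2>&1; }

# Create the hash links; "openssl rehash" is the built-in form of the c_rehash script.
rehash_dir() { openssl rehash "$1" >/dev/null 2>&1 || c_rehash "$1" >/dev/null 2>&1; }

# Walk through the failure and both fixes, printing one summary line per step.
demo() {
  echo "no issuer available: $(verify_error)"
  verify_with_ca_file "$WORK/ca.crt" && echo "ssl_ca_file: ok"
  verify_with_ca_path "$CADIR" || echo "ssl_ca_path before rehash: fails"
  rehash_dir "$CADIR"
  verify_with_ca_path "$CADIR" && echo "ssl_ca_path after rehash: ok"
}
```

Run `demo` after sourcing the script to see each step; the CA-directory check failing before the rehash and passing after it is the point of the manpage note above.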