Setting SSL certificate authority?

Setting SSL certificate authority?

[Dave Abrahams]

Hi,

I've been connecting to my IMAP server with SSL, but the other day a 
certificate expired and I had to turn SSL off.  My sysadmin has volunteered to 
set up a local certificate authority so we can avoid buying new certificates.  
That'd be secure enough for me if I knew how to tell Gnus to use that 
authority.  Can anyone help?

Thanks in advance,
Dave

--
Dave Abrahams
Boost Consulting
http://www.boost-consulting.com

Re: Setting SSL certificate authority?

[Andrew A. Raines]

Dave Abrahams <dave@boost-consulting.com> writes:

> I've been connecting to my IMAP server with SSL, but the other day
> a certificate expired and I had to turn SSL off.  My sysadmin has
> volunteered to set up a local certificate authority so we can avoid
> buying new certificates.  That'd be secure enough for me if I knew
> how to tell Gnus to use that authority.  Can anyone help?

The Emacs minibuffer tells me `nnimap-stream ssl' is using openssl
s_client under the covers.  Can't you just add the CA cert to
/etc/ssl/certs or /usr/local/ssl/certs or whatever makes sense for
your OpenSSL installation?

-- 
    aaraines@pobox.com (Andrew A. Raines)

Re: Setting SSL certificate authority?

[Simon Josefsson]

Dave Abrahams <dave@boost-consulting.com> writes:

> Hi,
>
> I've been connecting to my IMAP server with SSL, but the other day a 
> certificate expired and I had to turn SSL off.  My sysadmin has volunteered to 
> set up a local certificate authority so we can avoid buying new certificates.  
> That'd be secure enough for me if I knew how to tell Gnus to use that 
> authority.  Can anyone help?

Do you use OpenSSL, starttls or GnuTLS?

GnuTLS is the recommend solution, if you use it: customize
`tls-program' and add a --x509cafile parameter pointing at the CA
file.

IIRC, OpenSSL and starttls doesn't quit on verification failures.
What went wrong when the certificate expired?