search for: ssl_ctx_load_verify_locations

...i_fatal_status(FATAL_OUTOFMEM, "X509_NAME_dup() failed"); - sk_X509_NAME_push(*xnames_r, xname); - } - } - if(itmp->crl) - X509_STORE_add_crl(store, itmp->crl); + struct stat statbuf; + int ret = 0; + stat(ca, &statbuf); + + if (S_ISDIR(statbuf.st_mode)) { + ret = SSL_CTX_load_verify_locations(ssl_ctx, NULL, ca); + } else { + ret = SSL_CTX_load_verify_locations(ssl_ctx, ca, NULL); + } + if (!ret) { + i_fatal("SSL_CTX_load_verify_locations() failed: %s", ssl_last_error()); } - sk_X509_INFO_pop_free(inf, X509_INFO_free); } -static STACK_OF(X509_NAME) * -ssl_proxy_ctx_init(...

...libssl_iostream_openssl.so ERR_peek_error ../lib-ssl-iostream/.libs/libssl_iostream_openssl.so DH_free ../lib-ssl-iostream/.libs/libssl_iostream_openssl.so X509_NAME_ENTRY_get_data ../lib-ssl-iostream/.libs/libssl_iostream_openssl.so d2i_DHparams ../lib-ssl-iostream/.libs/libssl_iostream_openssl.so SSL_CTX_load_verify_locations ../lib-ssl-iostream/.libs/libssl_iostream_openssl.so SSL_set_bio ../lib-ssl-iostream/.libs/libssl_iostream_openssl.so SSL_CTX_set_tmp_dh_callback ../lib-ssl-iostream/.libs/libssl_iostream_openssl.so i2d_DHparams ../lib-ssl-iostream/.libs/libssl_iostream_openssl.so X509_NAME_get_index_by_NID ../lib-...

...list' /usr/lib/mysql/libmysqlclient.a(viosslfactories.o)(.text+0x326): In function `new_VioSSLConnectorFd': : undefined reference to `SSL_CTX_set_verify' /usr/lib/mysql/libmysqlclient.a(viosslfactories.o)(.text+0x350): In function `new_VioSSLConnectorFd': : undefined reference to `SSL_CTX_load_verify_locations' /usr/lib/mysql/libmysqlclient.a(viosslfactories.o)(.text+0x379): In function `new_VioSSLConnectorFd': : undefined reference to `SSL_CTX_ctrl' /usr/lib/mysql/libmysqlclient.a(viosslfactories.o)(.text+0x381): In function `new_VioSSLConnectorFd': : undefined reference to `DH_free...

...> client's certs and it turned out that OpenVPN had silently stopped > honoring the CRLs somewhere along the update path (dovecot still > enforces them). I had to QuickFix the OpenVPN config from the above > monolithic file over to a CApath > > https://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html#notes > > to successfully lock the disgraced client out. > > Regards, > J. Bern OpenVPN has --crl-verify that takes a file as well as a directory. I guess what you're saying is that accepts, but silently ignores the CRLs if put in the cert file. It would be nicest i...

Why not /etc/dovecot/private? That's where I put my dovecot certs. Dovecot's needs are a bit different from other software, and so it is unclear whether the files won't be unique to it. For example, I haven't seen the following before I read it on the Dovecot wiki: "The CA file should contain the certificate(s) followed by the matching CRL(s). Note that the CRLs are required

The result is the same with or without "<" before the file path. With "<" the inode atime is updated at Dovecot startup, so the file is at least opened, but Dovecot still can't verify the cert. The only place in the Wiki that shows an example of ssl_client_ca_file is on this page, and there's no "<" in front of the file path:

...39; /usr/local/lib/dovecot/libdovecot-storage.so: undefined reference to `SSL_get_error at OPENSSL_1.0.0' /usr/local/lib/dovecot/libdovecot-storage.so: undefined reference to `SSL_get_peer_certificate at OPENSSL_1.0.0' /usr/local/lib/dovecot/libdovecot-storage.so: undefined reference to `SSL_CTX_load_verify_locations at OPENSSL_1.0.0' /usr/local/lib/dovecot/libdovecot-storage.so: undefined reference to `SSL_CTX_use_PrivateKey at OPENSSL_1.0.0' /usr/local/lib/dovecot/libdovecot-storage.so: undefined reference to `DH_free at OPENSSL_1.0.0' /usr/local/lib/dovecot/libdovecot-storage.so: undefined refe...

...X_use_certificate_chain_file(sslContext, certfile)){ err = ERR_get_error(); fprintf(stderr, "SSL: error reading certificate from file %s: %s\n", certfile, ERR_error_string(err, NULL)); @@ -146,9 +154,11 @@ cacertFile = NULL; if(!SSL_CTX_load_verify_locations(sslContext, cacertFile, cacertDir)){ err = ERR_get_error(); - fprintf(stderr, "SSL: Error error setting CA cert locations: %s\n", - ERR_error_string(err, NULL)); - fprintf(stderr, "trying default locations.\n"); + if (cacertFile || cacertDir...