author Thomas Roessler <roessler@does-not-exist.org> 2000-05-28 20:28:52 +0000
committer Thomas Roessler <roessler@does-not-exist.org> 2000-05-28 20:28:52 +0000
commit bf0abf24a798c83afd0fed227f8cb418ad6a1a7e
tree 04bced8c732a84709b585acf2365eb10a827862a /README.SSL
parent 00da1d77e512dfe85e53db56115c06c7ce83a38d
SSL certificate verification fixes from Tommi Komulainen.
Diffstat (limited to 'README.SSL')
-rw-r--r-- README.SSL 29
1 files changed, 23 insertions, 6 deletions
diff --git a/README.SSL b/README.SSL
index 1cdceab4..95a11a8a 100644
--- a/README.SSL
+++ b/README.SSL
@@ -41,16 +41,33 @@ $EGDSOCKET (if this environment variable is set), ~/.entropy and
described above.
+Certificates
+------------
Each time a server is contacted, its certificate is checked against
known valid certificates. When an unknown certificate is encountered,
you are asked to verify it. If you reject the certificate, the
connection will be terminated immediately. If you accept the
-certificate, the connection will be established. If you accept the
-certificate, you can also save it so that further connections to the
-server are automatically accepted. Certificates will be saved in the
-file specified by $certificate_file variable. It is empty as default,
-so if you don't want to verify certificates each time you connect to a
-server, you have set this variable to some reasonable value.
+certificate, the connection will be established. Accepted certificates
+can also be saved so that further connections to the server are
+automatically accepted.
+
+If your organization has several equivalent IMAP-servers, each of them
+should have a unique certificate which is signed with a common
+certificate. If you want to use all of those servers, you don't need to
+save each server certificate on the first connect. Instead, you can get
+the signer certificate and save it instead. That way, mutt will
+automatically accept all certificates signed with the saved certificate.
+
+System-wide certificates are by default considered trusted when checking
+certificates by signer. This allows system administrators to setup
+trusted certificates for all users. How to install certificates
+system-wide, depends on the OpenSSL installation. Use of system-wide
+certificates can be disabled by unsetting $ssl_usesystemcerts variable.
+
+Certificates will be saved in the file specified by $certificate_file
+variable. It is empty as default, so if you don't want to verify
+certificates each time you connect to a server, you have set this
+variable to some reasonable value.
For example:
set certificate_file=~/.mutt/certificates
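
Review bot: The added paragraph on equivalent IMAP servers tells the user "you can get the signer certificate and save it instead" without saying where that certificate should come from or how to check it before saving, even though the next sentence states that mutt will then automatically accept all certificates signed with it. Since one saved signer certificate replaces the per-server prompt for every server it has signed, I would add a sentence telling users to obtain it from a source they trust and verify it before saving, and say whether it is stored in $certificate_file like a server certificate. The same applies to the system-wide paragraph: it states that system-wide certificates are trusted by default, so it is worth saying that users who do not want to rely on the administrator's set should unset $ssl_usesystemcerts. Wording nits in the added lines: "you have set this variable" is missing "to" ("you have to set this variable"), "setup" used as a verb should be "set up", and the comma in "system-wide, depends" should be dropped.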