On Mon, Jul 28, 2008 at 11:55:28AM -0700, Quanah Gibson-Mount wrote:
--On Monday, July 28, 2008 11:30 AM -0700 John Oliver joliver@john-oliver.net wrote:
On Mon, Jul 28, 2008 at 09:20:23AM +0200, Buchan Milne wrote:
Or, ensure that the "CA certificate" that the clients use contains the certificates of the issuer of both of the server certificates, and that the value of the subject CN on both certificates matches the name you use to connect to the servers.
I've tried:
openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout server.pem -days 3650
This generates a self-signed cert without a CA. That's part of the root of your problem. By your own email, you have no concept of how SSL signing and authority works. Yet you reject the advice that's been given out of hand. Go back to the link I sent you, and set up your certs correctly, with a valid self-generated CA, or do as others have suggested, stop using SSL until you understand how it works.
I'm sorry, I'll try to be clearer. You're absolutely right in that I don't understand the intricacies of SSL. I fully understand that's a big part of the problem. But the issue in front of me is that I have a current setup that works. I'm trying to get that same functionality out of a second server. You seem to be saying that self-signed certificates just will not work, but that clearly isn't the case... the currently working system uses a self-signed cert, and works perfectly. I understand that's far from ideal. But authentication *works*. At some point, when I have time, I'd love to learn enough about this to create a working CA, and generate certificates with it, and do everything "right". But if I try to do this "right", right now, I'm far more likely to wind up with no working authentication at all.
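The setup Buchan and Quanah describe above, as an added example that is not part of the thread and not anyone's posted commands: one self-generated CA, two server certificates signed by it with subject CN equal to the connect name, and a third certificate made the standalone self-signed way (as in the quoted openssl command) for contrast. The hostnames, the working directory and the validity periods are assumptions for illustration; the script also adds a DNS subjectAltName, which goes beyond the thread's advice but is what current clients check in preference to CN. Both checks the advice calls for are in named functions: whether a cert chains to the CA bundle, and what its subject CN is.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal private CA that issues
# certificates for two LDAP servers, plus the checks the advice above calls
# for. The hostnames and the $WORK directory are assumptions for illustration.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Create the self-signed CA certificate and key that clients will trust.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example LDAP CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Issue a CA-signed certificate for one server. The subject CN (and a DNS
# subjectAltName) is set to the name clients use to connect. $1 = hostname
issue_server_cert() {
    host="$1"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$WORK/$host.key" -out "$WORK/$host.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$host" >"$WORK/$host.ext"
    openssl x509 -req -days 825 -in "$WORK/$host.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/$host.ext" -out "$WORK/$host.pem" 2>/dev/null
}

# A standalone self-signed server certificate, made the way the quoted
# openssl command does it, for contrast: no CA issued it. $1 = hostname
make_standalone_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Check 1: does the certificate chain to the CA bundle clients are given?
# Exit status 0 if it does, nonzero otherwise. $1 = hostname
verify_against_ca() {
    openssl verify -CAfile "$WORK/ca.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

# Check 2: print the subject CN, which must equal the connect name. $1 = hostname
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$WORK/$1.pem" |
        sed 's/^subject=//; s/.*CN=\([^,]*\).*/\1/'
}

# Walk-through: one CA, two CA-signed servers, one stray self-signed cert.
make_ca
issue_server_cert ldap1.example.com
issue_server_cert ldap2.example.com
make_standalone_selfsigned ldap3.example.com
for h in ldap1.example.com ldap2.example.com ldap3.example.com; do
    if verify_against_ca "$h"; then
        echo "$h: CN=$(cert_cn "$h"), chains to ca.pem"
    else
        echo "$h: CN=$(cert_cn "$h"), does NOT chain to ca.pem"
    fi
done
```

Give clients `ca.pem` as their CA bundle (for OpenLDAP clients, `TLS_CACERT` in ldap.conf) and point each server at its own `.key` and `.pem`. The ldap3 certificate has the right CN but fails `openssl verify`, which is exactly the situation a second standalone self-signed server lands in: the name matches, but nothing the client trusts issued it.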