From ca34b1e05a7846f32880961dc34f2dcd2cf2be28 Mon Sep 17 00:00:00 2001
From: Matthias Andree <matthias.andree@gmx.de>
Date: Mon, 12 Apr 2010 19:24:28 +0200
Subject: Add R14 on c_rehash /certs/ after upgrade to OpenSSL 1.0.0.

---
 fetchmail-FAQ.html | 29 ++++++++++++++++++++++++++++-
 1 file changed, 28 insertions(+), 1 deletion(-)

(limited to 'fetchmail-FAQ.html')

diff --git a/fetchmail-FAQ.html b/fetchmail-FAQ.html
index 9cc325f6..586b334e 100644
--- a/fetchmail-FAQ.html
+++ b/fetchmail-FAQ.html
@@ -186,7 +186,8 @@ messages but before deleting them</a><br/>
 <a href="#R11">R11. My server is hanging or emitting errors on CAPA.</a><br/>
 <a href="#R12">R12. Fetchmail isn't working and reports getaddrinfo
     errors.</a><br />
-<a href="#R13">R13. What does "Interrupted system call" mean?</a>
+<a href="#R13">R13. What does "Interrupted system call" mean?</a><br />
+<a href="#R14">R14. Since upgrading fetchmail/OpenSSL, I can no longer connect!</a><br />
 
 <h2 id="C_H">Hangs and lockups</h2>
 
@@ -2474,6 +2475,32 @@ declaration <tt>auth password</tt> in your .fetchmailrc.</p>
 interrupt long-running functions and will then be reported as
 "Interrupted system call". These can sometimes be timeouts.</p>
 
+<h2><a id="R14" name="R14">R14. Since upgrading fetchmail/OpenSSL, I can no longer connect!</a></h2>
+
+<p>If the upgrade you did encompassed an upgrade to OpenSSL 1.0.0 or newer, you
+may need to run <code>c_rehash</code> on your certificate directories,
+particularly if you are using local certs directories (f. i. through fetchmail's <code>--sslcertpath</code> option).</p>
+
+<p>Reason: OpenSSL 1.0.0, relative to earlier versions, uses a different hash
+for the symbolic links (symlinks) in its <code>certs/</code> directory, so you
+need to recreate the symlinks by running <kbd>c_rehash
+	/etc/ssl/certs</kbd> (adjust this to where your installation keeps its
+certificates), and you cannot easily share this certs directory with
+applications linked against older OpenSSL versions.</p>
+
+<p>Note: OpenSSL's <code>c_rehash</code> script is broken in several versions,
+which can cause malfunction if several OpenSSL tools versions are installed in
+parallel in separate directories. In such cases, you may need a workaround to
+get things going. Assuming your OpenSSL 1.0.0 is installed in
+<code>/opt/openssl1.0.0</code> and your certificates are in
+<code>/home/hans/certs</code>, you'd do this (the corresponding fetchmail
+option is <kbd>--sslcertpath /home/hans/certs</kbd> on the commandline and
+<kbd>sslcertpath /home/hans/cert</kbd> in the rcfile):</p>
+
+<pre>
+env PATH=/opt/openssl1.0.0/bin /opt/openssl1.0.0/bin/c_rehash /home/hans/certs
+</pre>
+
 <hr/>
 <h1>Hangs and lockups</h1>
 <h2><a id="H1" name="H1">H1. Fetchmail hangs when used with
-- 
cgit v1.2.3