OpenSSL

What is OpenSSL?

PacNeil says: First we must define SSL.

From the Internet Draft Specification:

*"The primary goal of the SSL Protocol is to provide privacy and reliability between two communicating applications. The protocol is composed of two layers. At the lowest level, layered on top of some reliable transport protocol (e.g., TCP), is the SSL Record Protocol. The SSL Record Protocol is used for encapsulation of various higher level protocols. One such encapsulated protocol, the SSL Handshake Protocol, allows the server and client to authenticate each other and to negotiate an encryption algorithm and cryptographic keys before the application protocol transmits or receives its first byte of data. One advantage of SSL is that it is application protocol independent. A higher level protocol can layer on top of the SSL Protocol transparently."*

From OpenSSL.org:

"The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. The project is managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop the OpenSSL toolkit and its related documentation."

"OpenSSL is based on the excellent SSLeay library developed by Eric A. Young and Tim J. Hudson. The OpenSSL toolkit is licensed under an Apache-style licence, which basically means that you are free to get and use it for commercial and non-commercial purposes subject to some simple license conditions."

What is PKCS#7?

RSA says: "Cryptographic Message Syntax Standard"

"This standard describes general syntax for data that may have cryptography applied to it, such as digital signatures and digital envelopes."

It seems that a PKCS#7 file carries only the certificate and its public key; it does not contain a private key.

What is PKCS#12?

RSA says: "Personal Information Exchange Syntax Standard"

"This standard specifies a portable format for storing or transporting a user's private keys, certificates, miscellaneous secrets, etc."

It seems that PKCS#12 is used for private storage of both the public and the private key. This allows you to take the certificate from the LRA (the Local Registration Authority that issued it) to your mail client in a mostly-secure fashion, as the keys are encrypted with a password within the PKCS#12 file.

Can I use PKCS#7 and/or PKCS#12 with mutt?

*There are reports that you can use OpenSSL with mutt once you convert the PKCS#-style certificates into something that OpenSSL understands.*
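
Added here as a worked example (not part of this wiki page, nor of mutt's or OpenSSL's own documentation) for the two points above: the openssl commands that move a key pair between PEM, PKCS#12 and PKCS#7, showing that only the PKCS#12 container carries the private key, protected by a passphrase, while the PKCS#7 bundle holds certificates alone. The subject name, file names and passphrase are constructed, and a working openssl binary is assumed.

```shell
#!/bin/sh
# Added example: round-trip a throwaway key pair through PKCS#12 and PKCS#7
# with the openssl CLI. Everything here (names, passphrase) is constructed.
set -eu

pkcs_roundtrip() {
    work=$(mktemp -d)
    pass='constructed-passphrase'   # constructed; PKCS#12 encrypts the key with it

    # 1. Throwaway self-signed key and certificate in PEM, the form OpenSSL and mutt read.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=example-user' \
        -keyout "$work/key.pem" -out "$work/cert.pem" >/dev/null 2>&1

    # 2. PKCS#12: private key + certificate, protected by the passphrase.
    openssl pkcs12 -export -inkey "$work/key.pem" -in "$work/cert.pem" \
        -passout "pass:$pass" -out "$work/bundle.p12" 2>/dev/null

    # 3. PKCS#7 (certs-only): the certificate alone, no private key at all.
    openssl crl2pkcs7 -nocrl -certfile "$work/cert.pem" -out "$work/bundle.p7b"

    # 4. Convert both containers back to PEM.
    openssl pkcs12 -in "$work/bundle.p12" -passin "pass:$pass" -nodes \
        -out "$work/from_p12.pem" 2>/dev/null
    openssl pkcs7 -in "$work/bundle.p7b" -print_certs -out "$work/from_p7.pem"

    # 5. Checks: the PKCS#12 output contains a private key, the PKCS#7 output
    #    does not, and the certificate survives both trips unchanged.
    grep -q 'BEGIN.*PRIVATE KEY' "$work/from_p12.pem" || return 1
    ! grep -q 'PRIVATE KEY' "$work/from_p7.pem" || return 1
    orig=$(openssl x509 -in "$work/cert.pem" -noout -fingerprint -sha256)
    p12=$(openssl x509 -in "$work/from_p12.pem" -noout -fingerprint -sha256)
    p7=$(openssl x509 -in "$work/from_p7.pem" -noout -fingerprint -sha256)
    rm -rf "$work"
    [ "$orig" = "$p12" ] && [ "$orig" = "$p7" ]
}
```

The PEM files produced in step 4 are what a mail client or OpenSSL-based tool consumes; the PKCS#12 passphrase is the only thing standing between a copied .p12 file and the private key, so it should be treated like the key itself.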

Can I use OpenSSL with mutt?

PacNeil says: Yes. I am using SSL, actually in this context it's known as TLS, to encrypt my IMAP connections to my server. Here (http://mutt.sourceforge.net/imap/) are instructions on setting up mutt to use TLS. Of course the server on the other end must be capable of doing TLS. There is a file (/usr/share/doc/mutt-1.4i/README.SSL on my system) that explains how.

*"If you want to have SSL support in mutt, you need to install OpenSSL libraries and headers before compiling. OpenSSL versions 0.9.3 through 0.9.6a have been tested."*

*"For SSL support to be enabled, you need to run the "configure" script with "--enable-imap --with-ssl" parameters. If the OpenSSL headers and libraries are not in the default system search paths (usually /usr/include and /usr/lib) you can use the optional argument to define the root directory of your installation. The libraries are then expected to be found in /lib and headers in /include/openssl."*

"Each time a server is contacted, its certificate is checked against known valid certificates. When an unknown certificate is encountered, you are asked to verify it. If you reject the certificate, the connection will be terminated immediately. If you accept the certificate, the connection will be established. Accepted certificates can also be saved so that further connections to the server are automatically accepted."

"Certificates will be saved in the file specified by the $certificate_file variable. It is empty by default, so if you don't want to verify certificates each time you connect to a server, you have to set this variable to some reasonable value."

"For example:"

        set certificate_file=~/.mutt/certificates

To use mutt with pops:

"If Mutt was compiled with SSL support (by running the configure script with the --with-ssl flag), connections to POP3 servers can be encrypted. This naturally requires that the server supports SSL encrypted connections. To access a folder with POP3/SSL, you should use the pops: prefix, i.e.:"

        pops://[username@]popserver[:port]/.
