Fernando Rodriguez <frodriguez.develo...@outlook.com> writes:

> On Friday, September 04, 2015 9:50:43 PM lee wrote:
>> Mick <michaelkintz...@gmail.com> writes:
>>
>> > On Friday 04 Sep 2015 08:54:19 Peter Weilbacher wrote:
>> >
>> >> Are you sure that diving right into about:config is the best way? In
>> >> SeaMonkey, take a look under Preferences -> Privacy & Security ->
>> >> Certificates. Under "Manage Certificates..." you can import your own
>> >> certificates which I think is the right way to proceed (although I
>> >> haven't tried that in a while). In the same dialog, you can also
>> >> manually add exceptions before you even go to the server.
>> >> Firefox and Thunderbird have similar dialogs.
>> >>
>> >> Peter.
>> >
>> > I agree with Peter, it is best you don't disable what is after all a
>> > security warning mechanism.
>> >
>> > In Firefox you are not able to add an exception if you use a Private
>> > window (Ctrl+Shift+P). Otherwise you should be able to. Alternatively,
>> > have you tried adding an exception to the server certificate manually
>> > as suggested by Peter?
>> >
>> > You can:
>> >
>> > Add your self-signed server certificate in your Server certificates
>> > seamonkey tab. Updating the seamonkey version ought to retain any
>> > certificates you have uploaded there. You can also set an exception in
>> > the Server's tab. If you do not have the server certificate already on
>> > your filesystem, you can obtain it with:
>> >
>> > openssl s_client -connect www.google.com:443 -showcerts
>> >
>> > (replace www.google.com with your server of course).
>> >
>> > Or, you can try adding it in the RootCA tab and edit its trust there.
>>
>> It doesn't work. I've imported the certificate now at home, and no
>> matter what trust I set or whatever I do, I cannot connect, and I cannot
>> add an exception.
>
> Did you try under both "My Certificates"

There's no tab labeled "My Certificates". There's "Your Certificates" (which would be "mine", I guess), described as ones from organizations that describe me (of which there are none but myself, if it comes to that). When I try to import the certificate I obtained with openssl as above on that tab, it says that the certificate cannot be installed because I "do not own the private key which was created when the certificate was requested" --- whatever that means.

> and "Authorities" tags (or whatever they're called on your version. For
> the Authorities/RootCA one you'll want to install your CA public cert
> that *should* allow all certificates that you issue to work.

I can import it there and it makes no difference. With the certificate installed under "Authorities", I'm still being asked to add an exception when I try to connect, and the buttons to add an exception are still disabled.

> Under "My Certificates" you want the site certificate.

I don't understand: What is a site certificate? I don't have any other than I can download with openssl as described above.

The usual procedure is to add an exception through the dialog that pops up for that purpose, and that's all there is to it. The problem is that it doesn't let me add an exception.

Generally, an organization which provides email services to me is hardly an organization that would manufacture a certificate that describes me specifically in order to provide the service. (I'm trying to connect to the IMAP server via SSL/TLS on port 993.)

In this case, I happen to have full physical access to the server and thus to the certificate stored on it. This is not the case for, let's say, an employee checking his work-email from home whom I might give the login-data on the phone and instruct to add an exception when the dialog to do so pops up when they are trying to connect.

When I connect to that same IMAP server with "mutt -f imaps://example.com", mutt asks me whether I want to reject the certificate or accept it once or always. So I say once or always and can log in. It's as simple as that, no site certificate or anything but my username and password are needed. What is the problem with seamonkey and its relatives?

> As for not being able to add exceptions, are you using the same version
> that is known to work for Dale?

He said he's using 2.33.1-r1. 'eix seamonkey' here shows

www-client/seamonkey
    Installed versions: 2.33.1-r1

so I'm using the same.

> I think this was a change that firefox tried to push and then reverted.

If it was, it was, to put it nicely, an extremely bad idea. Is there a more recent version of seamonkey that works again?

I can (have to) do with seamonkey 2.30 at work and mutt at home. This isn't a long-term solution because it forbids updating the web browser and email clients for everyone at work ever since.

Is this a bug of seamonkey? I could make a bug report in that case.

--
Again we must be afraid of speaking of daemons for fear that daemons
might swallow us. Finally, this fear has become reasonable.