Fernando Rodriguez <frodriguez.develo...@outlook.com> writes:

> On Friday, September 04, 2015 9:50:43 PM lee wrote:
>> Mick <michaelkintz...@gmail.com> writes:
>> 
>> > On Friday 04 Sep 2015 08:54:19 Peter Weilbacher wrote:
>> >
>> >> Are you sure that diving right into about:config is the best way? In
>> >> SeaMonkey, take a look under Preferences -> Privacy & Security ->
>> >> Certificates. Under "Manage Certificates..." you can import your own
>> >> certificates which I think is the right way to proceed (although I
>> >> haven't tried that in a while). In the same dialog, you can also
>> >> manually add exceptions before you even go to the server.
>> >> Firefox and Thunderbird have similar dialogs.
>> >> 
>> >>    Peter.
>> >
>> > I agree with Peter, it is best you don't disable what is after all a
>> > security warning mechanism.
>> >
>> > In Firefox you are not able to add an exception if you use a Private
>> > window (Ctrl+Shift+P).  Otherwise you should be able to.  Alternatively,
>> > have you tried adding an exception to the server certificate manually as
>> > suggested by Peter?
>> >
>> > You can:
>> >
>> > Add your self-signed server certificate in your Server certificates
>> > seamonkey tab.  Updating the seamonkey version ought to retain any
>> > certificates you have uploaded there.  You can also set an exception in
>> > the Server's tab.  If you do not have the server certificate already on
>> > your filesystem, you can obtain it with:
>> >
>> >  openssl s_client -connect www.google.com:443 -showcerts
>> >
>> > (replace www.google.com with your server of course).  
>> >
>> > Or, you can try adding it in the RootCA tab and edit its trust there.
>> 
>> It doesn't work.  I've imported the certificate now at home, and no
>> matter what trust I set or whatever I do, I cannot connect, and I cannot
>> add an exception.
>
> Did you try under both "My Certificates"

There's no tab labeled "My Certificates".  There's "Your Certificates"
(which would be "mine", I guess), described as ones from organizations
that describe me (of which there are none but myself, if it comes to
that).

When I try to import the certificate I obtained with openssl as above on
that tab, it says that the certificate cannot be installed because I "do
not own the private key which was created when the certificate was
requested" --- whatever that means.

> and "Authorities" tags (or whatever they're called on your version).  For
> the Authorities/RootCA one you'll want to install your CA public cert that
> *should* allow all certificates that you issue to work.

I can import it there and it makes no difference.  With the certificate
installed under "Authorities", I'm still being asked to add an exception
when I try to connect, and the buttons to add an exception are still
disabled.

> Under "My Certificates" you want the site certificate.

I don't understand: What is a site certificate?  I don't have any other
than I can download with openssl as described above.  The usual
procedure is to add an exception through the dialog that pops up for
that purpose, and that's all there is to it.  The problem is that it
doesn't let me add an exception.

Generally, an organization which provides email services to me is hardly
an organization that would manufacture a certificate that describes me
specifically in order to provide the service.  (I'm trying to connect to
the IMAP server via SSL/TLS on port 993.)

In this case, I happen to have full physical access to the server and
thus to the certificate stored on it.  This is not the case for, let's
say, an employee checking his work-email from home whom I might give the
login-data on the phone and instruct to add an exception when the dialog
to do so pops up when they are trying to connect.

When I connect to that same IMAP server with "mutt -f
imaps://example.com", mutt asks me whether I want to reject the
certificate or accept it once or always.  So I say once or always and
can log in.  It's as simple as that, no site certificate or anything but
my username and password are needed.

What is the problem with seamonkey and its relatives?

> As for not being able to add exceptions, are you using the same version that 
> is known to work for Dale?

He said he's using 2.33.1-r1.  'eix seamonkey' here shows

www-client/seamonkey
Installed versions:  2.33.1-r1

so I'm using the same.

> I think this was a change that firefox tried to push and then reverted.

If it was, it was, to put it nicely, an extremely bad idea.  Is there a
more recent version of seamonkey that works again?

I can (have to) do with seamonkey 2.30 at work and mutt at home.  This
isn't a long-term solution because it forbids updating the web browser
and email clients for everyone at work ever since.

Is this a bug of seamonkey?  I could make a bug report in that case.


-- 
Again we must be afraid of speaking of daemons for fear that daemons
might swallow us.  Finally, this fear has become reasonable.
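
One way to confirm that the certificate fetched with `openssl s_client -showcerts` is the same one stored on the server before trusting it or adding an exception for it, given as an added example that is not part of the original message. The function names, file paths and sample data are assumptions constructed for illustration.

```sh
#!/bin/sh
# Live use (example.com is a placeholder; port 993 as in the message):
#   openssl s_client -connect example.com:993 -showcerts </dev/null 2>/dev/null \
#     | leaf_pem > presented.pem
#   same_cert presented.pem /path/to/copy-from-server.pem && echo match

# Print the first PEM certificate on stdin. With -showcerts the server's own
# certificate comes first; any chain certificates follow it.
leaf_pem() {
  awk '/-----BEGIN CERTIFICATE-----/ { on = 1 }
       on { print }
       /-----END CERTIFICATE-----/ { if (on) exit }'
}

# SHA-256 over the decoded (DER) bytes of the first certificate in a PEM file,
# i.e. the SHA-256 fingerprint a certificate viewer shows, without the colons.
pem_sha256() {
  leaf_pem < "$1" | grep -v -- '-----' | tr -d ' \r\n' | base64 -d \
    | sha256sum | cut -d' ' -f1
}

# Succeeds only if both files hold the same certificate.
same_cert() {
  [ "$(pem_sha256 "$1")" = "$(pem_sha256 "$2")" ]
}

# Constructed sample data: the PEM bodies are stand-in bytes, not real
# certificates; only the decoded bytes are hashed, so that is enough here.
make_pem() {
  printf '%s\n' '-----BEGIN CERTIFICATE-----' \
    "$(printf '%s' "$1" | base64)" '-----END CERTIFICATE-----'
}

demo() {
  d=$(mktemp -d)
  make_pem 'constructed leaf' > "$d/copy.pem"      # copy taken from the server
  make_pem 'constructed ca'   > "$d/other.pem"     # some other certificate
  { echo 'CONNECTED(00000003)'                     # imitates s_client output
    make_pem 'constructed leaf'
    make_pem 'constructed ca'; } | leaf_pem > "$d/presented.pem"
  same_cert "$d/presented.pem" "$d/copy.pem"  && echo 'presented == copy'
  same_cert "$d/presented.pem" "$d/other.pem" || echo 'presented != other'
  rm -rf "$d"
}
demo
```

The hex string from `pem_sha256` can also be read out over the phone, so that someone accepting the certificate remotely can compare it with the fingerprint their client displays.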
