On Saturday, September 05, 2015 1:05:06 AM lee wrote:
> Fernando Rodriguez <frodriguez.develo...@outlook.com> writes:
>
> > On Friday, September 04, 2015 9:50:43 PM lee wrote:
> >> Mick <michaelkintz...@gmail.com> writes:
> >>
> >> > On Friday 04 Sep 2015 08:54:19 Peter Weilbacher wrote:
> >> >
> >> >> Are you sure that diving right into about:config is the best way? In
> >> >> SeaMonkey, take a look under Preferences -> Privacy & Security ->
> >> >> Certificates. Under "Manage Certificates..." you can import your own
> >> >> certificates which I think is the right way to proceed (although I
> >> >> haven't tried that in a while). In the same dialog, you can also
> >> >> manually add exceptions before you even go to the server.
> >> >> Firefox and Thunderbird have similar dialogs.
> >> >>
> >> >> Peter.
> >> >
> >> > I agree with Peter, it is best you don't disable what is after all a
> >> > security warning mechanism.
> >> >
> >> > In Firefox you are not able to add an exception if you use a Private
> >> > window (Ctrl+Shift+P). Otherwise you should be able to. Alternatively,
> >> > have you tried adding an exception to the server certificate manually
> >> > as suggested by Peter?
> >> >
> >> > You can:
> >> >
> >> > Add your self-signed server certificate in your Server certificates
> >> > seamonkey tab. Updating the seamonkey version ought to retain any
> >> > certificates you have uploaded there. You can also set an exception in
> >> > the Server's tab. If you do not have the server certificate already on
> >> > your filesystem, you can obtain it with:
> >> >
> >> > openssl s_client -connect www.google.com:443 -showcerts
> >> >
> >> > (replace www.google.com with your server of course).
> >> >
> >> > Or, you can try adding it in the RootCA tab and edit its trust there.
> >>
> >> It doesn't work. I've imported the certificate now at home, and no
> >> matter what trust I set or whatever I do, I cannot connect, and I cannot
> >> add an exception.
> >
> > Did you try under both "My Certificates"
>
> There's no tab labeled "My Certificates". There's "Your Certificates"
> (which would be "mine", I guess), described as ones from organizations
> that describe me (of which there are none but myself, if it comes to
> that).
>
> When I try to import the certificate I obtained with openssl as above on
> that tab, it says that the certificate cannot be installed because I "do
> not own the private key which was created when the certificate was
> requested" --- whatever that means.
>
> > and "Authorities" tags (or whatever they're called on your version).
> > For the Authorities/RootCA one you'll want to install your CA public
> > cert that *should* allow all certificates that you issue to work.
>
> I can import it there and it makes no difference. With the certificate
> installed under "Authorities", I'm still being asked to add an exception
> when I try to connect, and the buttons to add an exception are still
> disabled.
>
> > Under "My Certificates" you want the site certificate.
>
> I don't understand: What is a site certificate? I don't have any other
> than I can download with openssl as described above. The usual
> procedure is to add an exception through the dialog that pops up for
> that purpose, and that's all there is to it. The problem is that it
> doesn't let me add an exception.
>
> Generally, an organization which provides email services to me is hardly
> an organization that would manufacture a certificate that describes me
> specifically in order to provide the service. (I'm trying to connect to
> the IMAP server via SSL/TLS on port 993.)
>
> In this case, I happen to have full physical access to the server and
> thus to the certificate stored on it. This is not the case for, let's
> say, an employee checking his work-email from home whom I might give the
> login-data on the phone and instruct to add an exception when the dialog
> to do so pops up when they are trying to connect.
>
> When I connect to that same IMAP server with "mutt -f
> imaps://example.com", mutt asks me whether I want to reject the
> certificate or accept it once or always. So I say once or always and
> can log in. It's as simple as that, no site certificate or anything but
> my username and password are needed.
>
> What is the problem with seamonkey and its relatives?
>
> > As for not being able to add exceptions, are you using the same version
> > that is known to work for Dale?
>
> He said he's using 2.33.1-r1. 'eix seamonkey' here shows
>
> www-client/seamonkey
> Installed versions: 2.33.1-r1
>
> so I'm using the same.
>
> > I think this was a change that firefox tried to push and then reverted.
>
> If it was, it was, to put it nicely, an extremely bad idea. Is there a
> more recent version of seamonkey that works again?
>
> I can (have to) do with seamonkey 2.30 at work and mutt at home. This
> isn't a long-term solution because it forbids updating the web browser
> and email clients for everyone at work ever since.
>
> Is this a bug of seamonkey? I could make a bug report in that case.

It is the servers tab, sorry. But I just tried and it still requires an
exception. Adding the CA certificate and ticking all trust options does work
but it seems not all self-signed certs have one. If, when you run

    openssl s_client -connect host:443 -showcerts

it lists more than one cert, then you want to import the last under
authorities.

You can try backing up and deleting your profile directory; if it works with a
new one, either go through all the SSL about:config settings and compare them
or just start over with new settings and import bookmarks, etc.

If you both have the same version then it must not be a change or bug.

-- 
Fernando Rodriguez
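
The step described in the message above (picking the last certificate that `-showcerts` lists, and noticing when a self-signed certificate has no separate CA), as an added example that is not part of the original thread. The function names and the sample `s_client` output are constructed for illustration, and the PEM bodies are placeholders, not real certificates.

```shell
#!/bin/sh
# Real use (host is a placeholder, as in the message above):
#   openssl s_client -connect host:443 -showcerts </dev/null | last_cert > ca.pem

# Print the last PEM block found in `openssl s_client -showcerts` output.
last_cert() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { buf = ""; grab = 1 }
        grab                          { buf = buf $0 "\n" }
        /-----END CERTIFICATE-----/   { last = buf; grab = 0 }
        END { printf "%s", last }
    '
}

# Classify the "Certificate chain" section by comparing subject and issuer
# of the last entry: a lone cert with subject == issuer has no separate CA.
chain_kind() {
    awk '
        /^ *[0-9]+ s:/ { n++; sub(/^ *[0-9]+ s:/, ""); subj = $0 }
        /^ +i:/        { sub(/^ +i:/, ""); iss = $0 }
        END {
            if (n == 0)                      print "none"
            else if (n == 1 && subj == iss)  print "self-signed-leaf"
            else if (subj == iss)            print "chain-with-root"
            else                             print "chain-without-root"
        }
    '
}

# Constructed sample output: a server cert followed by its self-signed CA.
sample_chain() {
    cat <<'EOF'
Certificate chain
 0 s:/CN=mail.example.com
   i:/CN=Example Test CA
-----BEGIN CERTIFICATE-----
PLACEHOLDERLEAFBODY
-----END CERTIFICATE-----
 1 s:/CN=Example Test CA
   i:/CN=Example Test CA
-----BEGIN CERTIFICATE-----
PLACEHOLDERROOTBODY
-----END CERTIFICATE-----
---
EOF
}

sample_chain | chain_kind
```

A result of `self-signed-leaf` corresponds to the case where there is no CA certificate to import under Authorities.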