Fernando Rodriguez <frodriguez.develo...@outlook.com> writes: > On Saturday, September 05, 2015 1:05:06 AM lee wrote: >> In this case, I happen to have full physical access to the server and >> thus to the certificate stored on it. This is not the case for, let's >> say, an employee checking his work-email from home whom I might give the >> login-data on the phone and instruct to add an exception when the dialog >> to do so pops up when they are trying to connect. > > As a workaround you can create your own CA cert. I tested with a windows self- > signed cert (I guess the correct term is self-issued) and the openssl command > will show two certs. The second is the CA. > > http://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/
They're saying: "Whatever you see in the address field in your browser when you go to your device must be what you put under common name, even if it’s an IP address. [...] If it doesn’t match, even a properly signed certificate will not validate correctly and you’ll get the “cannot verify authenticity” error." What's the solution for a server which can be reached by different fqdns and IPs? What if the fqdns and IPs it can be reached by change over the lifetime of the certificates? How do I deploy some sort of central infrastructure all clients on the LAN and anywhere on the world will automatically use to do the simple thing of adding an exception (or whatever is required for that) so that seamonkey and relatives can be used to access email? That's letting aside that it's ridiculous to deploy such an infrastructure when the same thing could be achieved by the user clicking a button once to add an exception, as it used to be. Seriously? The result is currently a version freeze; the alternative is using unencrypted connections. After some time, the version freeze cannot be kept up. Since there are no alternative MUAs, we can only go back to unencrypted connections when that happens. And that's something I don't even want to do on the LAN. Well, I've made a bug report about this: https://bugzilla.mozilla.org/show_bug.cgi?id=1202128 -- Again we must be afraid of speaking of daemons for fear that daemons might swallow us. Finally, this fear has become reasonable.
