On Saturday 05 Sep 2015 22:40:09 Fernando Rodriguez wrote: > On Saturday, September 05, 2015 6:09:36 PM Mick wrote: > > On Saturday 05 Sep 2015 14:06:27 lee wrote: > > > Fernando Rodriguez <frodriguez.develo...@outlook.com> writes: > > > > On Saturday, September 05, 2015 1:05:06 AM lee wrote: > > > >> In this case, I happen to have full physical access to the server > > > >> and thus to the certificate stored on it. This is not the case > > > >> for, let's say, an employee checking his work-email from home whom > > > >> I might give > > the > > > > >> login-data on the phone and instruct to add an exception when the > > dialog > > > > >> to do so pops up when they are trying to connect. > > > > > > > > As a workaround you can create your own CA cert. I tested with a > > > > windows self- signed cert (I guess the correct term is self-issued) > > > > and the openssl command will show two certs. The second is the CA. > > > > > > > > http://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certi > > > > fica te-authority/ > > > > > > They're saying: > > > > > > > > > "Whatever you see in the address field in your browser when you go to > > > your device must be what you put under common name, even if it’s an IP > > > address. [...] If it doesn’t match, even a properly signed > > > certificate will not validate correctly and you’ll get the “cannot > > > verify > > > authenticity” error." > > > > > > > > > What's the solution for a server which can be reached by different > > > fqdns and IPs? What if the fqdns and IPs it can be reached by change > > > over the lifetime of the certificates? > > > > If we are talking about changing subdomains, e.g. > > mailserver1.mydomain.com > > and > > > mailserver2.mydomain.com then you could use a wildcard CN field > > descriptor in your certificate: *.mydomain.com > > > > If we are talking about a multidomain certificate, then you would have > > the main domain name in CN and add all the remaining domain names in the > > subjectAltName field. > > > > For example: > > > > [req] > > req_extensions = v3_req > > > > [ v3_req ] > > > > # Extensions to add to a certificate request > > [snip...] > > > > subjectAltName = @alt_names > > > > [alt_names] > > DNS.1 = mydomain.com > > DNS.2 = mydomain.net > > DNS.3 = www.mydomain.com > > DNS.4 = mx.sub.mydomain.com > > DNS.5 = mx.someotherdomain.com > > IP.1 = 123.456.78.9 > > IP.2 = 987.654.32.1 > > > > You could specify the same on the CLI when you are generating the self > > signed > > > certificate. > > > > > How do I deploy some sort of central infrastructure all clients on the > > > LAN and anywhere on the world will automatically use to do the simple > > > thing of adding an exception (or whatever is required for that) so that > > > seamonkey and relatives can be used to access email? > > > > > > That's letting aside that it's ridiculous to deploy such an > > > infrastructure when the same thing could be achieved by the user > > > clicking a button once to add an exception, as it used to be. > > > > This I think is primarily a problem of the latest version of SeaMonkey. > > I suspect they have inadvertently added a regression bug. > > > > > Seriously? The result is currently a version freeze; the alternative > > > is using unencrypted connections. After some time, the version freeze > > > cannot be kept up. Since there are no alternative MUAs, we can only > > > go back to unencrypted connections when that happens. And that's > > > something I don't even want to do on the LAN. > > > > > > > > > Well, I've made a bug report about this: > > > https://bugzilla.mozilla.org/show_bug.cgi?id=1202128 > > > > Also have a look at this bug, in case it is related: > > > > https://bugzilla.mozilla.org/show_bug.cgi?id=1036338 > > Wildcards should do it. The browser will give you a warning but you don't > care since all you want is encryption and your users already trust you. > > The only thing that matters about that article is that you'll be signing > your certificate with the CA ones so you get two certificates when you run > the openssl command, the last one is the CA certificate. If you, or your > users add trust to that one, anything you sign with it will be trusted. > > I only tried it with a windows server issued certificate which does all > that by default. > > Since it lets you open the exception dialog but just hangs when downloading > the certificate I wonder if it has something to do with your OCSP settings. > Check that they match mine: > > security.OCSP.GET.enabled false > security.OCSP.enabled 1 > security.OCSP.require false > > everything else is true.
Some reports mention a couple of workarounds which may solve this problem: 1. Remove your certificate from *any* tabs that may have been saved in. Check that it is no longer stored in any tab. Then try to reload it in the Authorities tab and see if it will allow you to set up an exception. 2. I think you mentioned that you tried a fresh profile, but just in case: Make a back up of your Mozilla Profile. Go to Help/Troubleshooting and select Refresh Firefox (or the equivalent for the SeaMonkey GUI). HTH. -- Regards, Mick
signature.asc
Description: This is a digitally signed message part.
