Mick <michaelkintz...@gmail.com> writes:

> On Saturday 05 Sep 2015 17:22:24 lee wrote:
>> Mick <michaelkintz...@gmail.com> writes:
>> > On Saturday 05 Sep 2015 02:08:47 Fernando Rodriguez wrote:
>> >> On Saturday, September 05, 2015 1:05:06 AM lee wrote:
>> >> > In this case, I happen to have full physical access to the server and
>> >> > thus to the certificate stored on it.  This is not the case for, let's
>> >> > say, an employee checking his work-email from home whom I might give
>> >> > the login-data on the phone and instruct to add an exception when the
>> >> > dialog to do so pops up when they are trying to connect.
>> >> 
>> >> As a workaround you can create your own CA cert. I tested with a windows
>> >> self- signed cert (I guess the correct term is self-issued) and the
>> >> openssl command will show two certs. The second is the CA.
>> >> 
>> >> http://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/
>> > 
>> > lee, on my FF I can import a self-signed certificate when I go to:
>> >  about:preferences#advanced
>> 
>> You mean to enter this as a URL, just like about:config?  When I do
>> that, I'm getting "The URL is not valid and cannot be loaded. The
>> provided address is not in a recognized format. Please check the
>> location bar for mistakes and try again.".
>> 
>> Maybe that only works with firefox?
>
> Yes, it seems to be the case that SeaMonkey has some GUI differences to 
> Firefox.  I am on Firefox-38.2.1 at present.

Does Firefox even have a MUA built in?  IIRC it's only the web browser
part of seamonkey.

>> > and then select the 'Servers' tab.  After I import it I can select it and
>> > click on the 'Add Exception' button at the bottom of the tab.  Enter the
>> > http address of the server and FF should go and fetch it afresh when you
>> > click on 'Get Certificate', then tick 'Permanently store this exception'
>> > and 'Confirm Security Exception'.  These buttons will be greyed out if I
>> > do not download the certificate or if I am running FF in Private
>> > Browsing mode.
>> 
>> I'm guessing you might be in the window that shows up when you edit
>> preferences and go to 'Privacy & Security --> Certificates --> Manage
>> Certificates ...' and then to the "Servers" tab.
>
> Yes, this is the location I am referring to.  However, if it is hanging and 
> not connecting to the server to fetch the certificate, something is not right. 
>
> This is the reason the exception button is greyed out.
>
> I can't recall if you tried this:
>
> Can you please remove it from Servers and try adding it to the Authorities 
> tab?  Your version may have additional verification checks for self-signed 
> certificates, because they are essentially acting as their own Root CAs.

Yes, I tried that.

>> From there, I can import the certificate I downloaded with openssl.
>> Once imported, I can click on "Add Exceptions".  That gives me the same
>> dialog which comes up when I'm trying to connect which doesn't allow me
>> to add an exception because the buttons to do so are disabled.  The
>> dialog remains stuck at "Checking Information" indefinitely.
>> 
>> I'm attaching a screenshot:
>
> The fact that it is hanging and not obtaining the certificate makes me wonder 
> if you need to specify a domain name in the CN field of the certificate, 
> identical to the full URI that the client is trying to connect to.

That brings us back to the impractical idea of trying to bind a
certificate to a specific fqdn or IP, or to a number of those.

Is it possible to create a certificate that doesn't use either but a
wildcard only?  I don't understand why or how an fqdn/IP in a
certificate could or should be relevant at all.

When creating the certificate, I have used the fqdn the host does
actually have and knows itself by (because I needed to fill in the
fields, and it seemed most reasonable to use the actual host name).

That this host can be reached at all, via different fqdns and IPs, is a
matter of network traffic (re-)direction and of how the DNS-entries
currently happen to be.  They are all transparent and irrelevant to the
user/client and subject to change.  Why should they matter for a
certificate which is supposed to let me figure out whether I'm
connecting to the host I'm expecting to connect to, or to something
else?

When a friend calls you on the phone, you do not insist that they are
not your friend and reject their call just because they're calling you
from a different phone number.  You do not reject their call and insist
that they are not your friend because the call has been (re-)directed
over a satellite or goes through an asterisk server.  You do not insist
that your friend is someone else when they show up at your door wearing
different clothes than they usually do.  Instead, you figure out that the
caller, or the person at your door, is your friend by the human
equivalent of a certificate.


-- 
Again we must be afraid of speaking of daemons for fear that daemons
might swallow us.  Finally, this fear has become reasonable.
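
Added example, not part of the thread above: the "bind the certificate to several fqdns or IPs" case and the "wildcard only" question can both be tried directly with OpenSSL. A single certificate can carry every name and address the host is reachable by in its subjectAltName extension, and `openssl verify -verify_hostname` / `-verify_ip` applies the same name-matching rules a client does. The hostnames and the address below are placeholders, and the script assumes openssl 1.1.1 or newer (for `-addext`, `-verify_hostname` and `-verify_ip`).

```shell
#!/bin/sh
# Added example, not from the thread: one self-signed certificate that is
# valid for several hostnames and an IP address at once, via the
# subjectAltName (SAN) extension, checked with OpenSSL's own hostname
# verification.  Assumes openssl 1.1.1 or newer (-addext, -verify_hostname,
# -verify_ip).  All names and addresses are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# make_cert NAME SAN: self-signed cert + key for NAME with the given SAN list.
make_cert() {
    name=$1
    san=$2
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$name" -addext "subjectAltName=$san" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.pem" >/dev/null 2>&1
}

# check_host NAME HOST: succeeds iff OpenSSL accepts the cert for hostname HOST.
# The cert is used as its own trust anchor here, so only the name check can fail.
check_host() {
    openssl verify -CAfile "$WORK/$1.pem" -verify_hostname "$2" "$WORK/$1.pem" >/dev/null 2>&1
}

# check_ip NAME IP: same, for a literal IP (matched against iPAddress entries only).
check_ip() {
    openssl verify -CAfile "$WORK/$1.pem" -verify_ip "$2" "$WORK/$1.pem" >/dev/null 2>&1
}

# One cert covering the host's own FQDN, an alias, a wildcard for sub-names,
# and the IP users may type instead of a name.
make_cert mail.example.com \
    "DNS:mail.example.com,DNS:webmail.example.com,DNS:*.mail.example.com,IP:192.0.2.10"

# A "wildcard only" cert: a bare DNS:* is not a valid wildcard (the wildcard
# must be the leftmost label with at least two labels after it), so it
# matches no hostname at all.
make_cert bare-star "DNS:*"

# report CHECK NAME TARGET: print whether CHECK accepts TARGET for cert NAME.
report() {
    if "$@"; then echo "accepted: $2 for $3"; else echo "rejected: $2 for $3"; fi
}

report check_host mail.example.com mail.example.com
report check_host mail.example.com webmail.example.com
report check_host mail.example.com imap.mail.example.com
report check_host mail.example.com www.example.com
report check_ip   mail.example.com 192.0.2.10
report check_ip   mail.example.com 192.0.2.11
report check_host bare-star        mail.example.com
```

The name the client typed (or the IP, if it typed one) is compared against the SAN entries; a name not listed, or an IP that is only present as a dNSName string, is rejected. Adding or removing aliases therefore means reissuing the certificate with an updated SAN list, which is why the list above is generated from the host's own FQDN rather than from whatever the DNS happens to say today.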
