On Sunday, September 06, 2015 4:29:25 PM lee wrote: > Mick <michaelkintz...@gmail.com> writes: > > > On Saturday 05 Sep 2015 17:22:24 lee wrote: > >> Mick <michaelkintz...@gmail.com> writes: > >> > On Saturday 05 Sep 2015 02:08:47 Fernando Rodriguez wrote: > >> >> On Saturday, September 05, 2015 1:05:06 AM lee wrote: > >> >> > In this case, I happen to have full physical access to the server and > >> >> > thus to the certificate stored on it. This is not the case for, let's > >> >> > say, an employee checking his work-email from home whom I might give > >> >> > the login-data on the phone and instruct to add an exception when the > >> >> > dialog to do so pops up when they are trying to connect. > >> >> > >> >> As a workaround you can create your own CA cert. I tested with a windows > >> >> self- signed cert (I guess the correct term is self-issued) and the > >> >> openssl command will show two certs. The second is the CA. > >> >> > >> >> http://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certific > >> >> ate -authority/ > >> > > >> > lee, on my FF I can import a self-signed certificate when I go to: > >> > about:preferences#advanced > >> > >> You mean to enter this as an URL, just like about:config? When I do > >> that, I'm getting "The URL is not valid and cannot be loaded. The > >> provided address is not in a recognized format. Please check the > >> location bar for mistakes and try again.". > >> > >> Maybe that only works with firefox? > > > > Yes, it seems to be the case that SeaMonkey has some GUI differences to > > Firefox. I am on Firefox-38.2.1 at present. > > Does Firefox even have a MUA built in? IIRC it's only the web browser > part of seamonkey. > > >> > and then select the 'Servers' tab. After I import it I can select it and > >> > click on the 'Add Exception' button at the bottom of the tab. Enter the > >> > http address of the server and FF should go and fetch it afresh when you > >> > click on 'Get Certificate', then tick 'Permanently store this exception' > >> > and 'Confirm Security Exception'. These buttons will be greyed out if > >> > do not download the certificate or if I am running FF in Private > >> > Browsing mode. > >> > >> I'm guessing you might be in the window that shows up when you edit > >> preferences and go to 'Privacy & Security --> Certificates --> Manage > >> Certificates ...' and then to the "Servers" tab. > > > > Yes, this is the location I am referring to. However, if it is hanging and > > not connecting to the server to fetch the certificate something is not right. > > This is the reason with the exception button it greyed out. > > > > I can't recall if you tried this: > > > > Can you please remove it from Servers and try adding it to the Authorities > > tab? Your version may have additional verification checks for self-signed > > certificates, because they essentially acting as their own Root CAs. > > Yes, I tried that. > > >> From there, I can import the certificate I downloaded with openssl. > >> Once imported, I can click on "Add Exceptions". That gives me the same > >> dialog which comes up when I'm trying to connect which doesn't allow me > >> to add an exception because the buttons to do so are disabled. The > >> dialog remains stuck at "Checking Information" indefinitely. > >> > >> I'm attaching a screenshot: > > > > The fact that it is hanging and not obtaining the certificate makes me wonder > > if you need to specify a domain name in the CN field of the certificate, > > identical to the full URI that the client is trying to connect to. > > That brings us back to the impractical idea of trying to bind a > certificate to a specific fqdn or IP, or to a number of those. > > Is it possible to create a certificate that doesn't use either but a > wildcard only? I don't understand why or how an fqdn/IP in a > certificate could or should be relevant at all. > > When creating the certificate, I have used the fqdn the host does > actually have and knows itself by (because I needed to fill in the > fields, and it seemed most reasonable to use the actual host name). > > That this host can be reached at all, via different fqdns and IPs, is a > matter of network traffic (re-)direction and of how the DNS-entries > currently happen to be. They are all transparent and irrelevant to the > user/client and subject to change. Why should they matter for a > certificate which is supposed to let me figure out whether I'm > connecting to the host I'm expecting to connect to, or to something > else? > > When a friend calls you on the phone, you do not insist that they are > not your friend and reject their call just because they're calling you > from a different phone number. You do not reject their call and insist > that they are not your friend because the call has been (re-)directed > over a satellite or goes through an asterisk server. You do not insist > that your friend is someone else when they show up at your door wearing > different cloths than they usually do. Instead, you figure out that the > caller, or the person at your door, is your friend by the human > equivalent of a certificate.
An SSL certificate provides both encryption and authentication. For the encryption part it's simple, you own the private key, the certificate has the public key, so only you can decrypt whatever is encrypted with it. Authentication is more complicated. It's easy if you think of if like a driver license. The hostname is like the photo, if I get pulled over and hand over a stolen license to the officer he'll know it's not me by looking at the photo. Your browser does the same with the hostname, if somebody steals your private key they will also have to steal your domain name to impersonate you. If somebody grabs a hold of your CA's private key is like stealing the DMV printer, now they can issue themselves a license with your name and their own picture. But if they hand it over to an officer he will call it in and find out it's fake, that's the equivalent of revocation lists and ocsp. Of course it only works because we trust the DMV (or the CA in this case) to be diligent in verifying you are who you say you are before issuing a license or certificate. So it all doesn't apply as much to self issued certificates but it still applies to some extent. -- Fernando Rodriguez
