| 1 |
Fernando Rodriguez <frodriguez.developer@×××××××.com> writes: |
| 2 |
|
| 3 |
> On Saturday, September 05, 2015 1:05:06 AM lee wrote: |
| 4 |
>> In this case, I happen to have full physical access to the server and |
| 5 |
>> thus to the certificate stored on it. This is not the case for, let's |
| 6 |
>> say, an employee checking his work-email from home whom I might give the |
| 7 |
>> login-data on the phone and instruct to add an exception when the dialog |
| 8 |
>> to do so pops up when they are trying to connect. |
| 9 |
> |
| 10 |
> As a workaround you can create your own CA cert. I tested with a windows self- |
| 11 |
> signed cert (I guess the correct term is self-issued) and the openssl command |
| 12 |
> will show two certs. The second is the CA. |
| 13 |
> |
| 14 |
> http://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/ |
| 15 |
|
| 16 |
They're saying: |
| 17 |
|
| 18 |
|
| 19 |
"Whatever you see in the address field in your browser when you go to |
| 20 |
your device must be what you put under common name, even if it’s an IP |
| 21 |
address. [...] If it doesn’t match, even a properly signed certificate |
| 22 |
will not validate correctly and you’ll get the “cannot verify |
| 23 |
authenticity” error." |
| 24 |
|
| 25 |
|
| 26 |
What's the solution for a server which can be reached by different fqdns |
| 27 |
and IPs? What if the fqdns and IPs it can be reached by change over the |
| 28 |
lifetime of the certificates? |
| 29 |
|
| 30 |
|
| 31 |
How do I deploy some sort of central infrastructure all clients on the |
| 32 |
LAN and anywhere on the world will automatically use to do the simple |
| 33 |
thing of adding an exception (or whatever is required for that) so that |
| 34 |
seamonkey and relatives can be used to access email? |
| 35 |
|
| 36 |
That's letting aside that it's ridiculous to deploy such an |
| 37 |
infrastructure when the same thing could be achieved by the user |
| 38 |
clicking a button once to add an exception, as it used to be. |
| 39 |
|
| 40 |
|
| 41 |
Seriously? The result is currently a version freeze; the alternative is |
| 42 |
using unencrypted connections. After some time, the version freeze |
| 43 |
cannot be kept up. Since there are no alternative MUAs, we can only go |
| 44 |
back to unencrypted connections when that happens. And that's something |
| 45 |
I don't even want to do on the LAN. |
| 46 |
|
| 47 |
|
| 48 |
Well, I've made a bug report about this: https://bugzilla.mozilla.org/show_bug.cgi?id=1202128 |
| 49 |
|
| 50 |
|
| 51 |
-- |
| 52 |
Again we must be afraid of speaking of daemons for fear that daemons |
| 53 |
might swallow us. Finally, this fear has become reasonable. |
Archives