On Saturday, September 05, 2015 1:05:06 AM lee wrote:
> Fernando Rodriguez <frodriguez.developer@×××××××.com> writes:
>
> > On Friday, September 04, 2015 9:50:43 PM lee wrote:
> >> Mick <michaelkintzios@×××××.com> writes:
> >>
> >> > On Friday 04 Sep 2015 08:54:19 Peter Weilbacher wrote:
> >> >
> >> >> Are you sure that diving right into about:config is the best way? In
> >> >> SeaMonkey, take a look under Preferences -> Privacy & Security ->
> >> >> Certificates. Under "Manage Certificates..." you can import your own
> >> >> certificates which I think is the right way to proceed (although I
> >> >> haven't tried that in a while). In the same dialog, you can also
> >> >> manually add exceptions before you even go to the server.
> >> >> Firefox and Thunderbird have similar dialogs.
> >> >>
> >> >> Peter.
> >> >
> >> > I agree with Peter, it is best you don't disable what is after all a
> >> > security warning mechanism.
> >> >
> >> > In Firefox you are not able to add an exception if you use a Private
> >> > window (Ctrl+Shift+P). Otherwise you should be able to. Alternatively,
> >> > have you tried adding an exception to the server certificate manually
> >> > as suggested by Peter?
> >> >
> >> > You can:
> >> >
> >> > Add your self-signed server certificate in your Server certificates
> >> > seamonkey tab. Updating the seamonkey version ought to retain any
> >> > certificates you have uploaded there. You can also set an exception in
> >> > the Server's tab. If you do not have the server certificate already on
> >> > your filesystem, you can obtain it with:
> >> >
> >> > openssl s_client -connect www.google.com:443 -showcerts
> >> >
> >> > (replace www.google.com with your server of course).
> >> >
> >> > Or, you can try adding it in the RootCA tab and edit its trust there.
> >>
> >> It doesn't work. I've imported the certificate now at home, and no
> >> matter what trust I set or whatever I do, I cannot connect, and I cannot
> >> add an exception.
> >
> > Did you try under both "My Certificates"
>
> There's no tab labeled "My Certificates". There's "Your Certificates"
> (which would be "mine", I guess), described as ones from organizations
> that describe me (of which there are none but myself, if it comes to
> that).
>
> When I try to import the certificate I obtained with openssl as above on
> that tab, it says that the certificate cannot be installed because I "do
> not own the private key which was created when the certificate was
> requested" --- whatever that means.
>
> > and "Authorities" tabs (or whatever they're called on your version).
> > For the Authorities/RootCA one you'll want to install your CA public
> > cert that *should* allow all certificates that you issue to work.
>
> I can import it there and it makes no difference. With the certificate
> installed under "Authorities", I'm still being asked to add an exception
> when I try to connect, and the buttons to add an exception are still
> disabled.
>
> > Under "My Certificates" you want the site certificate.
>
> I don't understand: What is a site certificate? I don't have any other
> than I can download with openssl as described above. The usual
> procedure is to add an exception through the dialog that pops up for
> that purpose, and that's all there is to it. The problem is that it
> doesn't let me add an exception.
>
> Generally, an organization which provides email services to me is hardly
> an organization that would manufacture a certificate that describes me
> specifically in order to provide the service. (I'm trying to connect to
> the IMAP server via SSL/TLS on port 993.)
>
> In this case, I happen to have full physical access to the server and
> thus to the certificate stored on it. This is not the case for, let's
> say, an employee checking his work-email from home whom I might give the
> login-data on the phone and instruct to add an exception when the dialog
> to do so pops up when they are trying to connect.
>
> When I connect to that same IMAP server with "mutt -f
> imaps://example.com", mutt asks me whether I want to reject the
> certificate or accept it once or always. So I say once or always and
> can log in. It's as simple as that, no site certificate or anything but
> my username and password are needed.
>
> What is the problem with seamonkey and its relatives?
>
> > As for not being able to add exceptions, are you using the same version
> > that is known to work for Dale?
>
> He said he's using 2.33.1-r1. 'eix seamonkey' here shows
>
> www-client/seamonkey
> Installed versions: 2.33.1-r1
>
> so I'm using the same.
>
> > I think this was a change that firefox tried to push and then reverted.
>
> If it was, it was, to put it nicely, an extremely bad idea. Is there a
> more recent version of seamonkey that works again?
>
> I can (have to) do with seamonkey 2.30 at work and mutt at home. This
> isn't a long-term solution because it forbids updating the web browser
> and email clients for everyone at work ever since.
>
> Is this a bug of seamonkey? I could make a bug report in that case.

It is the servers tab, sorry. But I just tried and it still requires an
exception.

Adding the CA certificate and ticking all trust options does work, but it seems
not all self-signed certs have one. If, when you run openssl s_client -connect
host:443 -showcerts, it lists more than one cert, then you want to import the
last one under authorities.

You can try backing up and deleting your profile directory; if it works with a
new one, either go through all the ssl about:config settings and compare them or
just start over with new settings and import bookmarks, etc. If you both have
the same version then it must not be a change or bug.

--
Fernando Rodriguez
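The chain-handling advice in Fernando's reply (run `openssl s_client -showcerts`, and when more than one certificate is listed, import the last one under Authorities) worked through as an added shell example; it is not part of the thread or of any SeaMonkey tooling. The `s_client` output it parses is a constructed sample for a hypothetical `imap.example.com`, and the base64 bodies are placeholders rather than real certificates; `fetch_chain` is the only part that touches the network and is not run here.

```shell
#!/bin/sh
# Added example (not from the thread): post-process the output of
#   openssl s_client -connect HOST:PORT -showcerts </dev/null
# to count the certificates the server sent, tell whether the leaf is
# self-signed, report the verify result, and save the last certificate of
# the chain (the CA, when the server sends one) as a PEM file for import
# under Preferences -> Privacy & Security -> Certificates -> Authorities.

# Constructed sample of s_client output for a hypothetical IMAPS server.
# The base64 bodies are placeholders, NOT real certificates.
SAMPLE_CHAIN='CONNECTED(00000003)
depth=1 CN = Example Mail CA
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:/CN=imap.example.com
   i:/CN=Example Mail CA
-----BEGIN CERTIFICATE-----
MIIBleafPLACEHOLDERleaf
-----END CERTIFICATE-----
 1 s:/CN=Example Mail CA
   i:/CN=Example Mail CA
-----BEGIN CERTIFICATE-----
MIIBcaPLACEHOLDERca
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=imap.example.com
issuer=/CN=Example Mail CA
---
    Verify return code: 19 (self signed certificate in certificate chain)
---'

# Live variant (needs network and the openssl binary). HOST:PORT is an
# assumption, e.g. imap.example.com:993 for IMAPS as discussed in the thread.
fetch_chain() {
    openssl s_client -connect "$1" -showcerts </dev/null 2>/dev/null
}

# Number of PEM certificate blocks in s_client output read on stdin.
count_certs() {
    awk '/^-----BEGIN CERTIFICATE-----/ { n++ } END { print n + 0 }'
}

# Print the N-th PEM block (1-based) from stdin. N omitted or 0 means the
# last block, which is the one to import under "Authorities" when the
# chain has more than one entry.
extract_cert() {
    awk -v want="${1:-0}" '
        /^-----BEGIN CERTIFICATE-----/ { n++; buf = ""; inblock = 1 }
        inblock { buf = buf $0 "\n" }
        /^-----END CERTIFICATE-----/ {
            inblock = 0
            if (n == want) { printf "%s", buf; exit }
            last = buf
        }
        END { if (want == 0) printf "%s", last }
    '
}

# "yes" when chain entry 0 (the leaf) has subject == issuer, i.e. it is
# self-signed and there is no separate CA certificate to trust; "no"
# otherwise. Only the two strings are compared, so both the old "/CN=x"
# and the newer "CN = x" layouts of s_client work.
leaf_is_self_signed() {
    awk '
        /^ *0 s:/ {
            sub(/^ *0 s:/, ""); subj = $0
            getline; sub(/^ *i:/, ""); iss = $0
            exit
        }
        END { if (subj != "" && subj == iss) print "yes"; else print "no" }
    '
}

# The verify result s_client reports for the chain, as one trimmed line.
verify_result() {
    awk '/Verify return code/ { sub(/^ */, ""); print; exit }'
}

# Write the last certificate of the chain on stdin to the file named in $1.
# Live use would be: fetch_chain imap.example.com:993 | save_ca_cert ca.pem
save_ca_cert() {
    extract_cert 0 > "$1"
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_CHAIN" | count_certs          # 2
printf '%s\n' "$SAMPLE_CHAIN" | leaf_is_self_signed  # no
printf '%s\n' "$SAMPLE_CHAIN" | verify_result
```

When `count_certs` reports 1 and `leaf_is_self_signed` says "yes", there is no CA certificate to put under Authorities at all; the only options are the per-server exception (or importing the single certificate in the Servers tab) exactly as the thread describes, which is why a CA-only import changes nothing in that case.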