| 1 |
On Saturday, September 05, 2015 1:05:06 AM lee wrote: |
| 2 |
> Fernando Rodriguez <frodriguez.developer@×××××××.com> writes: |
| 3 |
> |
| 4 |
> > On Friday, September 04, 2015 9:50:43 PM lee wrote: |
| 5 |
> >> Mick <michaelkintzios@×××××.com> writes: |
| 6 |
> >> |
| 7 |
> >> > On Friday 04 Sep 2015 08:54:19 Peter Weilbacher wrote: |
| 8 |
> >> > |
| 9 |
> >> >> Are you sure that diving right into about:config is the best way? In |
| 10 |
> >> >> SeaMonkey, take a look under Preferences -> Privacy & Security -> |
| 11 |
> >> >> Certificates. Under "Manage Certificates..." you can import your own |
| 12 |
> >> >> certificates which I think is the right way to proceed (although I |
| 13 |
> >> >> haven't tried that in a while). In the same dialog, you can also |
| 14 |
> >> >> manually add exceptions before you even go to the server. |
| 15 |
> >> >> Firefox and Thunderbird have similar dialogs. |
| 16 |
> >> >> |
| 17 |
> >> >> Peter. |
| 18 |
> >> > |
| 19 |
> >> > I agree with Peter, it is best you don't disable what is after all a |
| 20 |
> > security |
| 21 |
> >> > warning mechanism. |
| 22 |
> >> > |
| 23 |
> >> > In Firefox you are not able to add an exception if you use a Private |
| 24 |
> > window |
| 25 |
> >> > (Ctrl+Shift+P). Otherwise you should be able to. Alternatively, have |
| 26 |
you |
| 27 |
> >> > tried adding an exception to the server certificate manually as |
| 28 |
suggested |
| 29 |
> > by |
| 30 |
> >> > Peter? |
| 31 |
> >> > |
| 32 |
> >> > You can: |
| 33 |
> >> > |
| 34 |
> >> > Add your self-signed server certificate in your Server certificates |
| 35 |
> > seamonkey |
| 36 |
> >> > tab. Updating the seamonkey version ought to retain any certificates |
| 37 |
you |
| 38 |
> > have |
| 39 |
> >> > uploaded there. You can also set an exception in the Server's tab. If |
| 40 |
> > you do |
| 41 |
> >> > not have the server certificate already on your filesystem, you can |
| 42 |
obtain |
| 43 |
> > it |
| 44 |
> >> > with: |
| 45 |
> >> > |
| 46 |
> >> > openssl s_client -connect www.google.com:443 -showcerts |
| 47 |
> >> > |
| 48 |
> >> > (replace www.google.com with your server of course). |
| 49 |
> >> > |
| 50 |
> >> > Or, you can try adding it in the RootCA tab and edit its trust there. |
| 51 |
> >> |
| 52 |
> >> It doesn't work. I've imported the certificate now at home, and no |
| 53 |
> >> matter what trust I set or whatever I do, I cannot connect, and I cannot |
| 54 |
> >> add an exception. |
| 55 |
> > |
| 56 |
> > Did you tried under both "My Certificates" |
| 57 |
> |
| 58 |
> There's no tab labled "My Certifiactes". There's "Your Certificates" |
| 59 |
> (which would be "mine", I guess), described as ones from organizations |
| 60 |
> that describe me (of which there are none but myself, if it comes to |
| 61 |
> that). |
| 62 |
> |
| 63 |
> When I try to import the certificate I obtained with openssl as above on |
| 64 |
> that tab, it says that the certificate cannot be installed because I "do |
| 65 |
> not own the private key which was created when the certificate was |
| 66 |
> requested" --- whatever that means. |
| 67 |
> |
| 68 |
> > and "Authorities" tags (or whatever |
| 69 |
> > they're called on your version. For the Authorities/RootCA one you'll want |
| 70 |
to |
| 71 |
> > install your CA public cert that *should* allow all certificates that you |
| 72 |
issue |
| 73 |
> > to work. |
| 74 |
> |
| 75 |
> I can import it there and it makes no difference. With the certificate |
| 76 |
> installed under "Authorities", I'm still being asked to add an exception |
| 77 |
> when I try to connect, and the buttons to add an exception are still |
| 78 |
> disabled. |
| 79 |
> |
| 80 |
> > Under "My Certificates" you want the site certificate. |
| 81 |
> |
| 82 |
> I don't understand: What is a site certificate? I don't have any other |
| 83 |
> than I can download with openssl as described above. The usual |
| 84 |
> procedure is to add an exception through the dialog that pops up for |
| 85 |
> that purpose, and that's all there is to it. The problem is that it |
| 86 |
> doesn't let me add an exception. |
| 87 |
> |
| 88 |
> Generally, an organization which provides email services to me is hardly |
| 89 |
> an organization that would manufacture a certificate that describes me |
| 90 |
> specifically in order to provide the service. (I'm trying to connect to |
| 91 |
> the IMAP server via SSL/TLS on port 993.) |
| 92 |
> |
| 93 |
> In this case, I happen to have full physical access to the server and |
| 94 |
> thus to the certificate stored on it. This is not the case for, let's |
| 95 |
> say, an employee checking his work-email from home whom I might give the |
| 96 |
> login-data on the phone and instruct to add an exception when the dialog |
| 97 |
> to do so pops up when they are trying to connect. |
| 98 |
> |
| 99 |
> When I connect to that same IMAP server with "mutt -f |
| 100 |
> imaps://example.com', mutt asks me whether I want to reject the |
| 101 |
> certificate or accept it once or always. So I say once or always and |
| 102 |
> can log in. It's as simple as that, no site certificate or anything but |
| 103 |
> my username and password are needed. |
| 104 |
> |
| 105 |
> What is the problem with seamonkey and its relatives? |
| 106 |
> |
| 107 |
> > As for not being able to add exceptions, are you using the same version |
| 108 |
that |
| 109 |
> > is known to work for Dale? |
| 110 |
> |
| 111 |
> He said he's using 2.33.1-r1. 'eix seamonkey' here shows |
| 112 |
> |
| 113 |
> www-client/seamonkey |
| 114 |
> Installed versions: 2.33.1-r1 |
| 115 |
> |
| 116 |
> so I'm using the same. |
| 117 |
> |
| 118 |
> > I think this was a change that firefox tried to push and then reverted. |
| 119 |
> |
| 120 |
> If it was, it was, to put it nicely, an extremely bad idea. Is there a |
| 121 |
> more recent version of seamonkey that works again? |
| 122 |
> |
| 123 |
> I can (have to) do with seamonkey 2.30 at work and mutt at home. This |
| 124 |
> isn't a long-term solution because it forbids updating the web browser |
| 125 |
> and email clients for everyone at work ever since. |
| 126 |
> |
| 127 |
> Is this a bug of seamonkey? I could make a bug report in that case. |
| 128 |
|
| 129 |
It is the servers tab, sorry. But I just tried and it still requires an |
| 130 |
exception. |
| 131 |
|
| 132 |
Adding the CA certificate and ticking all trust options does work but it seems |
| 133 |
not all self-signed certs have one. If when you run openssl s_client -connect |
| 134 |
host:443 -showcerts it list more than one cert then you want to import the |
| 135 |
last under authorities. |
| 136 |
|
| 137 |
You can try backing up and deleting your profile directory, if it works with a |
| 138 |
new one either go through all the ssl about:config settings and compare them or |
| 139 |
just start over with new settings and import bookmarks, etc. If you both have |
| 140 |
the same version then it must not be a change or bug. |
| 141 |
|
| 142 |
-- |
| 143 |
Fernando Rodriguez |
Archives