On Saturday, September 05, 2015 6:09:36 PM Mick wrote:
> On Saturday 05 Sep 2015 14:06:27 lee wrote:
> > Fernando Rodriguez <frodriguez.developer@×××××××.com> writes:
> > > On Saturday, September 05, 2015 1:05:06 AM lee wrote:
> > >> In this case, I happen to have full physical access to the server and
> > >> thus to the certificate stored on it. This is not the case for, let's
> > >> say, an employee checking his work-email from home whom I might give
> > >> the login-data on the phone and instruct to add an exception when the
> > >> dialog to do so pops up when they are trying to connect.
> > >
> > > As a workaround you can create your own CA cert. I tested with a Windows
> > > self-signed cert (I guess the correct term is self-issued) and the
> > > openssl command will show two certs. The second is the CA.
> > >
> > > http://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/
> >
> > They're saying:
> >
> > "Whatever you see in the address field in your browser when you go to
> > your device must be what you put under common name, even if it’s an IP
> > address. [...] If it doesn’t match, even a properly signed certificate
> > will not validate correctly and you’ll get the “cannot verify
> > authenticity” error."
> >
> > What's the solution for a server which can be reached by different FQDNs
> > and IPs? What if the FQDNs and IPs it can be reached by change over the
> > lifetime of the certificates?
>
> If we are talking about changing subdomains, e.g. mailserver1.mydomain.com
> and mailserver2.mydomain.com, then you could use a wildcard CN field
> descriptor in your certificate: *.mydomain.com
>
> If we are talking about a multidomain certificate, then you would have the
> main domain name in CN and add all the remaining domain names in the
> subjectAltName field.
>
> For example:
>
> [req]
> req_extensions = v3_req
>
> [ v3_req ]
>
> # Extensions to add to a certificate request
> [snip...]
>
> subjectAltName = @alt_names
>
> [alt_names]
> DNS.1 = mydomain.com
> DNS.2 = mydomain.net
> DNS.3 = www.mydomain.com
> DNS.4 = mx.sub.mydomain.com
> DNS.5 = mx.someotherdomain.com
> IP.1 = 123.456.78.9
> IP.2 = 987.654.32.1
>
> You could specify the same on the CLI when you are generating the
> self-signed certificate.
>
>
> > How do I deploy some sort of central infrastructure all clients on the
> > LAN and anywhere in the world will automatically use to do the simple
> > thing of adding an exception (or whatever is required for that) so that
> > SeaMonkey and relatives can be used to access email?
> >
> > That's leaving aside that it's ridiculous to deploy such an
> > infrastructure when the same thing could be achieved by the user
> > clicking a button once to add an exception, as it used to be.
>
> This I think is primarily a problem of the latest version of SeaMonkey. I
> suspect they have inadvertently added a regression bug.
>
>
> > Seriously? The result is currently a version freeze; the alternative is
> > using unencrypted connections. After some time, the version freeze
> > cannot be kept up. Since there are no alternative MUAs, we can only go
> > back to unencrypted connections when that happens. And that's something
> > I don't even want to do on the LAN.
> >
> >
> > Well, I've made a bug report about this:
> > https://bugzilla.mozilla.org/show_bug.cgi?id=1202128
>
> Also have a look at this bug, in case it is related:
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=1036338

Wildcards should do it. The browser will give you a warning, but you don't
care since all you want is encryption and your users already trust you.

The only thing that matters about that article is that you'll be signing your
certificate with the CA ones, so you get two certificates when you run the
openssl command; the last one is the CA certificate. If you, or your users, add
trust to that one, anything you sign with it will be trusted.

I only tried it with a Windows Server-issued certificate, which does all that by
default.

Since it lets you open the exception dialog but just hangs when downloading
the certificate, I wonder if it has something to do with your OCSP settings.
Check that they match mine:

security.OCSP.GET.enabled false
security.OCSP.enabled 1
security.OCSP.require false

Everything else is true.


-- 
Fernando Rodriguez
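The private-CA setup from the article Fernando points at and the subjectAltName config Mick quotes, carried through end to end as an added example. This is not code from the thread or from either poster. It assumes an `openssl` binary of version 1.1.0 or newer on the path (for `-no-CAfile`/`-no-CApath`), placeholder names under example.com and example.net, the documentation addresses 192.0.2.10 and 198.51.100.10, and a scratch directory; none of these come from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: a private CA issuing a
# multi-name server certificate, followed by the checks a client that
# trusts the CA would make. Names, addresses and paths are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"          # scratch directory (assumption)

# 1. Self-signed root for the private CA. Users import ca.crt once; after
#    that anything it signs validates without an exception dialog.
make_ca() {
  cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = ca_ext
[ dn ]
CN = Example Private CA
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
    -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt"
}

# 2. Server CSR whose subjectAltName lists every name the server answers to.
#    Clients ignore CN once a SAN is present, so the bare domain and each IP
#    must be listed explicitly; a wildcard covers exactly one DNS label.
make_server_cert() {
  cat > "$WORK/server.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = v3_req
[ dn ]
CN = mail.example.com
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = @alt_names
[ alt_names ]
DNS.1 = mail.example.com
DNS.2 = example.com
DNS.3 = *.example.net
IP.1  = 192.0.2.10
IP.2  = 198.51.100.10
EOF
  openssl req -new -newkey rsa:2048 -nodes \
    -config "$WORK/server.cnf" -keyout "$WORK/server.key" -out "$WORK/server.csr"
  # Sign with the CA. Extensions are taken from our own config, not copied
  # from the CSR, so a requester cannot slip in CA:TRUE or an extra name.
  openssl x509 -req -days 365 -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/server.cnf" -extensions v3_req -out "$WORK/server.crt"
}

# 3. Checks a client would make. Each returns 0 (accept) or non-zero (reject).
check_host() {   # $1 = host name typed into the client
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" \
    "$WORK/server.crt" >/dev/null 2>&1
}
check_ip() {     # $1 = IP address typed into the client
  openssl verify -CAfile "$WORK/ca.crt" -verify_ip "$1" \
    "$WORK/server.crt" >/dev/null 2>&1
}
check_host_untrusted() {   # same name, but ca.crt is not in the trust store
  openssl verify -no-CAfile -no-CApath -verify_hostname "$1" \
    "$WORK/server.crt" >/dev/null 2>&1
}
show_san() {     # print the SAN the issued certificate actually carries
  openssl x509 -in "$WORK/server.crt" -noout -text |
    grep -A1 'Subject Alternative Name' | tail -n 1
}

make_ca
make_server_cert
show_san
for n in mail.example.com example.com www.example.net example.net \
         mx.sub.example.net; do
  if check_host "$n"; then echo "accept $n"; else echo "reject $n"; fi
done
for ip in 192.0.2.10 192.0.2.11; do
  if check_ip "$ip"; then echo "accept $ip"; else echo "reject $ip"; fi
done
check_host_untrusted mail.example.com || echo "reject mail.example.com (CA not trusted)"
```

Run it as `sh san-demo.sh`. The hostname loop shows what Mick's wildcard advice buys and where it stops: `www.example.net` is accepted, while `example.net` and `mx.sub.example.net` are rejected, because a wildcard matches exactly one label and never the bare domain, so names like those have to be listed as their own DNS entries (as Mick's `mx.sub.mydomain.com` is). The last check is the point of Fernando's "add trust to that one" remark: with `ca.crt` absent from the trust store the very same certificate fails for every name, so distributing the CA certificate to clients is what replaces the per-user exception dialog.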