Mick <michaelkintzios@×××××.com> writes:

> On Saturday 05 Sep 2015 17:22:24 lee wrote:
>> Mick <michaelkintzios@×××××.com> writes:
>> > On Saturday 05 Sep 2015 02:08:47 Fernando Rodriguez wrote:
>> >> On Saturday, September 05, 2015 1:05:06 AM lee wrote:
>> >> > In this case, I happen to have full physical access to the server and
>> >> > thus to the certificate stored on it. This is not the case for, let's
>> >> > say, an employee checking his work-email from home whom I might give
>> >> > the login-data on the phone and instruct to add an exception when the
>> >> > dialog to do so pops up when they are trying to connect.
>> >>
>> >> As a workaround you can create your own CA cert. I tested with a Windows
>> >> self-signed cert (I guess the correct term is self-issued) and the
>> >> openssl command will show two certs. The second is the CA.
>> >>
>> >> http://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/
>> > |
20 |
>> > lee, on my FF I can import a self-signed certificate when I go to: |
21 |
>> > about:preferences#advanced |
22 |
>> |
23 |
>> You mean to enter this as an URL, just like about:config? When I do |
24 |
>> that, I'm getting "The URL is not valid and cannot be loaded. The |
25 |
>> provided address is not in a recognized format. Please check the |
26 |
>> location bar for mistakes and try again.". |
27 |
>> |
28 |
>> Maybe that only works with firefox? |
29 |
> |
30 |
> Yes, it seems to be the case that SeaMonkey has some GUI differences to |
31 |
> Firefox. I am on Firefox-38.2.1 at present. |
32 |
|
33 |
Does Firefox even have a MUA built in? IIRC it's only the web browser |
34 |
part of seamonkey. |
35 |
|
>> > and then select the 'Servers' tab. After I import it I can select it and
>> > click on the 'Add Exception' button at the bottom of the tab. Enter the
>> > http address of the server and FF should go and fetch it afresh when you
>> > click on 'Get Certificate', then tick 'Permanently store this exception'
>> > and 'Confirm Security Exception'. These buttons will be greyed out if I
>> > do not download the certificate or if I am running FF in Private
>> > Browsing mode.
>>
>> I'm guessing you might be in the window that shows up when you edit
>> preferences and go to 'Privacy & Security --> Certificates --> Manage
>> Certificates ...' and then to the "Servers" tab.
>
> Yes, this is the location I am referring to. However, if it is hanging and
> not connecting to the server to fetch the certificate something is not right.
> This is the reason the exception button is greyed out.
>
> I can't recall if you tried this:
>
> Can you please remove it from Servers and try adding it to the Authorities
> tab? Your version may have additional verification checks for self-signed
> certificates, because they are essentially acting as their own Root CAs.

Yes, I tried that.

>> From there, I can import the certificate I downloaded with openssl.
>> Once imported, I can click on "Add Exceptions". That gives me the same
>> dialog which comes up when I'm trying to connect which doesn't allow me
>> to add an exception because the buttons to do so are disabled. The
>> dialog remains stuck at "Checking Information" indefinitely.
>>
>> I'm attaching a screenshot:
>
> The fact that it is hanging and not obtaining the certificate makes me wonder
> if you need to specify a domain name in the CN field of the certificate,
> identical to the full URI that the client is trying to connect to.

That brings us back to the impractical idea of trying to bind a
certificate to a specific fqdn or IP, or to a number of those.

Is it possible to create a certificate that doesn't use either but a
wildcard only? I don't understand why or how an fqdn/IP in a
certificate could or should be relevant at all.

When creating the certificate, I have used the fqdn the host does
actually have and knows itself by (because I needed to fill in the
fields, and it seemed most reasonable to use the actual host name).

That this host can be reached at all, via different fqdns and IPs, is a
matter of network traffic (re-)direction and of how the DNS-entries
currently happen to be. They are all transparent and irrelevant to the
user/client and subject to change. Why should they matter for a
certificate which is supposed to let me figure out whether I'm
connecting to the host I'm expecting to connect to, or to something
else?

When a friend calls you on the phone, you do not insist that they are
not your friend and reject their call just because they're calling you
from a different phone number. You do not reject their call and insist
that they are not your friend because the call has been (re-)directed
over a satellite or goes through an Asterisk server. You do not insist
that your friend is someone else when they show up at your door wearing
different clothes than they usually do. Instead, you figure out that the
caller, or the person at your door, is your friend by the human
equivalent of a certificate.


--
Again we must be afraid of speaking of daemons for fear that daemons
might swallow us. Finally, this fear has become reasonable.
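An added example, not part of the thread, of the name check lee is asking about: how a TLS client decides whether a certificate covers the host it connected to, in pure Python, plus the OpenSSL `subjectAltName` config line that lets one certificate carry several fqdns and IPs at once. The SAN list is constructed, and `dns_name_matches`, `cert_matches_host` and `openssl_san_line` are names chosen here, not any library's API.

```python
"""Certificate name matching as a TLS client does it (RFC 6125 / RFC 5280 rules).
Added example; the SAN list below is constructed, not taken from the thread."""
import ipaddress

# Constructed subjectAltName for a host reachable under several names and an IP.
SAN_EXAMPLE = [("DNS", "mail.example.org"), ("DNS", "*.example.org"),
               ("DNS", "example.org"), ("IP", "192.0.2.10")]


def dns_name_matches(pattern: str, host: str) -> bool:
    """Match one dNSName entry against a host; '*' covers exactly one leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # The wildcard must be the whole leftmost label, must leave at least two
    # fixed labels (no '*.org'), and never spans more than one host label.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(san, host: str, cn=None) -> bool:
    """True if the name the client connected to is covered by the certificate.

    IP literals only match iPAddress entries, never DNS names or wildcards.
    The CN is consulted only when the certificate has no dNSName at all,
    which is the fallback rule modern browsers apply.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        return any(k == "IP" and ipaddress.ip_address(v) == ip for k, v in san)
    dns_entries = [v for k, v in san if k == "DNS"]
    if dns_entries:
        return any(dns_name_matches(p, host) for p in dns_entries)
    return cn is not None and dns_name_matches(cn, host)


def openssl_san_line(san) -> str:
    """The x509v3 config line that puts all of these names into one certificate."""
    return "subjectAltName = " + ",".join(f"{k}:{v}" for k, v in san)


if __name__ == "__main__":
    for name in ("mail.example.org", "imap.example.org", "example.org",
                 "deep.sub.example.org", "192.0.2.10", "192.0.2.11"):
        print(f"{name:22} -> {cert_matches_host(SAN_EXAMPLE, name)}")
    print(openssl_san_line(SAN_EXAMPLE))
```

A wildcard entry such as `*.example.org` covers `imap.example.org` but neither `example.org` itself nor an IP literal, so a host that clients reach by address needs an explicit `IP:` entry, and every extra fqdn needs its own `DNS:` entry.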