| 1 |
Fernando Rodriguez <frodriguez.developer@×××××××.com> writes: |
| 2 |
|
| 3 |
> On Saturday, September 05, 2015 6:09:36 PM Mick wrote: |
| 4 |
>> On Saturday 05 Sep 2015 14:06:27 lee wrote: |
| 5 |
>> > Fernando Rodriguez <frodriguez.developer@×××××××.com> writes: |
| 6 |
>> > > On Saturday, September 05, 2015 1:05:06 AM lee wrote: |
| 7 |
>> > >> In this case, I happen to have full physical access to the server and |
| 8 |
>> > >> thus to the certificate stored on it. This is not the case for, let's |
| 9 |
>> > >> say, an employee checking his work-email from home whom I might give |
| 10 |
> the |
| 11 |
>> > >> login-data on the phone and instruct to add an exception when the |
| 12 |
> dialog |
| 13 |
>> > >> to do so pops up when they are trying to connect. |
| 14 |
>> > > |
| 15 |
>> > > As a workaround you can create your own CA cert. I tested with a windows |
| 16 |
>> > > self- signed cert (I guess the correct term is self-issued) and the |
| 17 |
>> > > openssl command will show two certs. The second is the CA. |
| 18 |
>> > > |
| 19 |
>> > > http://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certifica |
| 20 |
>> > > te-authority/ |
| 21 |
>> > |
| 22 |
>> > They're saying: |
| 23 |
>> > |
| 24 |
>> > |
| 25 |
>> > "Whatever you see in the address field in your browser when you go to |
| 26 |
>> > your device must be what you put under common name, even if it’s an IP |
| 27 |
>> > address. [...] If it doesn’t match, even a properly signed certificate |
| 28 |
>> > will not validate correctly and you’ll get the “cannot verify |
| 29 |
>> > authenticity” error." |
| 30 |
>> > |
| 31 |
>> > |
| 32 |
>> > What's the solution for a server which can be reached by different fqdns |
| 33 |
>> > and IPs? What if the fqdns and IPs it can be reached by change over the |
| 34 |
>> > lifetime of the certificates? |
| 35 |
>> |
| 36 |
> [...] |
| 37 |
> |
| 38 |
> Wildcards should do it. The browser will give you a warning but you don't |
| 39 |
> care since all you want is encryption and your users already trust you. |
| 40 |
|
| 41 |
True --- and the problem will be back again when seamonkey etc. decide |
| 42 |
not to accept certificates with wildcards anymore. |
| 43 |
|
| 44 |
> The only thing that matters about that article is that you'll be signing your |
| 45 |
> certificate with the CA ones so you get two certificates when you run the |
| 46 |
> openssl command, the last one is the CA certificate. If you, or your users add |
| 47 |
> trust to that one, anything you sign with it will be trusted. |
| 48 |
> |
| 49 |
> I only tried it with a windows server issued certificate which does all that by |
| 50 |
> default. |
| 51 |
|
| 52 |
Changing the key would be a last resort. |
| 53 |
|
| 54 |
If I do that, should I use a SHA-3 key? Would that work, or is SHA-3 |
| 55 |
too new? |
| 56 |
|
| 57 |
> Since it lets you open the exception dialog but just hangs when downloading |
| 58 |
> the certificate I wonder if it has something to do with your OCSP settings. |
| 59 |
> Check that they match mine: |
| 60 |
> |
| 61 |
> security.OCSP.GET.enabled false |
| 62 |
> security.OCSP.enabled 1 |
| 63 |
> security.OCSP.require false |
| 64 |
> |
| 65 |
> everything else is true. |
| 66 |
|
| 67 |
I checked, and we have the same settings. It doesn't really hang, it |
| 68 |
does nothing when I try to get the certificate. Does it do something |
| 69 |
when you try? |
| 70 |
|
| 71 |
|
| 72 |
-- |
| 73 |
Again we must be afraid of speaking of daemons for fear that daemons |
| 74 |
might swallow us. Finally, this fear has become reasonable. |
Archives