1 |
Mick <michaelkintzios@×××××.com> writes: |
2 |
|
3 |
> On Saturday 05 Sep 2015 14:06:27 lee wrote: |
4 |
>> Fernando Rodriguez <frodriguez.developer@×××××××.com> writes: |
5 |
>> > On Saturday, September 05, 2015 1:05:06 AM lee wrote: |
6 |
>> >> In this case, I happen to have full physical access to the server and |
7 |
>> >> thus to the certificate stored on it. This is not the case for, let's |
8 |
>> >> say, an employee checking his work-email from home whom I might give the |
9 |
>> >> login-data on the phone and instruct to add an exception when the dialog |
10 |
>> >> to do so pops up when they are trying to connect. |
11 |
>> > |
12 |
>> > As a workaround you can create your own CA cert. I tested with a windows |
13 |
>> > self- signed cert (I guess the correct term is self-issued) and the |
14 |
>> > openssl command will show two certs. The second is the CA. |
15 |
>> > |
16 |
>> > http://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certifica |
17 |
>> > te-authority/ |
18 |
>> |
19 |
>> They're saying: |
20 |
>> |
21 |
>> |
22 |
>> "Whatever you see in the address field in your browser when you go to |
23 |
>> your device must be what you put under common name, even if it’s an IP |
24 |
>> address. [...] If it doesn’t match, even a properly signed certificate |
25 |
>> will not validate correctly and you’ll get the “cannot verify |
26 |
>> authenticity” error." |
27 |
>> |
28 |
>> |
29 |
>> What's the solution for a server which can be reached by different fqdns |
30 |
>> and IPs? What if the fqdns and IPs it can be reached by change over the |
31 |
>> lifetime of the certificates? |
32 |
> |
33 |
> If we are talking about changing subdomains, e.g. mailserver1.mydomain.com and |
34 |
> mailserver2.mydomain.com then you could use a wildcard CN field descriptor in |
35 |
> your certificate: *.mydomain.com |
36 |
|
37 |
just different fqdns and IPs with which the server can be reached during |
38 |
the lifetime of the certificate (which is only 10 years) |
39 |
|
40 |
Can you foresee all possible fqdns and IPs it might have in the next 10 |
41 |
years? |
42 |
|
43 |
I think it would be retarded to bind a certificate to a fqdn or IP. Both |
44 |
can change at any time. It's the certificate that counts and which can |
45 |
be verified by a fingerprint before accepting it. The host name and IP |
46 |
are entirely irrelevant for this. In some cases, you can even say that |
47 |
the certificate is for an organization, not for a particular host or |
48 |
device (operated by or being operated on behalf of the organization). |
49 |
|
50 |
|
51 |
Or think of gpg: Binding a certificate to fqdn/IP would be like binding |
52 |
my gpg public key to the place (like my postal address) I am at so that |
53 |
I can decrypt something only when I happen to be at the right |
54 |
place. Then give me an option to add multiple places to my pubkey when |
55 |
creating it, and as soon as I'm at another place about which I haven't |
56 |
foreseen that I might be there some time, I will have a problem. For |
57 |
all I know, I could be travelling in a car or a train or an air plane. |
58 |
|
59 |
It's impractical. Change is a constant. |
60 |
|
61 |
> If we are talking about a multidomain certificate, then you would have the |
62 |
> main domain name in CN and add all the remaining domain names in the |
63 |
> subjectAltName field. |
64 |
> |
65 |
> For example: |
66 |
> |
67 |
> [req] |
68 |
> req_extensions = v3_req |
69 |
> |
70 |
> [ v3_req ] |
71 |
> |
72 |
> # Extensions to add to a certificate request |
73 |
> [snip...] |
74 |
> |
75 |
> subjectAltName = @alt_names |
76 |
> |
77 |
> [alt_names] |
78 |
> DNS.1 = mydomain.com |
79 |
> DNS.2 = mydomain.net |
80 |
> DNS.3 = www.mydomain.com |
81 |
> DNS.4 = mx.sub.mydomain.com |
82 |
> DNS.5 = mx.someotherdomain.com |
83 |
> IP.1 = 123.456.78.9 |
84 |
> IP.2 = 987.654.32.1 |
85 |
> |
86 |
> You could specify the same on the CLI when you are generating the self signed |
87 |
> certificate. |
88 |
|
89 |
At least that's possible. How would I add that without changing the |
90 |
existing certificate? I don't want to irritate the users, don't want to |
91 |
have the phone calls about it and don't want trouble with the odd client |
92 |
which happens to have been updated and refuses to accept the certificate |
93 |
... |
94 |
|
95 |
See what I mean? It's impractical. |
96 |
|
97 |
>> How do I deploy some sort of central infrastructure all clients on the |
98 |
>> LAN and anywhere on the world will automatically use to do the simple |
99 |
>> thing of adding an exception (or whatever is required for that) so that |
100 |
>> seamonkey and relatives can be used to access email? |
101 |
>> |
102 |
>> That's letting aside that it's ridiculous to deploy such an |
103 |
>> infrastructure when the same thing could be achieved by the user |
104 |
>> clicking a button once to add an exception, as it used to be. |
105 |
> |
106 |
> This I think is primarily a problem of the latest version of SeaMonkey. I |
107 |
> suspect they have inadvertently added a regression bug. |
108 |
> |
109 |
> |
110 |
>> Seriously? The result is currently a version freeze; the alternative is |
111 |
>> using unencrypted connections. After some time, the version freeze |
112 |
>> cannot be kept up. Since there are no alternative MUAs, we can only go |
113 |
>> back to unencrypted connections when that happens. And that's something |
114 |
>> I don't even want to do on the LAN. |
115 |
>> |
116 |
>> |
117 |
>> Well, I've made a bug report about this: |
118 |
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1202128 |
119 |
> |
120 |
> Also have a look at this bug, in case it is related: |
121 |
> |
122 |
> https://bugzilla.mozilla.org/show_bug.cgi?id=1036338 |
123 |
|
124 |
I really can't tell. It seems different in that even certificates that |
125 |
were already used don't work anymore, which isn't the case here. |
126 |
|
127 |
|
128 |
-- |
129 |
Again we must be afraid of speaking of daemons for fear that daemons |
130 |
might swallow us. Finally, this fear has become reasonable. |