| 1 |
On Sunday 06 Sep 2015 15:29:25 lee wrote: |
| 2 |
> Mick <michaelkintzios@×××××.com> writes: |
| 3 |
> > On Saturday 05 Sep 2015 17:22:24 lee wrote: |
| 4 |
|
| 5 |
> >> Maybe that only works with firefox? |
| 6 |
> > |
| 7 |
> > Yes, it seems to be the case that SeaMonkey has some GUI differences to |
| 8 |
> > Firefox. I am on Firefox-38.2.1 at present. |
| 9 |
> |
| 10 |
> Does Firefox even have a MUA built in? IIRC it's only the web browser |
| 11 |
> part of seamonkey. |
| 12 |
|
| 13 |
No, but T'bird uses the same SSL certificate storage as the mozilla browser |
| 14 |
does. |
| 15 |
|
| 16 |
|
| 17 |
> > I can't recall if you tried this: |
| 18 |
> > |
| 19 |
> > Can you please remove it from Servers and try adding it to the |
| 20 |
> > Authorities tab? Your version may have additional verification checks |
| 21 |
> > for self-signed certificates, because they essentially acting as their |
| 22 |
> > own Root CAs. |
| 23 |
> |
| 24 |
> Yes, I tried that. |
| 25 |
|
| 26 |
Right, I saw your email. From what I can gather this is a bug impairing |
| 27 |
critical functionality of the Mozilla suite. |
| 28 |
|
| 29 |
|
| 30 |
> > The fact that it is hanging and not obtaining the certificate makes me |
| 31 |
> > wonder if you need to specify a domain name in the CN field of the |
| 32 |
> > certificate, identical to the full URI that the client is trying to |
| 33 |
> > connect to. |
| 34 |
> |
| 35 |
> That brings us back to the impractical idea of trying to bind a |
| 36 |
> certificate to a specific fqdn or IP, or to a number of those. |
| 37 |
> |
| 38 |
> Is it possible to create a certificate that doesn't use either but a |
| 39 |
> wildcard only? I don't understand why or how an fqdn/IP in a |
| 40 |
> certificate could or should be relevant at all. |
| 41 |
|
| 42 |
It is relevant because Mozilla will read the CN and or subjectAltName fields |
| 43 |
for DNS/IP to match against the URL the client is trying to connect to. It |
| 44 |
will also read any additional fields for OCSP and CRL URIs and try to connect |
| 45 |
to those too to retrieve relevant files (e.g. of revocation lists). These |
| 46 |
would be contained in the certificate's X509v3 extensions. The browser does |
| 47 |
not extrapolate from what is contained in those fields, but treats their |
| 48 |
contents literally. If the CN field contains 'example.com' but the client is |
| 49 |
trying to connect to 'www.example.com' (or the server redirects to the latter) |
| 50 |
the browser's verification engine could throw its arms up and say STOP! This |
| 51 |
is not the address specified on the certificate, therefore you could be |
| 52 |
inadvertently trying to connect to a malicious server impersonating your |
| 53 |
server. The browser is warning about a Man In The Middle attack. This is |
| 54 |
fine and as it should be. What is not at all fine is that it stops you |
| 55 |
connecting AND it does not allow you to acknowledge as acceptable whatever it |
| 56 |
is that it doesn't like about your certificate. |
| 57 |
|
| 58 |
|
| 59 |
> When creating the certificate, I have used the fqdn the host does |
| 60 |
> actually have and knows itself by (because I needed to fill in the |
| 61 |
> fields, and it seemed most reasonable to use the actual host name). |
| 62 |
> |
| 63 |
> That this host can be reached at all, via different fqdns and IPs, is a |
| 64 |
> matter of network traffic (re-)direction and of how the DNS-entries |
| 65 |
> currently happen to be. They are all transparent and irrelevant to the |
| 66 |
> user/client and subject to change. Why should they matter for a |
| 67 |
> certificate which is supposed to let me figure out whether I'm |
| 68 |
> connecting to the host I'm expecting to connect to, or to something |
| 69 |
> else? |
| 70 |
> |
| 71 |
> When a friend calls you on the phone, you do not insist that they are |
| 72 |
> not your friend and reject their call just because they're calling you |
| 73 |
> from a different phone number. You do not reject their call and insist |
| 74 |
> that they are not your friend because the call has been (re-)directed |
| 75 |
> over a satellite or goes through an asterisk server. You do not insist |
| 76 |
> that your friend is someone else when they show up at your door wearing |
| 77 |
> different cloths than they usually do. Instead, you figure out that the |
| 78 |
> caller, or the person at your door, is your friend by the human |
| 79 |
> equivalent of a certificate. |
| 80 |
|
| 81 |
|
| 82 |
Well, in the UK we have a feature called 'Caller ID'. You will be surprised |
| 83 |
at the number of voice mails I have to leave when I call from a 'caller ID |
| 84 |
witheld' phone. People will NOT answer unless they recognise the number of |
| 85 |
the caller. :-) |
| 86 |
|
| 87 |
With a server the FQDN is much more important, as it can impersonate e.g. you |
| 88 |
Bank and steal login information about your login details. |
| 89 |
|
| 90 |
-- |
| 91 |
Regards, |
| 92 |
Mick |
Archives