1 |
On Sunday 06 Sep 2015 15:29:25 lee wrote: |
2 |
> Mick <michaelkintzios@×××××.com> writes: |
3 |
> > On Saturday 05 Sep 2015 17:22:24 lee wrote: |
4 |
|
5 |
> >> Maybe that only works with firefox? |
6 |
> > |
7 |
> > Yes, it seems to be the case that SeaMonkey has some GUI differences to |
8 |
> > Firefox. I am on Firefox-38.2.1 at present. |
9 |
> |
10 |
> Does Firefox even have a MUA built in? IIRC it's only the web browser |
11 |
> part of seamonkey. |
12 |
|
13 |
No, but T'bird uses the same SSL certificate storage as the mozilla browser |
14 |
does. |
15 |
|
16 |
|
17 |
> > I can't recall if you tried this: |
18 |
> > |
19 |
> > Can you please remove it from Servers and try adding it to the |
20 |
> > Authorities tab? Your version may have additional verification checks |
21 |
> > for self-signed certificates, because they essentially acting as their |
22 |
> > own Root CAs. |
23 |
> |
24 |
> Yes, I tried that. |
25 |
|
26 |
Right, I saw your email. From what I can gather this is a bug impairing |
27 |
critical functionality of the Mozilla suite. |
28 |
|
29 |
|
30 |
> > The fact that it is hanging and not obtaining the certificate makes me |
31 |
> > wonder if you need to specify a domain name in the CN field of the |
32 |
> > certificate, identical to the full URI that the client is trying to |
33 |
> > connect to. |
34 |
> |
35 |
> That brings us back to the impractical idea of trying to bind a |
36 |
> certificate to a specific fqdn or IP, or to a number of those. |
37 |
> |
38 |
> Is it possible to create a certificate that doesn't use either but a |
39 |
> wildcard only? I don't understand why or how an fqdn/IP in a |
40 |
> certificate could or should be relevant at all. |
41 |
|
42 |
It is relevant because Mozilla will read the CN and or subjectAltName fields |
43 |
for DNS/IP to match against the URL the client is trying to connect to. It |
44 |
will also read any additional fields for OCSP and CRL URIs and try to connect |
45 |
to those too to retrieve relevant files (e.g. of revocation lists). These |
46 |
would be contained in the certificate's X509v3 extensions. The browser does |
47 |
not extrapolate from what is contained in those fields, but treats their |
48 |
contents literally. If the CN field contains 'example.com' but the client is |
49 |
trying to connect to 'www.example.com' (or the server redirects to the latter) |
50 |
the browser's verification engine could throw its arms up and say STOP! This |
51 |
is not the address specified on the certificate, therefore you could be |
52 |
inadvertently trying to connect to a malicious server impersonating your |
53 |
server. The browser is warning about a Man In The Middle attack. This is |
54 |
fine and as it should be. What is not at all fine is that it stops you |
55 |
connecting AND it does not allow you to acknowledge as acceptable whatever it |
56 |
is that it doesn't like about your certificate. |
57 |
|
58 |
|
59 |
> When creating the certificate, I have used the fqdn the host does |
60 |
> actually have and knows itself by (because I needed to fill in the |
61 |
> fields, and it seemed most reasonable to use the actual host name). |
62 |
> |
63 |
> That this host can be reached at all, via different fqdns and IPs, is a |
64 |
> matter of network traffic (re-)direction and of how the DNS-entries |
65 |
> currently happen to be. They are all transparent and irrelevant to the |
66 |
> user/client and subject to change. Why should they matter for a |
67 |
> certificate which is supposed to let me figure out whether I'm |
68 |
> connecting to the host I'm expecting to connect to, or to something |
69 |
> else? |
70 |
> |
71 |
> When a friend calls you on the phone, you do not insist that they are |
72 |
> not your friend and reject their call just because they're calling you |
73 |
> from a different phone number. You do not reject their call and insist |
74 |
> that they are not your friend because the call has been (re-)directed |
75 |
> over a satellite or goes through an asterisk server. You do not insist |
76 |
> that your friend is someone else when they show up at your door wearing |
77 |
> different cloths than they usually do. Instead, you figure out that the |
78 |
> caller, or the person at your door, is your friend by the human |
79 |
> equivalent of a certificate. |
80 |
|
81 |
|
82 |
Well, in the UK we have a feature called 'Caller ID'. You will be surprised |
83 |
at the number of voice mails I have to leave when I call from a 'caller ID |
84 |
witheld' phone. People will NOT answer unless they recognise the number of |
85 |
the caller. :-) |
86 |
|
87 |
With a server the FQDN is much more important, as it can impersonate e.g. you |
88 |
Bank and steal login information about your login details. |
89 |
|
90 |
-- |
91 |
Regards, |
92 |
Mick |