| 1 |
On Sunday, September 06, 2015 4:29:25 PM lee wrote: |
| 2 |
> Mick <michaelkintzios@×××××.com> writes: |
| 3 |
> |
| 4 |
> > On Saturday 05 Sep 2015 17:22:24 lee wrote: |
| 5 |
> >> Mick <michaelkintzios@×××××.com> writes: |
| 6 |
> >> > On Saturday 05 Sep 2015 02:08:47 Fernando Rodriguez wrote: |
| 7 |
> >> >> On Saturday, September 05, 2015 1:05:06 AM lee wrote: |
| 8 |
> >> >> > In this case, I happen to have full physical access to the server |
| 9 |
and |
| 10 |
> >> >> > thus to the certificate stored on it. This is not the case for, |
| 11 |
let's |
| 12 |
> >> >> > say, an employee checking his work-email from home whom I might give |
| 13 |
> >> >> > the login-data on the phone and instruct to add an exception when |
| 14 |
the |
| 15 |
> >> >> > dialog to do so pops up when they are trying to connect. |
| 16 |
> >> >> |
| 17 |
> >> >> As a workaround you can create your own CA cert. I tested with a |
| 18 |
windows |
| 19 |
> >> >> self- signed cert (I guess the correct term is self-issued) and the |
| 20 |
> >> >> openssl command will show two certs. The second is the CA. |
| 21 |
> >> >> |
| 22 |
> >> >> http://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certific |
| 23 |
> >> >> ate -authority/ |
| 24 |
> >> > |
| 25 |
> >> > lee, on my FF I can import a self-signed certificate when I go to: |
| 26 |
> >> > about:preferences#advanced |
| 27 |
> >> |
| 28 |
> >> You mean to enter this as an URL, just like about:config? When I do |
| 29 |
> >> that, I'm getting "The URL is not valid and cannot be loaded. The |
| 30 |
> >> provided address is not in a recognized format. Please check the |
| 31 |
> >> location bar for mistakes and try again.". |
| 32 |
> >> |
| 33 |
> >> Maybe that only works with firefox? |
| 34 |
> > |
| 35 |
> > Yes, it seems to be the case that SeaMonkey has some GUI differences to |
| 36 |
> > Firefox. I am on Firefox-38.2.1 at present. |
| 37 |
> |
| 38 |
> Does Firefox even have a MUA built in? IIRC it's only the web browser |
| 39 |
> part of seamonkey. |
| 40 |
> |
| 41 |
> >> > and then select the 'Servers' tab. After I import it I can select it |
| 42 |
and |
| 43 |
> >> > click on the 'Add Exception' button at the bottom of the tab. Enter |
| 44 |
the |
| 45 |
> >> > http address of the server and FF should go and fetch it afresh when |
| 46 |
you |
| 47 |
> >> > click on 'Get Certificate', then tick 'Permanently store this exception' |
| 48 |
> >> > and 'Confirm Security Exception'. These buttons will be greyed out if |
| 49 |
> >> > do not download the certificate or if I am running FF in Private |
| 50 |
> >> > Browsing mode. |
| 51 |
> >> |
| 52 |
> >> I'm guessing you might be in the window that shows up when you edit |
| 53 |
> >> preferences and go to 'Privacy & Security --> Certificates --> Manage |
| 54 |
> >> Certificates ...' and then to the "Servers" tab. |
| 55 |
> > |
| 56 |
> > Yes, this is the location I am referring to. However, if it is hanging |
| 57 |
and |
| 58 |
> > not connecting to the server to fetch the certificate something is not |
| 59 |
right. |
| 60 |
> > This is the reason with the exception button it greyed out. |
| 61 |
> > |
| 62 |
> > I can't recall if you tried this: |
| 63 |
> > |
| 64 |
> > Can you please remove it from Servers and try adding it to the Authorities |
| 65 |
> > tab? Your version may have additional verification checks for self-signed |
| 66 |
> > certificates, because they essentially acting as their own Root CAs. |
| 67 |
> |
| 68 |
> Yes, I tried that. |
| 69 |
> |
| 70 |
> >> From there, I can import the certificate I downloaded with openssl. |
| 71 |
> >> Once imported, I can click on "Add Exceptions". That gives me the same |
| 72 |
> >> dialog which comes up when I'm trying to connect which doesn't allow me |
| 73 |
> >> to add an exception because the buttons to do so are disabled. The |
| 74 |
> >> dialog remains stuck at "Checking Information" indefinitely. |
| 75 |
> >> |
| 76 |
> >> I'm attaching a screenshot: |
| 77 |
> > |
| 78 |
> > The fact that it is hanging and not obtaining the certificate makes me |
| 79 |
wonder |
| 80 |
> > if you need to specify a domain name in the CN field of the certificate, |
| 81 |
> > identical to the full URI that the client is trying to connect to. |
| 82 |
> |
| 83 |
> That brings us back to the impractical idea of trying to bind a |
| 84 |
> certificate to a specific fqdn or IP, or to a number of those. |
| 85 |
> |
| 86 |
> Is it possible to create a certificate that doesn't use either but a |
| 87 |
> wildcard only? I don't understand why or how an fqdn/IP in a |
| 88 |
> certificate could or should be relevant at all. |
| 89 |
> |
| 90 |
> When creating the certificate, I have used the fqdn the host does |
| 91 |
> actually have and knows itself by (because I needed to fill in the |
| 92 |
> fields, and it seemed most reasonable to use the actual host name). |
| 93 |
> |
| 94 |
> That this host can be reached at all, via different fqdns and IPs, is a |
| 95 |
> matter of network traffic (re-)direction and of how the DNS-entries |
| 96 |
> currently happen to be. They are all transparent and irrelevant to the |
| 97 |
> user/client and subject to change. Why should they matter for a |
| 98 |
> certificate which is supposed to let me figure out whether I'm |
| 99 |
> connecting to the host I'm expecting to connect to, or to something |
| 100 |
> else? |
| 101 |
> |
| 102 |
> When a friend calls you on the phone, you do not insist that they are |
| 103 |
> not your friend and reject their call just because they're calling you |
| 104 |
> from a different phone number. You do not reject their call and insist |
| 105 |
> that they are not your friend because the call has been (re-)directed |
| 106 |
> over a satellite or goes through an asterisk server. You do not insist |
| 107 |
> that your friend is someone else when they show up at your door wearing |
| 108 |
> different cloths than they usually do. Instead, you figure out that the |
| 109 |
> caller, or the person at your door, is your friend by the human |
| 110 |
> equivalent of a certificate. |
| 111 |
|
| 112 |
An SSL certificate provides both encryption and authentication. For the |
| 113 |
encryption part it's simple, you own the private key, the certificate has the |
| 114 |
public key, so only you can decrypt whatever is encrypted with it. |
| 115 |
|
| 116 |
Authentication is more complicated. It's easy if you think of if like a driver |
| 117 |
license. The hostname is like the photo, if I get pulled over and hand over a |
| 118 |
stolen license to the officer he'll know it's not me by looking at the photo. |
| 119 |
Your browser does the same with the hostname, if somebody steals your private |
| 120 |
key they will also have to steal your domain name to impersonate you. If |
| 121 |
somebody grabs a hold of your CA's private key is like stealing the DMV |
| 122 |
printer, now they can issue themselves a license with your name and their own |
| 123 |
picture. But if they hand it over to an officer he will call it in and find out |
| 124 |
it's fake, that's the equivalent of revocation lists and ocsp. |
| 125 |
|
| 126 |
Of course it only works because we trust the DMV (or the CA in this case) to |
| 127 |
be diligent in verifying you are who you say you are before issuing a license |
| 128 |
or certificate. So it all doesn't apply as much to self issued certificates but |
| 129 |
it still applies to some extent. |
| 130 |
|
| 131 |
-- |
| 132 |
Fernando Rodriguez |
Archives