From: lee
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] broken seamonkey :(
Date: Sat, 05 Sep 2015 14:06:33 +0200
In-Reply-To: (Fernando Rodriguez's message of "Fri, 4 Sep 2015 20:43:43 -0400")
Message-ID: <87a8t1kr3q.fsf@heimdali.yagibdah.de>

Fernando Rodriguez writes:

> On Saturday, September 05, 2015 1:05:06 AM lee wrote:
>> >> It doesn't work. I've imported the certificate now at home, and no
>> >> matter what trust I set or whatever I do, I cannot connect, and I cannot
>> >> add an exception.
>>
>> I can (have to) do with seamonkey 2.30 at work and mutt at home. This
>> isn't a long-term solution because it forbids updating the web browser
>> and email clients for everyone at work ever since.
>>
>> Is this a bug of seamonkey? I could make a bug report in that case.
>
> Adding the CA certificate and ticking all trust options does work but it seems
> not all self-signed certs have one.

It worked at work and didn't work at home. It's weird.

> If when you run openssl s_client -connect host:443 -showcerts it lists
> more than one cert then you want to import the last under authorities.

As far as I can tell, it shows only one certificate. When I import it, it shows up correctly.

> You can try backing up and deleting your profile directory, if it works with a
> new one either go through all the ssl about:config settings and compare them or
> just start over with new settings and import bookmarks, etc. If you both have
> the same version then it must not be a change or bug.

It's not that. I've tried it at work with a seamonkey on a windoze 7 VM with a seamonkey that had only been used for web browsing and for which I haven't changed any settings that could be even remotely related to this.

The inability to add an exception is consistent over at least 5 totally different machines, Linux and windoze, with at least seamonkey and thunderbird. On at least two of these machines, older versions like seamonkey 2.30 simply let me add an exception while newer versions don't.

Update seamonkey on the terminal server, create a new user, try to set up seamonkey so that they can access their email, and you cannot add an exception. You have to revert to 2.30, add the exception, and then you can go back to 2.33.1 and it works because the exception was added.

So this must either be a bug of seamonkey and its relatives, or a default setting that has changed with newer versions, or something needs to be done with all(!) self-signed certificates, or adding exceptions has been disabled intentionally, which would require another way to do it because they cannot expect everyone to somehow change their perfectly fine certificates or to buy signed ones.

--
Again we must be afraid of speaking of daemons for fear that daemons
might swallow us. Finally, this fear has become reasonable.
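
The check discussed in the message above (how many certificates `openssl s_client -showcerts` lists, and which one is last), as an added example that is not part of the original thread. The function names, host name and CA name are hypothetical, and the sample outputs are constructed.

```shell
# Added example (not from the thread); samples are constructed, PEM bodies are placeholders.

sample_single() {   # one certificate whose subject equals its issuer
cat <<'EOF'
Certificate chain
 0 s:/CN=mail.example.test
   i:/CN=mail.example.test
-----BEGIN CERTIFICATE-----
(placeholder)
-----END CERTIFICATE-----
---
EOF
}

sample_chain() {    # server certificate followed by the CA that issued it
cat <<'EOF'
Certificate chain
 0 s:/CN=mail.example.test
   i:/CN=Example Private CA
-----BEGIN CERTIFICATE-----
(placeholder)
-----END CERTIFICATE-----
 1 s:/CN=Example Private CA
   i:/CN=Example Private CA
-----BEGIN CERTIFICATE-----
(placeholder)
-----END CERTIFICATE-----
---
EOF
}

# Print depth|subject|issuer|kind for each entry of the chain section.
# "self-issued" is a name comparison only; it does not verify the signature.
chain_summary() {
  awk '
    /^Certificate chain/ { in_chain = 1; next }
    in_chain && /^---$/  { in_chain = 0 }
    in_chain && /^ *[0-9]+ s:/ { depth = $1; sub(/^ *[0-9]+ s:/, ""); subj = $0; next }
    in_chain && /^ +i:/ { sub(/^ +i:/, "")
      print depth "|" subj "|" $0 "|" (subj == $0 ? "self-issued" : "issued") }'
}

# Report how many certificates were sent and describe the last one, which is
# the one the quoted advice says to import under Authorities.
last_in_chain() {
  chain_summary | awk -F'|' '
    { n = NR; last = "depth=" $1 " subject=" $2 " kind=" $4 }
    END { if (n == 0) { print "no chain section found"; exit 1 }
          print "count=" n " " last }'
}
```

To run it against a live server, pipe `openssl s_client -connect host:443 -showcerts </dev/null` into `last_in_chain`. A result of `count=1` with `kind=self-issued` means the server sent no separate CA certificate.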