From: Fernando Rodriguez
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] broken seamonkey :(
Date: Sat, 5 Sep 2015 17:40:09 -0400
In-Reply-To: <201509051809.45420.michaelkintzios@gmail.com>
References: <87oahjmg8s.fsf@heimdali.yagibdah.de> <87613pkobw.fsf@heimdali.yagibdah.de> <201509051809.45420.michaelkintzios@gmail.com>

On Saturday, September 05, 2015 6:09:36 PM Mick wrote:
> On Saturday 05 Sep 2015 14:06:27 lee wrote:
> > Fernando Rodriguez writes:
> > > On Saturday, September 05, 2015 1:05:06 AM lee wrote:
> > >> In this case, I happen to have full physical access to the server and
> > >> thus to the certificate stored on it. This is not the case for, let's
> > >> say, an employee checking his work-email from home whom I might give the
> > >> login-data on the phone and instruct to add an exception when the dialog
> > >> to do so pops up when they are trying to connect.
> > >
> > > As a workaround you can create your own CA cert. I tested with a windows
> > > self-signed cert (I guess the correct term is self-issued) and the
> > > openssl command will show two certs. The second is the CA.
> > >
> > > http://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/
> >
> > They're saying:
> >
> > "Whatever you see in the address field in your browser when you go to
> > your device must be what you put under common name, even if it's an IP
> > address. [...] If it doesn't match, even a properly signed certificate
> > will not validate correctly and you'll get the "cannot verify
> > authenticity" error."
> >
> > What's the solution for a server which can be reached by different fqdns
> > and IPs? What if the fqdns and IPs it can be reached by change over the
> > lifetime of the certificates?
>
> If we are talking about changing subdomains, e.g. mailserver1.mydomain.com and
> mailserver2.mydomain.com then you could use a wildcard CN field descriptor in
> your certificate: *.mydomain.com
>
> If we are talking about a multidomain certificate, then you would have the
> main domain name in CN and add all the remaining domain names in the
> subjectAltName field.
>
> For example:
>
> [req]
> req_extensions = v3_req
>
> [ v3_req ]
>
> # Extensions to add to a certificate request
> [snip...]
>
> subjectAltName = @alt_names
>
> [alt_names]
> DNS.1 = mydomain.com
> DNS.2 = mydomain.net
> DNS.3 = www.mydomain.com
> DNS.4 = mx.sub.mydomain.com
> DNS.5 = mx.someotherdomain.com
> IP.1 = 123.456.78.9
> IP.2 = 987.654.32.1
>
> You could specify the same on the CLI when you are generating the self signed
> certificate.
>
> > How do I deploy some sort of central infrastructure all clients on the
> > LAN and anywhere on the world will automatically use to do the simple
> > thing of adding an exception (or whatever is required for that) so that
> > seamonkey and relatives can be used to access email?
> >
> > That's letting aside that it's ridiculous to deploy such an
> > infrastructure when the same thing could be achieved by the user
> > clicking a button once to add an exception, as it used to be.
>
> This I think is primarily a problem of the latest version of SeaMonkey. I
> suspect they have inadvertently added a regression bug.
>
> > Seriously? The result is currently a version freeze; the alternative is
> > using unencrypted connections. After some time, the version freeze
> > cannot be kept up. Since there are no alternative MUAs, we can only go
> > back to unencrypted connections when that happens. And that's something
> > I don't even want to do on the LAN.
> >
> > Well, I've made a bug report about this:
> > https://bugzilla.mozilla.org/show_bug.cgi?id=1202128
>
> Also have a look at this bug, in case it is related:
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=1036338

Wildcards should do it. The browser will give you a warning but you don't
care since all you want is encryption and your users already trust you.

The only thing that matters about that article is that you'll be signing your
certificate with the CA ones so you get two certificates when you run the
openssl command, the last one is the CA certificate. If you, or your users add
trust to that one, anything you sign with it will be trusted.

I only tried it with a windows server issued certificate which does all that by
default.

Since it lets you open the exception dialog but just hangs when downloading
the certificate I wonder if it has something to do with your OCSP settings.
Check that they match mine:

security.OCSP.GET.enabled false
security.OCSP.enabled 1
security.OCSP.require false

everything else is true.

-- 
Fernando Rodriguez
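Added example, not code from anyone in the thread: this script builds the setup Mick and Fernando describe (a private CA, then a server certificate carrying Mick's alt_names list plus the *.mydomain.com wildcard) and uses `openssl verify -verify_hostname` / `-verify_ip` as a stand-in for the client's name check, so you can see which names validate against the CA your users would add trust to. The CA name, the RFC 5737 documentation addresses standing in for the thread's placeholder IPs, and OpenSSL 1.1.1 or later are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): private CA + SAN server cert + name checks.
set -eu
WORK="$(mktemp -d)"            # scratch dir for keys and certs, removed on exit
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/san.cnf" <<'EOF'
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = mydomain.com
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = mydomain.com
DNS.2 = mydomain.net
DNS.3 = www.mydomain.com
DNS.4 = mx.sub.mydomain.com
DNS.5 = mx.someotherdomain.com
DNS.6 = *.mydomain.com
IP.1 = 192.0.2.10
IP.2 = 198.51.100.20
EOF
# 1. Self-signed CA: the one certificate users have to add trust to (assumed name).
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$WORK/san.cnf" \
  -subj "/CN=Example Private CA" -extensions v3_ca \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
# 2. Server request carrying the SAN list; 3. sign it with the CA.
openssl req -new -newkey rsa:2048 -nodes -config "$WORK/san.cnf" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -days 365 -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
  -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/san.cnf" \
  -extensions v3_req -out "$WORK/server.crt" 2>/dev/null
# Exit 0 when NAME (DNS name or IPv4 literal) validates against the chain the
# way a client that trusts ca.crt would see it; non-zero on any mismatch.
check_name() {
  case "$1" in
    *[!0-9.]*) flag=-verify_hostname ;;   # contains letters: a DNS name
    *)         flag=-verify_ip ;;
  esac
  openssl verify -CAfile "$WORK/ca.crt" "$flag" "$1" "$WORK/server.crt" >/dev/null 2>&1
}
```

Note that the wildcard entry matches mailserver1.mydomain.com but not deep.sub.mydomain.com: OpenSSL matches `*` against a single label only, which is why Mick lists mx.sub.mydomain.com explicitly.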