
10.5: Prevent SSL warnings for certain CA certificates
If you have been using Mail to check mail over SSL on a server whose certificate was signed by a non-standard Certificate Authority (CA) such as CACert, you have probably seen the warnings about the non-standard CA. In the pre-Leopard days you could bypass the warning simply by clicking OK and connecting anyway. In 10.5 that is no longer enough: you get the warning every time you connect.

The way to handle this (assuming you have successfully checked mail on this account before) is to first import the CA's root certificate, if you have not already done so. You have probably done this already, since I believe the upgrade from 10.3 to 10.4 required it.

Second, open Keychain Access and search for the root cert you imported; in my case it was CACert. Keychain Access will show the root cert in both the "X509Anchors" and the "login" keychains. Select the one in the "X509Anchors" keychain and double-click it. The top of the window should say that the root cert is not trusted.

On the left-hand side, expand the Trust section by clicking the triangle next to the word Trust. You will see a series of pop-up menus, most of which will be set to "Use System Default" or "no value specified". Change the SSL entry to "Always Trust".

Quit Mail and Keychain Access, open Mail again, and you should not be prompted any more. Do not trust that certificate for any other role it can authorize (unless you know what you are doing), because most third-party certificates do not verify identities. In other words, you can be satisfied that the identity (i.e. the server) is the same one you connected to yesterday, but you cannot be sure that the identity (i.e. the server) is who it has always claimed to be.

[robg adds: I haven't tested this one.]

8 comments
10.5: Prevent SSL warnings for certain CA certificates
Authored by: eyemovie on Nov 05, '07 08:34:44AM

Actually, perhaps even easier ... when you get the warning ... click on the left button that says "Show Certificate" ... and then click the checkbox for "Trust" this cert in future. That takes care of it for me. You might get the warning a couple of times (at least for me) for the different servers (is it for both sending and receiving?) and you might get it if your ISP uses a shared certificate and the message will say something like do you want to accept this cert/server in whenever you connect to mydomain.com ... click the appropriate approvals if you are sure you can trust them ... and then you won't be bothered again! No messing with the keychain if you don't want to ... or dragging the cert to your desktop and importing, etc. Finally! Very nice!!! ; )



An easier way?
Authored by: ptwithy on Nov 05, '07 08:35:42AM

When I hit this problem, in the error dialogue that Mail pops up, there is a "Show Certificate" button. Clicking on that gives you the details of the certificate, but also a little checkbox that says 'Always trust <this certificate> when fetching mail from <the mail host>'. I suspect this does something similar to the hint, but in a more user-friendly way.

My only problem is that it doesn't solve my problem. I think the certificate that is sent is perfectly trustworthy, but it is my hosting company's generic certificate for *.company.com and that does not match mail.mydomain.com.

Once I click through the warning, mail seems to be happy not to warn me again until I quit mail, but I was hoping that checking the little checkbox would make it so mail would not warn me the next time I started mail. Unfortunately, that does not seem to be the case...



An easier way?
Authored by: eyemovie on Nov 05, '07 08:52:50AM

If this persists ... you might just change your mail servers to the shared cert/server from your ISP ... then it should be solved. However, I do seem to recall a window that came up and asking if I wanted to trust myisp.com server for mydomain.com server. I remember seeing it some time, but didn't copy it or print the window.



An easier way?
Authored by: frickster on Nov 05, '07 03:29:47PM

I'm having the same problem with Dreamhost. I have multiple accounts with Dreamhost, and therefore multiple domains hosted there. I was able to get one account (my personal email) to accept the certificate, but since the other account uses the same certificate (both use *mail.dreamhost.com), Mail complains. I am able to force Mail to accept one, the other, but NOT both. If I get my personal account to work, then my business account complains; if I get my business account to work, then my personal account complains. It's really quite frustrating, because I can't seem to find a way to have two copies of the certificate -- one for each account -- and use them both.

I've tried putting the mail server in as mail.dreamhost.com, but they won't allow that to work. It fails. I'm not sure what to do, but it's REALLY annoying.

---
-frick



An easier way?
Authored by: bcometa on Aug 26, '08 01:18:17PM
I've been having this problem since installing Leopard, and I finally found a solution. The problem is the certificate's server name doesn't match the server address in Mail. OS X 10.5 will (intentionally) never save a certificate when these two things don't match. More info is on my blog, where I wrote a little guide to fixing this problem, or go to corewerkz.com and search for "verify certificate."

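
The two checks behind this thread, as an added illustration that is not part of the hint, of any comment, or of Apple's code: Mail's acceptance of a server certificate depends on (1) whether the issuing root is trusted for the SSL policy specifically, which is what the hint's Keychain Access change sets while leaving the other roles alone, and (2) whether the certificate's name matches the server address configured in the account, which is the check bcometa describes and which no trust setting can override. The Python below models both checks in simplified form: the issuer is treated as the root itself (no intermediates), and the root name, trust table and host names are constructed for the example. The wildcard rule follows RFC 6125, so it also covers the `*.company.com` case from ptwithy's comment.

```python
# Added illustration (not Apple's code): a simplified model of the two checks a
# mail client applies to a server certificate. Names and trust table are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Cert:
    subject_cn: str                 # Common Name of the certificate
    issuer_cn: str                  # simplification: the issuer is the root itself
    san_dns: List[str] = field(default_factory=list)   # dNSName SAN entries, if any


# Per-root, per-policy trust as set in Keychain Access. Only SSL is "always";
# the other roles stay at "use system default" (absent here, hence untrusted).
TRUST: Dict[str, Dict[str, str]] = {"Example CA Root": {"ssl": "always"}}   # constructed


def root_trusted_for(root_cn: str, policy: str, trust=TRUST) -> bool:
    """True only when this root has an explicit 'always' for the given policy."""
    return trust.get(root_cn, {}).get(policy) == "always"


def hostname_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style matching: a wildcard is allowed only as the whole
    left-most label and matches exactly one label, so '*.company.com'
    matches 'mail.company.com' but not 'mail.mydomain.com', 'a.b.company.com'
    or 'company.com'."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:]:
        return False                      # partial or multiple wildcards rejected
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False                      # no '*.com', and one label per '*'
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(cert: Cert, host: str) -> bool:
    """SAN dNSNames take precedence; the CN is used only when there is no SAN."""
    names = cert.san_dns if cert.san_dns else [cert.subject_cn]
    return any(hostname_matches(name, host) for name in names)


def evaluate(cert: Cert, host: str, trust=TRUST) -> Tuple[bool, str]:
    """Both checks must pass; the reason string says which one failed."""
    if not root_trusted_for(cert.issuer_cn, "ssl", trust):
        return False, "issuer not trusted for SSL"
    if not cert_matches_host(cert, host):
        return False, "certificate name does not match server address"
    return True, "ok"


if __name__ == "__main__":
    own = Cert("mail.mydomain.com", "Example CA Root")      # the hint's case
    shared = Cert("*.company.com", "Example CA Root")       # the hosting company's shared cert
    for cert, host in [(own, "mail.mydomain.com"),
                       (shared, "mail.company.com"),
                       (shared, "mail.mydomain.com")]:
        print(cert.subject_cn, "->", host, evaluate(cert, host))
```

Trusting a root for SSL means every server certificate that root issues, for any hostname, passes the first check; that is why the hint leaves the other roles untouched and why the second check still matters. The shared `*.company.com` certificate fails only the name check, so the trust change cannot help it, which matches what ptwithy and frickster report. On current macOS the same per-policy trust setting can be made from a terminal with `security add-trusted-cert -p ssl <certfile>` (a command the page itself does not mention).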
10.5: Prevent SSL warnings for certain CA certificates
Authored by: clermont on Nov 08, '07 11:24:26AM

Doesn't work in my case.

It managed to force the changes made to certs' status in Mail > Preferences > Accounts to stick, but this is illusory as witnessed by Connection Doctor reporting that certs are not valid.

There seems to be some sort of disconnect (heh) between Keychain Access, Mail Preferences and Connection Doctor, wherein the latter is not accepting (recognizing?) the user-defined status of shared SSL certs.



10.5: Prevent SSL warnings for certain CA certificates
Authored by: afragen on Nov 21, '07 10:36:35AM

This is exactly what I see. It must be a bug. Has anyone filed a bug report with Apple? I'm not a developer and don't know how to do it.



10.5: Prevent SSL warnings for certain CA certificates
Authored by: bcometa on Aug 26, '08 01:20:37PM
When "Always Trust" doesn't stick, you've got another problem on your hands: the certificate's server name doesn't match the server address in Mail. OS X 10.5 will (intentionally) never save a certificate when these two things don't match. More info is on my blog, where I wrote a little guide to fixing this problem (click my name above for a direct link to the article), or go to corewerkz.com and search for "verify certificate."
