Are you sure everything is ok?
Authored by: etwoy on Feb 25, '02 04:41:58PM
As I'm doing this exact thing, and Mail.app has no problem with it whatsoever...

Did you make yourself a Certificate Authority certificate as well? This is necessary for a proper self-signed certificate...

Does the name defined in the certificate match the name by which you are contacting the server?

In my experience, it's only Internet Explorer and Entourage/OE that have problems with self-signed certificates on Macs, as they (unlike most browsers) have no facility to directly add a CA to your list of CA's. To get around this, you can either:

* From the CLI export your CA certificate in DER format, then put it on a website.
* Using IE on a PC, access a website running on the box with your self-signed certificate, and you will be prompted to examine the certificate and asked whether to add it to the list of trusted CA's. In the middle of this process, you can choose to export the certificate for the CA in DER format. Put this on a website.

Once you've done one of these (the second way is easier, but requires a web server with SSL running on the box, the former is a bit more difficult to work out the correct syntax) access the website where you have put the DER certificate using Internet Explorer. You will then be prompted whether you wish to trust the new Certificate Authority or not. (For an example, look at one of my certificates).

Once you've done this, Entourage/OE will trust your CA and you can run an SSL connection without complaints.

As I said at the beginning, Mail.app seems to have no problems with a self-signed certificate in my environment. Other browsers also will prompt you as to whether you wish to add the CA, but IE is kind of braindead and you have to do it in this roundabout manner...

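The two checks raised in the comment above (a CA certificate exported in DER format, and a server certificate whose name matches the host being contacted), as an added example that is not part of the original posts. It assumes the `openssl` command-line tool with its default configuration; the CA name, the host name `mail.example.internal` and all file names are constructed.

```sh
#!/bin/sh
# Added example: host name, CA name and file names are constructed.
set -e

# Create a throwaway CA in directory $1 and use it to sign a server
# certificate whose CN is the host name $2 that clients will connect to.
make_ca_and_server() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Internal CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
    openssl x509 -req -in "$1/server.csr" -days 30 \
        -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/server.pem" 2>/dev/null
}

# Convert the PEM CA certificate $1 into the DER file $2 for import.
export_ca_der() {
    openssl x509 -in "$1" -outform DER -out "$2"
}

# SHA-256 fingerprint of certificate $1 stored in format $2 (PEM or DER).
cert_fingerprint() {
    openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256
}

# Succeeds only if server cert $2 chains to CA $1 and is valid for host $3.
check_server_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    openssl x509 -in "$2" -noout -checkhost "$3" \
        | grep -q "does match certificate"
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_ca_and_server "$work" mail.example.internal
export_ca_der "$work/ca.pem" "$work/ca.der"
cert_fingerprint "$work/ca.der" DER
check_server_cert "$work/ca.pem" "$work/server.pem" mail.example.internal \
    && echo "chain and host name OK"
```

Comparing the fingerprint printed here with the one a client shows in its import prompt confirms that the DER file fetched from the website is the CA certificate that was exported.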
Are you sure everything is ok?
Authored by: etwoy on Feb 25, '02 04:52:07PM

btw, for clicking on that link to one of my certificates, do it with IE. Omniweb doesn't seem to work, but also has no problems connecting to a self-signed certificate SSL site.

Are you sure everything is ok?
Authored by: acdha on Feb 25, '02 05:24:05PM
Did you make yourself a Certificate Authority certificate as well? This is necessary for a proper self-signed certificate...
Yes - the CA key is what I added to my store, as we use it to sign keys for a bunch of internal stuff we don't feel like paying Verisign to use.
Does the name defined in the certificate match the name by which you are contacting the server?
Yes - I issued those servers certificates which match the CNAME they're accessed by.

And yes, IE/OE are a pain in the ass to add the certificate to. (Even worse than Eudora, which just quietly gives up.) When I get some spare time, I want to find where IE hides its certificates and write a little installer to add our certificates there.

Are you sure everything is ok?
Authored by: etwoy on Feb 26, '02 02:48:55AM

Well I dunno what's going wrong with Mail.app in your case then, I've just got a stock standard 10.1.3 install on my laptop (hosed it by installing too much stuff from Darwin CVS... :( and from watching my logs, the SSL connection gets negotiated just fine...

My config is UW-imapd running under an stunnel on a 10.1.2 box btw. Most of my staff use Entourage, and it works better with an stunnel than it does with the native SSL support compiled into imapd. Still haven't worked out why this is the case...
