"Secure Connection Failed" problem

Discussion about Seamonkey builds
LoRd_MuldeR
Posts: 204
Joined: January 21st, 2007, 2:26 pm

Post by LoRd_MuldeR »

I suddenly get this error site when I try to connect to my own server via secure connection:

Before I simply got a warning about the invalid certificate (yes, I don't have one ^^) and I was able to ignore it.
Now it seems to be impossible to access my site via secure connection from SeaMonkey :(
Other browsers (Opera, IE7, ...) show a warning message, but they allow me to connect anyway...

How can I skip the error page or restore the old behavior?
LoRd_MuldeR
Posts: 204
Joined: January 21st, 2007, 2:26 pm

Post by LoRd_MuldeR »

hmm, nobody knows an answer?

I have checked the about:config site, but cannot find an option that helps here...
raj_bhaskar
Posts: 1946
Joined: November 7th, 2002, 3:50 am
Location: Glasgow, Scotland

Post by raj_bhaskar »

Could this be related to bug 327181?
Old kmc
Posts: 0
Joined: December 31st, 1969, 5:00 pm

Post by Old kmc »

Same behavior found. Mentioned by:
https://bugzilla.mozilla.org/show_bug.cgi?id=398534
LoRd_MuldeR
Posts: 204
Joined: January 21st, 2007, 2:26 pm

Post by LoRd_MuldeR »

Well, according to those "bug reports", it's an intended behavior to show an error page instead of a warning now.
That is really bad news, as it makes Firefox/SeaMonkey unusable in some situations!

I'm running a little home server for my personal stuff and of course I cannot afford to buy a "real" certificate.
Still I want to have some security using a "secure" connection and I need to access that with a browser!
Without a valid certificate it won't be 100% secure, right, as it cannot be verified that the server really is the server it pretends to be.
Nevertheless, except the very rare case that somebody has spoofed my server, it is secure!

I think the user should decide which server he wants to trust, not the browser.
I will have to move to Opera browser until this issue is solved ...
BenoitRen
Posts: 5946
Joined: April 11th, 2004, 10:20 am
Location: Belgium

Post by BenoitRen »

The support site of my ISP has a dodgy certificate. But I know it's the site I want, so I ignore the warning. So this won't be possible anymore? That sucks.
raj_bhaskar
Posts: 1946
Joined: November 7th, 2002, 3:50 am
Location: Glasgow, Scotland

Post by raj_bhaskar »

The bug I mentioned indicates that Firefox has a (deeply buried) UI that lets you add certificates to a "whitelist" (see comment 115). Should someone add a bug requesting that this be added to the SM prefs?
therube
Posts: 21698
Joined: March 10th, 2004, 9:59 pm
Location: Maryland USA

Post by therube »

It's there already :-).

Edit | Preferences | Privacy & Security | Certificates |-> Manage Certificates

That in turn updates the cert8.db file in your Profile (I believe).


PS: Thanks for posting that link. Knowing that, I was going to see if that would have fixed this bug (onlineid.bankofamerica.com sending incomplete SSL certificate chain), but it looks like BoA straightened things out on their end before I got a chance to try importing a certificate.
Fire 750, bring back 250.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript
LoRd_MuldeR
Posts: 204
Joined: January 21st, 2007, 2:26 pm

Post by LoRd_MuldeR »

So what do I need to import?

I use Apache/SSL via XAMPP with the certificate that came with the XAMPP package.
As far as I know the certificate stuff is stored at "xampp/apache/conf"
There are several SSL specific folders in that dir: "ssl.crl", "ssl.crt", "ssl.csr", "ssl.key" and "ssl.prm"
They all contain different files, but none seems to import in SeaMonkey...


 Directory of D:\xampp\apache\conf

08.10.2007  00:46    <DIR>          .
08.10.2007  00:46    <DIR>          ..
07.10.2007  23:39    <DIR>          extra
09.10.2007  03:35            20.176 httpd.conf
01.12.2005  15:34            13.340 magic
01.12.2005  15:34            15.612 mime.types
07.10.2007  23:39    <DIR>          ssl.crl
07.10.2007  23:39    <DIR>          ssl.crt
10.10.2007  21:10    <DIR>          ssl.csr
07.10.2007  23:39    <DIR>          ssl.key
07.10.2007  23:39    <DIR>          ssl.prm
08.10.2007  00:46    <DIR>          _ssl.bak
               3 File(s)         49.128 bytes

 Directory of D:\xampp\apache\conf\extra

07.10.2007  23:39    <DIR>          .
07.10.2007  23:39    <DIR>          ..
07.10.2007  23:39             2.922 httpd-autoindex.conf
07.10.2007  23:39             1.667 httpd-dav.conf
07.10.2007  23:39             2.419 httpd-default.conf
07.10.2007  23:39             1.140 httpd-info.conf
07.10.2007  23:39             5.180 httpd-languages.conf
07.10.2007  23:39               849 httpd-manual.conf
07.10.2007  23:39             3.919 httpd-mpm.conf
07.10.2007  23:39             2.229 httpd-multilang-errordoc.conf
08.10.2007  00:44            11.267 httpd-ssl.conf
07.10.2007  23:39               944 httpd-userdir.conf
07.10.2007  23:39             1.578 httpd-vhosts.conf
07.10.2007  23:39             2.496 httpd-xampp.conf
              12 File(s)         36.610 bytes

 Directory of D:\xampp\apache\conf\ssl.crl

07.10.2007  23:39    <DIR>          .
07.10.2007  23:39    <DIR>          ..
16.10.2001  08:05             1.569 Makefile
08.07.2005  13:35               331 README.CRL
               2 File(s)          1.900 bytes

 Directory of D:\xampp\apache\conf\ssl.crt

07.10.2007  23:39    <DIR>          .
07.10.2007  23:39    <DIR>          ..
16.10.2001  08:05           242.153 ca-bundle.crt
16.10.2001  08:05             1.522 Makefile
08.07.2005  13:35             1.419 README.CRT
04.12.2005  17:11               765 server.crt
16.10.2001  08:05             1.472 snakeoil-ca-dsa.crt
16.10.2001  08:05             1.192 snakeoil-ca-rsa.crt
16.10.2001  08:05             1.452 snakeoil-dsa.crt
16.10.2001  08:05             1.176 snakeoil-rsa.crt
               8 File(s)        251.151 bytes

 Directory of D:\xampp\apache\conf\ssl.csr

10.10.2007  21:10    <DIR>          .
10.10.2007  21:10    <DIR>          ..
10.10.2007  21:10    <DIR>          New Folder
08.07.2005  13:35               949 README.CSR
16.10.2001  08:05                84 server.csr
               2 File(s)          1.033 bytes

 Directory of D:\xampp\apache\conf\ssl.csr\New Folder

10.10.2007  21:10    <DIR>          .
10.10.2007  21:10    <DIR>          ..
               0 File(s)              0 bytes

 Directory of D:\xampp\apache\conf\ssl.key

07.10.2007  23:39    <DIR>          .
07.10.2007  23:39    <DIR>          ..
08.07.2005  13:35             1.235 README.KEY
04.12.2005  17:11               891 server.key
16.10.2001  08:05               668 snakeoil-ca-dsa.key
16.10.2001  08:05               887 snakeoil-ca-rsa.key
16.10.2001  08:05               668 snakeoil-dsa.key
16.10.2001  08:05               891 snakeoil-rsa.key
               6 File(s)          5.240 bytes

 Directory of D:\xampp\apache\conf\ssl.prm

07.10.2007  23:39    <DIR>          .
07.10.2007  23:39    <DIR>          ..
08.07.2005  13:35               534 README.PRM
16.10.2001  08:05               455 snakeoil-ca-dsa.prm
16.10.2001  08:05               455 snakeoil-dsa.prm
               3 File(s)          1.444 bytes


Any ideas ???
LoRd_MuldeR
Posts: 204
Joined: January 21st, 2007, 2:26 pm

Post by LoRd_MuldeR »

Here is another site that cannot be accessed any more:
https://forum.doom9.org/
Andy Boze
Posts: 2755
Joined: June 30th, 2005, 9:53 pm
Location: South Bend, IN

Post by Andy Boze »

Here's what I did. In the Certificate Manager, open the Servers tab. Click the "Add Exception..." button, then enter the base URL for your server. Click the "Confirm Security Exception" button and the certificate should be added for the site.
But then again, I may be wrong.
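
An added example, not part of any post in this thread: before confirming the exception, the certificate the browser received can be checked against the server's own `server.crt` by comparing fingerprints. It assumes the browser's certificate viewer shows a SHA-1 or SHA-256 fingerprint; the function names and the sample input are constructed for illustration.

```python
import hashlib
import hmac
import re
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL)

# Constructed stand-in for server.crt: the base64 body decodes to the bytes
# b"abc", not a real certificate. A fingerprint is only a hash over the DER
# bytes, so the code path is the same for a real file. The leading text
# mimics the human-readable dump some .crt files carry before the PEM block.
SAMPLE_PEM = (
    "Certificate:\n    (human-readable dump)\n"
    "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
)

def cert_fingerprints(pem_text):
    """Hash the DER bytes of the first certificate block in pem_text."""
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate block found")
    der = ssl.PEM_cert_to_DER_cert(match.group(0))
    return {name: hashlib.new(name, der).hexdigest()
            for name in ("sha1", "sha256")}

def normalize(fingerprint):
    """Accept 'AB:CD:..', 'ab cd ..' or 'abcd..' and return lowercase hex."""
    hexdigits = re.sub(r"[\s:]", "", fingerprint).lower()
    if not re.fullmatch(r"[0-9a-f]+", hexdigits):
        raise ValueError("fingerprint contains non-hex characters")
    return hexdigits

def matches_server_cert(pem_text, shown_fingerprint):
    """True only if the fingerprint shown by the browser is this cert's."""
    shown = normalize(shown_fingerprint)
    algo = {40: "sha1", 64: "sha256"}.get(len(shown))  # pick hash by length
    if algo is None:
        raise ValueError("expected a SHA-1 or SHA-256 fingerprint")
    return hmac.compare_digest(cert_fingerprints(pem_text)[algo], shown)

if __name__ == "__main__":
    shown = "A9:99:3E:36:47:06:81:6A:BA:3E:25:71:78:50:C2:6C:9C:D0:D8:9D"
    print(matches_server_cert(SAMPLE_PEM, shown))
```

A mismatch means the browser was handed a different certificate than the one on the server, which is the spoofing case the exception would otherwise hide.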
LoRd_MuldeR
Posts: 204
Joined: January 21st, 2007, 2:26 pm

Post by LoRd_MuldeR »

Andy Boze wrote: Here's what I did. In the Certificate Manager, open the Servers tab. Click the "Add Exception..." button, then enter the base URL for your server. Click the "Confirm Security Exception" button and the certificate should be added for the site.


Ahhh, that did the trick! Thanks a lot :)

This time they really did a good job to hide an essential feature from the end-user ^^
Wouldn't it be possible to put the "Add Security Exception" button directly on the error page?
johndoe32102002
Posts: 7
Joined: October 21st, 2007, 2:35 am

Post by johndoe32102002 »

No non-technical user, aka 90% of users, would or could mess with importing an SSL certificate into their browser's whitelist. I am writing this tantrum here in hopes the developers of SeaMonkey will allow access to invalid certificates.

Example:
URL: https://search.auburn.edu
Error: "Could not establish an encrypted connection because certificate presented by search.auburn.edu has an invalid signature."

Please, please, SeaMonkey developers, for the sake of your product's publicity and reputation, fix this bug.
therube
Posts: 21698
Joined: March 10th, 2004, 9:59 pm
Location: Maryland USA

Post by therube »

You're right.
I couldn't get that to work at all in SeaMonkey 1.1.5.

Somewhat related issue, Bug 399045 – PSM should remember valid intermediate CA certificates.
Fire 750, bring back 250.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript
LoRd_MuldeR
Posts: 204
Joined: January 21st, 2007, 2:26 pm

Post by LoRd_MuldeR »

Also I still can't get SeaMonkey to get emails via secure SSL connection from university mail server.
It always throws a "sec_error_unknown_issuer" message, no matter how often I try to import the certificate and add an exception.
Seems like adding an exception for "invalid" certificates doesn't work for the mail client.
Or the mail client doesn't recognize that the imported certificate applies to the mail server too, for some reason.

Now I can only use unencrypted (plain text) connection to fetch my mails from university server...