Bug 62657

Summary: mozilla mail can't connect via TLS when using custom CAs
Product: [Retired] Red Hat Linux
Reporter: Chris Ricker <chris.ricker>
Component: mozilla
Assignee: Christopher Aillon <caillon>
Status: CLOSED CURRENTRELEASE
QA Contact: Ben Levenson <benl>
Severity: high
Docs Contact:
Priority: medium
Version: 7.3
CC: wtogami
Target Milestone: ---
Target Release: ---
Hardware: i386
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-04-25 07:43:39 UTC
Type: ---

Description Chris Ricker 2002-04-03 21:28:48 UTC
I'm using a mailserver which is requiring TLS from connecting clients.  For each
client, I generate a self-signed cert using my own CA, store that server-side,
then import a pkcs12 version of it into the client.

With Netscape 4.7x mail, this worked.  When connecting to the server for the
first time, it would warn me that it did not recognize the CA which had signed
the certs.  It would then present me the CA cert from the mail server, and give
me the standard options:  accept for this session, accept until expired, etc.  I
could then select accept until expired, and from that point on everything would
just work....

With mozilla in beta3 (only version I've tried so far), this is not possible.
When connecting to the server for the first time, mozilla drops the connection
because the CA used by the server is not on its list of commercially accepted
CAs.  Furthermore, it offers no ability AFAICT to import the CA, which seems odd
since the web client does have the ability to import CAs.

Comment 1 Chris Ricker 2002-05-10 17:38:17 UTC
Still true w/ RH 7.3 gold

Comment 2 Christopher Blizzard 2002-08-29 22:05:49 UTC
Is this still an issue?

Comment 3 Chris Ricker 2002-09-25 22:49:22 UTC
Here's what I see now with RHL 8.  I set up two RHL 8 boxes, and configured
Sendmail on both machines to do starttls.  I tested that out thoroughly to make
sure everything was working, and it looked good -- certs were being used for
authentication, 168-bit encryption was being used, etc.

I then converted one machine to a client -- stopped sendmail, and instead
configured mozilla on it to connect to the remote smtp server.  I made sure that
worked without TLS first, and it did.

On the client machine, I then imported a PKCS12 version of the client's cert
into mozilla mail and configured it to use SSL when available.  When I tried to
connect to the server, it errored out because it couldn't decode the server
certificate.

This is the first bug -- it can't decode the cert b/c it doesn't recognize the
CA with which it's signed.  For web, and for SSL-tunneled POP / IMAP, mozilla
would at this point prompt the client to accept the CA....

I worked around this by putting up a web server which had a CGI to export the CA
cert to the client.  Now the client has the CA added, but it still errors out
(client reports that "certificate presented by server is invalid or corrupted.
-8192")

Comment 4 Warren Togami 2005-04-25 07:43:39 UTC
I've done this with recent mozilla and thunderbird so I think this is solved.