Red Hat Bugzilla – Bug 62657
mozilla mail can't connect via TLS when using custom CAs
Last modified: 2007-04-18 12:41:39 EDT

I'm using a mailserver which is requiring TLS from connecting clients. For each
client, I generate a self-signed cert using my own CA, store that server-side,
then import a pkcs12 version of it into the client.
With Netscape 4.7x mail, this worked. When connecting to the server for the
first time, it would warn me that it did not recognize the CA which had signed
the certs. It would then present me the CA cert from the mail server, and give
me the standard options: accept for this session, accept until expired, etc. I
could then select accept until expired, and from that point on everything would
With mozilla in beta3 (only version I've tried so far), this is not possible.
When connecting to the server for the first time, mozilla drops the connection
because the CA used by the server is not on its list of commercially accepted
CAs. Furthermore, it offers no ability AFAICT to import the CA, which seems odd
since the web client does have the ability to import CAs.

Still true w/ RH 7.3 gold

Is this still an issue?

Here's what I see now with RHL 8. I set up two RHL 8 boxes, and configured
Sendmail on both machines to do starttls. I tested that out thoroughly to make
sure everything was working, and it looked good -- certs were being used for
authentication, 168-bit encryption was being used, etc.
I then converted one machine to a client -- stopped sendmail, and instead
configured mozilla on it to connect to the remote smtp server. I made sure that
worked without TLS first, and it did.
On the client machine, I then imported a PKCS12 version of the client's cert
into mozilla mail and configured it to use SSL when available. When I tried to
connect to the server, it errored out because it couldn't decode the server
This is the first bug -- it can't decode the cert b/c it doesn't recognize the
CA with which it's signed. For web, and for SSL-tunneled POP / IMAP, mozilla
would at this point prompt the client to accept the CA....
I worked around this by putting up a web server which had a CGI to export the CA
cert to the client. Now the client has the CA added, but it still errors out
(client reports that "certificate presented by server is invalid or corrupted.
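
The setup the original report describes (a private CA, a client cert signed by it and exported as PKCS#12) and the check behind the "can't decode the cert" failure in the later comment (a server cert chained to a private CA cannot be validated until that CA itself is trusted) can be reproduced with the OpenSSL command line. The script below is an added example, not code from the bug report or from Mozilla/Sendmail; the CA name, host name, e-mail address, file names and PKCS#12 password are made up, and it assumes an `openssl` binary on PATH and writes into a temporary directory.

```shell
#!/bin/sh
# Added example (not from the bug report): build a private CA, issue a server
# cert and a client cert signed by it, export the client cert as PKCS#12, and
# show that the server cert only verifies once the CA cert is in the trust store.
# Assumptions: `openssl` CLI on PATH; all names below are constructed.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Create the private CA: a key plus a self-signed CA certificate.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Private CA" \
        -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
}

# Issue a certificate signed by the CA.  $1 = file base name, $2 = subject CN.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORKDIR/$1.csr" -days 365 \
        -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
        -out "$WORKDIR/$1.crt" 2>/dev/null
}

# Bundle key, cert and the CA cert into a PKCS#12 file, which is the form a
# mail client imports.  $1 = file base name.  Password is a made-up value.
export_pkcs12() {
    openssl pkcs12 -export -inkey "$WORKDIR/$1.key" -in "$WORKDIR/$1.crt" \
        -certfile "$WORKDIR/ca.crt" -passout pass:changeit \
        -out "$WORKDIR/$1.p12" 2>/dev/null
}

# Verify the server cert.  $1 = CA file to trust, or "" to use only the
# default (system) trust store, which does not know our private CA.
# Returns 0 when the chain validates, non-zero otherwise.
verify_with() {
    if [ -n "$1" ]; then
        openssl verify -CAfile "$1" "$WORKDIR/server.crt" >/dev/null 2>&1
    else
        openssl verify "$WORKDIR/server.crt" >/dev/null 2>&1
    fi
}

main() {
    make_ca
    issue_cert server "mail.example.test"
    issue_cert client "alice@example.test"
    export_pkcs12 client

    # Same situation as the bug: the server cert is fine, but the client has
    # no way to chain it to a CA it trusts, so validation fails.
    if verify_with ""; then
        echo "server cert verified with the default trust store (unexpected)"
    else
        echo "server cert NOT verifiable with the default trust store: unknown CA"
    fi

    # Once the CA cert is added to the trust store the same cert validates.
    if verify_with "$WORKDIR/ca.crt"; then
        echo "server cert verifies once ca.crt is trusted"
    fi
    echo "artifacts written to $WORKDIR"
}

main
```

Run it as `sh make-private-ca.sh`; the two `verify_with` calls in `main` are the check a client performs, and the second one only succeeds because `ca.crt` was supplied explicitly, which is exactly what the mail client in the report had no way to do.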
I've done this with recent mozilla and thunderbird so I think this is solved.