I'm using a mail server that requires TLS from connecting clients. For each client, I generate a self-signed cert using my own CA, store that server-side, then import a PKCS12 version of it into the client. With Netscape 4.7x mail, this worked. When connecting to the server for the first time, it would warn me that it did not recognize the CA which had signed the certs. It would then present me the CA cert from the mail server and give me the standard options: accept for this session, accept until expired, etc. I could then select accept until expired, and from that point on everything would just work... With Mozilla in beta3 (the only version I've tried so far), this is not possible. When connecting to the server for the first time, Mozilla drops the connection because the CA used by the server is not on its list of commercially accepted CAs. Furthermore, it offers no ability AFAICT to import the CA, which seems odd since the web client does have the ability to import CAs.
Still true with RH 7.3 gold.
Is this still an issue?
Here's what I see now with RHL 8. I set up two RHL 8 boxes and configured Sendmail on both machines to do STARTTLS. I tested that out thoroughly to make sure everything was working, and it looked good -- certs were being used for authentication, 168-bit encryption was being used, etc. I then converted one machine to a client -- stopped Sendmail, and instead configured Mozilla on it to connect to the remote SMTP server. I made sure that worked without TLS first, and it did. On the client machine, I then imported a PKCS12 version of the client's cert into Mozilla mail and configured it to use SSL when available. When I tried to connect to the server, it errored out because it couldn't decode the server certificate. This is the first bug -- it can't decode the cert because it doesn't recognize the CA with which it's signed. For web, and for SSL-tunneled POP / IMAP, Mozilla would at this point prompt the client to accept the CA... I worked around this by putting up a web server which had a CGI to export the CA cert to the client. Now the client has the CA added, but it still errors out (client reports that "certificate presented by server is invalid or corrupted. -8192").
I've done this with recent Mozilla and Thunderbird, so I think this is solved.