Bug 62657 - mozilla mail can't connect via TLS when using custom CAs
Summary: mozilla mail can't connect via TLS when using custom CAs
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: mozilla
Version: 7.3
Hardware: i386
OS: Linux
Priority: medium
Severity: high
Target Milestone: ---
Assignee: Christopher Aillon
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2002-04-03 21:28 UTC by Chris Ricker
Modified: 2007-04-18 16:41 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-04-25 07:43:39 UTC
Embargoed:



Description Chris Ricker 2002-04-03 21:28:48 UTC
I'm using a mailserver which is requiring TLS from connecting clients.  For each
client, I generate a self-signed cert using my own CA, store that server-side,
then import a pkcs12 version of it into the client.

With Netscape 4.7x mail, this worked.  When connecting to the server for the
first time, it would warn me that it did not recognize the CA which had signed
the certs.  It would then present me the CA cert from the mail server, and give
me the standard options:  accept for this session, accept until expired, etc.  I
could then select accept until expired, and from that point on everything would
just work....

With mozilla in beta3 (only version I've tried so far), this is not possible. 
When connecting to the server for the first time, mozilla drops the connection
because the CA used by the server is not on its list of commercially accepted
CAs.  Furthermore, it offers no ability AFAICT to import the CA, which seems odd
since the web client does have the ability to import CAs.

Comment 1 Chris Ricker 2002-05-10 17:38:17 UTC
Still true w/ RH 7.3 gold

Comment 2 Christopher Blizzard 2002-08-29 22:05:49 UTC
Is this still an issue?

Comment 3 Chris Ricker 2002-09-25 22:49:22 UTC
Here's what I see now with RHL 8.  I set up two RHL 8 boxes, and configured
Sendmail on both machines to do starttls.  I tested that out thoroughly to make
sure everything was working, and it looked good -- certs were being used for
authentication, 168-bit encryption was being used, etc.

I then converted one machine to a client -- stopped sendmail, and instead
configured mozilla on it to connect to the remote smtp server.  I made sure that
worked without TLS first, and it did.

On the client machine, I then imported a PKCS12 version of the client's cert
into mozilla mail and configured it to use SSL when available.  When I tried to
connect to the server, it errored out because it couldn't decode the server
certificate.

This is the first bug -- it can't decode the cert b/c it doesn't recognize the
CA with which it's signed.  For web, and for SSL-tunneled POP / IMAP, mozilla
would at this point prompt the client to accept the CA....

I worked around this by putting up a web server which had a CGI to export the CA
cert to the client.  Now the client has the CA added, but it still errors out
(client reports that "certificate presented by server is invalid or corrupted.
-8192")

Comment 4 Warren Togami 2005-04-25 07:43:39 UTC
I've done this with recent mozilla and thunderbird so I think this is solved.
