Nelson B. Bolyard wrote:

> Ingo Kappler wrote:
>> 
>> For secure mail connections I use a selfsigned certificate on the server,
> 
> You mentioned imaps and pop3s in the subject.  Did you mean imaps and
> smtps? AFAIK, mozilla doesn't do pop3 over SSL, but does do imaps and
> smtps.

Sorry, I don't know if I know everything right. But when I spoke from pop3s 
and imaps I ment the entrances in /etc/inetd.conf. 

ie: 
# pop3 stream tcp nowait root /usr/sbin/tcpd /usr/sbin/ipop3d
pop3s stream tcp nowait root /usr/sbin/ipop3d /usr/sbin/ipop3d
#
# stream tcp nowait root /usr/sbin/tcpd /usr/sbin/imapd
imaps stream tcp nowait root /usr/sbin/imapd /usr/sbin/imapd

Maybe pop3s uses smtps? 

>> created with openssl. It works for my needs with netscape 6.2 and kmail
>> and other programs, except mozilla 1.0 and netscape 7.
>> 
>> I get an error message saying it couldn`t establish a secure connection
>> for the cert might be destroyed or not usable with error-code -8182.
> 
> Hmmm.  bugzilla bug http://bugzilla.mozilla.org/show_bug.cgi?id=153232
> reports a similar complaint, except that in that bug, the submittor was
> using the cert for https, not for IMAPS, and the submittor did not claim
> that his cert worked with earlier versions of mozilla.  I was unable to
> connect to that user's https server with Communicator 4.x or with IE 5.5.
> When I examined that user's cert with NSS 3.4.1, I found that the cert's
> signature did not verify properly.  That is the meaning of error -8182,
> the cert's signature was invalid.
> 
> But your case is different because you claim it worked with earlier
> versions of mozilla.
> 
>> What has changed?
> 
> The version of NSS used by PSM in mozilla has changed, for one thing.
> There have also been numerous other changes in PSM.  PSM's error handling
> UI for SSL has changed.
> 
> One conceivable explanation (and pure conjecture) might be that earlier
> versions of PSM in mozilla did not verify the signature of the server
> cert for IMAPS or SMTPS, or ignored the signature verification error.
> 
> Perhaps earlier versions of PSM let you mark the cert as trusted,
> even though the signature was invalid, and current versions
> 
> Another conjecture is that perhaps a change in NSS has caused it to no
> longer be able to correctly verify some valid signatures, but can still
> verify most other valid signatures.  This seems less likely to me than
> the previous conjecture, but I would like to test your cert with both
> the present and older versions of NSS to confirm or refute this
> possiblity.

The certificate actually works with Netscape 4.x (imaps), Netscape 6.2 
(imaps,"pop3s ?"), kmail (imaps, "pop3s ?") and versions of Outlook which I 
personally don't use.

> Without a copy of your cert, I can only conjecture about the cause.
> Please file a bug against PSM in bugzilla and attach your server cert to
> it. Please be sure to explain exactly how you were using the cert, both in
> earlier versions of mozilla that worked and in the versions that failed.

There is no change on my side.

> If you could make your server available to us for testing that might
> also help.  We would not need an actual account on the server for testing
> purposes, I believe.

It's the first time I get asked to fill up a bug report. Ok, I will look 
how to do it. But what have I exactly to do, to make testing possible for 
you? If needed I could give you a mail account too.

Are You interested in the way how I created the certificate? I just could 
post it too.

Thank-you for your answer.

>> Thanks Ingo
> 
> --
> Nelson Bolyard
> Disclaimer:                  I speak for myself, not for Netscape


Reply via email to