Re: Invalid cert on IMAP
Hello Gary,

On Tue, 12 Sep 2006 16:52:48 -0500 GMT (13/09/2006, 04:52 +0700 GMT), Gary wrote:

> The protocol as you call it, (SSL, TLS) does not define that the certs have
> to be valid, never has. It is the client, TB!, that has decided for me not
> to accept it. It should be always up to the user to accept *any* cert. Every
> email client I have ever used with IMAP (about 30+ of them), over the last
> 10 years, allows one to accept a cert for whatever reason, if I so choose,
> either on a temp or permanent basis, EXCEPT TB!

I don't know about IMAP. But I second the motion that the user should have the option to accept an invalid certificate, for whatever reason. It's the user's responsibility if he compromises his system, and I am certainly against being nannied by a software that is used by email professionals.

--
Cheers,
Thomas.

SYMPTOM: Floor blurred.
FAULT: You are looking through bottom of empty glass.
ACTION: Get someone to buy you another beer.

http://thomas.fernandez.hat-gar-keine-homepage.de/

Message reply created with The Bat! 3.85.03 under Windows XP 5.1 Build 2600 Service Pack 2

Current beta is 3.85.03 | 'Using TBBETA' information: http://www.silverstones.com/thebat/TBUDLInfo.html
IMPORTANT: To register as a Beta tester, use this link first - http://www.ritlabs.com/en/partners/testers/
Re: Invalid cert on IMAP
On Wed, Sep 13, 2006 at 08:00:20PM +0700 or thereabouts, Thomas Fernandez wrote:

Hi Thomas,

> On Tue, 12 Sep 2006 16:52:48 -0500 GMT (13/09/2006, 04:52 +0700 GMT), Gary wrote:
>
> > The protocol as you call it, (SSL, TLS) does not define that the certs have
> > to be valid, never has. It is the client, TB!, that has decided for me not
> > to accept it. It should be always up to the user to accept *any* cert. Every
> > email client I have ever used with IMAP (about 30+ of them), over the last
> > 10 years, allows one to accept a cert for whatever reason, if I so choose,
> > either on a temp or permanent basis, EXCEPT TB!
>
> I don't know about IMAP. But I second the motion that the user should have
> the option to accept an invalid certificate, for whatever reason.

hear, hear :)

> It's the user's responsibility if he compromises his system, and I am
> certainly against being nannied by a software that is used by email
> professionals.

In the case of email, there is really nothing to compromise... I or anyone still has to authenticate into the system. SSL just provides me a way so that no one else can possibly listen in :)

Sometimes you will come across a website using SSL, and your browser will tell you the cert is outdated or does not match, or whatever reason... you certainly have the option to click through this to see or use the site. This is similar to email, in that you have an option to use the cert or not, and you still have the original intended security as you have to auth...

I could not agree with you more on your above statement :)

The reality of it is that I cannot use it because of the way it is currently, and this is crazy. I just love it when a program tries to protect me from myself.. let alone the fact that I have been building IMAP, email, DNS servers professionally now in Unix/Linux, for what... 8 or 10 years.
--
Gary
Re: Invalid cert on IMAP
Hi Gary!

> This is wrong.. it should ***ALWAYS*** be left to the user to decide
> whether to continue to use any cert, whether expired, or incorrect name,
> or whatever reason

Well, that depends on the protocol. It is not always up to the user to decide if the protocol (SSL, TLS, whatever) has defined that all certs used have to be valid and an expired cert isn't valid.

What if a user can use even a revoked certificate? That would break any security policies.

--
Regards,
Raymund
Re: Invalid cert on IMAP
Hi Raymund,

On Tue, 12 Sep 2006 23:28:20 +0200 UTC (9/12/2006, 4:28 PM -0500 UTC my time), Raymund Tump wrote:

> > This is wrong.. it should ***ALWAYS*** be left to the user to decide
> > whether to continue to use any cert, whether expired, or incorrect name,
> > or whatever reason

> Well, that depends on the protocol.

what protocol is that? RFC 2060 or 3501, or what?

> It is not always up to the user to decide if the protocol (SSL, TLS,
> whatever) has defined that all certs used have to be valid and an expired
> cert isn't valid.

The protocol as you call it, (SSL, TLS) does not define that the certs have to be valid, never has. It is the client, TB!, that has decided for me not to accept it. It should be always up to the user to accept *any* cert. Every email client I have ever used with IMAP (about 30+ of them), over the last 10 years, allows one to accept a cert for whatever reason, if I so choose, either on a temp or permanent basis, EXCEPT TB!

> What if a user can use even a revoked certificate? That would break
> any security policies.

what security policies in IMAP(s)? Any user who has an IMAP account, has to provide auth to get into his account in the first place. SSL provides a secure mechanism for this, that's all it does. If this server was set up to provide just normal IMAP on port 143, I would have no problems getting in.

Like I said, TB! is keeping me from making that decision, and I cannot log onto a remote IMAPs account, even though I have to be authorized by password ... so TB! is useless to me currently.

--
Gary
Invalid cert on IMAP
Hi y'all,

Well, just installed the new TB, and I logged onto a distant IMAPS server using SSL on port 993... just like I have done for years...

Since the 2 year SSL cert has just expired on this server, I cannot log on, (set up for SSL only) as TB says handshake failure. invalid server cert... (cert has expired).. even though the cert is in my root cert chain in TB, and has been for years.

This is wrong.. it should ***ALWAYS*** be left to the user to decide whether to continue to use any cert, whether expired, or incorrect name, or whatever reason

now, I cannot use IMAPS with this one remote IMAPS server because it just expired.. nothing ticks me off more than a program trying to protect me from something. No other IMAP client does this.

So just how am I supposed to get my mail from this IMAPS server during the weekend, or until the owner of the server changes his cert? Answer, use an IMAP efficient client. I should decide what I want to use and when regarding certs, not TB! TB! is useless for me currently.

--
Regards,
Gary
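
Added example, not part of the original thread or of The Bat!: one way a mail client could offer the "accept on a temp or permanent basis" option asked for above for one specific certificate, while still refusing a revoked certificate as raised in Raymund's reply. The host name, the class and method names, the sample bytes and the choice of which failures may be overridden are assumptions of this sketch; the numeric values are OpenSSL's verify error codes.

```python
import hashlib
from dataclasses import dataclass, field

# OpenSSL verify error codes (Python exposes them as
# ssl.SSLCertVerificationError.verify_code).
CERT_HAS_EXPIRED = 10
CERT_REVOKED = 23
HOSTNAME_MISMATCH = 62

# Assumption of this sketch: only these failures may be overridden by the user.
OVERRIDABLE = {CERT_HAS_EXPIRED, HOSTNAME_MISMATCH}

# Constructed sample data: stand-in bytes, not real DER certificates.
SERVER_CERT = b"constructed-bytes-standing-in-for-the-expired-server-cert"
OTHER_CERT = b"constructed-bytes-standing-in-for-a-different-cert"


@dataclass
class ExceptionStore:
    """User-approved exceptions: (host, port) -> (sha256 hex, expires_at or None)."""
    pins: dict = field(default_factory=dict)

    def approve(self, host, port, der_cert, now, ttl=None):
        """Record the user's decision; ttl=None means a permanent exception."""
        fp = hashlib.sha256(der_cert).hexdigest()
        self.pins[(host, port)] = (fp, None if ttl is None else now + ttl)

    def decide(self, host, port, der_cert, verify_code, now):
        """Return 'accept', 'ask-user' or 'reject' for a failed verification."""
        if verify_code not in OVERRIDABLE:
            return "reject"            # e.g. revoked: no user override
        pin = self.pins.get((host, port))
        if pin is None:
            return "ask-user"          # first failure for this server
        fp, expires_at = pin
        if expires_at is not None and now >= expires_at:
            del self.pins[(host, port)]
            return "ask-user"          # temporary exception has lapsed
        if hashlib.sha256(der_cert).hexdigest() != fp:
            return "reject"            # not the certificate the user approved
        return "accept"
```

The exception is bound to the exact certificate bytes the user approved, so a different certificate presented for the same host and port is refused instead of silently inheriting the approval.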