Koozali.org: home of the SME Server

Just wondering about ssl

Jan

Just wondering about ssl
« on: August 15, 2002, 12:38:03 PM »
Hello all,

Slightly off topic here, but I believe all who use SSL and are not paying $300,- a year to have their certs certified by Verisign may be looking for a solution for the following as well.

I've installed SSL for my mail and all works like it did under 5.1.2; this includes the somewhat irritating fact that I have to manually accept the self-signed cert every time I start my mail client and check my mail the first time around (in this case I use Outlook).

I believe that webmail uses SSL also. With IExploder I just needed to install the cert on this client browser once, that's all. No more nags! I'm wondering why this can't be done in Outlook. Is there a reghack that might help? Any other solution that might work?

Any help would be great!

Regards,

Jan

Nathan Fowler

Re: Just wondering about ssl
« Reply #1 on: August 15, 2002, 06:15:58 PM »
To quote some website I googled:

"... The solution is to install your own certificates into Windows on a permanent basis, thus preventing users from being continually prompted to accept certificates. And this is the point where things usually fall apart, since most applications, such as Outlook Express, do not have the ability to import certificates from a server -- leaving users to click "Use this server" every time they check for email.

Fortunately the answer is simple and quick. Using Internet Explorer, load the URL for the service; for example, with a SSL-enabled IMAP server running on "imap.example.com," place the following URL into the Address bar:

https://imap.server.com:993/

The users will be prompted with the normal certificate dialog, and if they choose to install the certificate it will then be available to Outlook Express and other applications that make use of the Windows certificate management.

The following is a list of common SSL-enabled services and their port numbers:

SSL IMAP 993
SSL POP 995
SSL HTTP 443
SSL SMTP 465
SSL NNTP 563
SSL LDAP 636

Point Internet Explorer at the server and the appropriate port; you will be able to install the certificate with ease. To make life easier for users, you can also export the certificates, allowing for distribution in custom builds of Internet Explorer, for example, or housed on a company Intranet site."

Damien Curtain

Re: Just wondering about ssl
« Reply #2 on: August 15, 2002, 06:35:38 PM »
Jan wrote:
>
> Hello all,
>
> Slightly off topic here but because I believe all who use ssl
> and are not paying $300,- a year to have their cert's
> certified by verisign may be looking for a solution for the
> following aswell.

I'd hope no matter the price you'd avoid Verisign, they're rip-offs.

> I've installed ssl for my mail and all works like it did
> under 5.1.2., this includes the somewhat irritating fact I
> have to manually accept the selfsigned cert. every time I
> start my mail client en check my mail the first time around
> (in this case I use outlook).
>
> I believe that webmail uses ssl also. With IExploder I just
> needed to install the cert. on this client browser once,
> that's all. No more nags!  I'm wondering why this can't be
> done on outlook. Is there a reghack that might help? Any
> other solution that might work?
>
> Any help would be great!

Let's say you have POP over SSL running on your server. What you can do is connect with Internet Explorer to the URL https://yourserver:995 which then offers you a certificate dialog.

Then click 'View Certificate' -> 'Install Certificate...' -> 'Next' -> 'Next' -> 'Finish' -> 'Yes' and you're done.

Alternatively on the server you can always run:
openssl pkcs12 -export -in /usr/share/ssl/certs/<name>.pem -out <name>.p12 -name "server name"

eg:
openssl pkcs12 -export -in /usr/share/ssl/certs/securemail.pem -out /tmp/securemail.p12 -name "foo.pagefault.org"

and then I can just copy securemail.p12 to the client and double click on it and import it.
--
 Damien

Shelby Moore

Re: Just wondering about ssl
« Reply #3 on: August 15, 2002, 06:50:05 PM »
I also have a solution for the Outlook problem.  You can find my approach here:

http://www.v-cut.com/SME/HowTo/SSL-Certificates-on-SME.htm

Shelby

Nathan Fowler

Re: Just wondering about ssl
« Reply #4 on: August 15, 2002, 07:15:40 PM »
Damien, thank you for that tidbit, that's very useful. I've always wanted to export the certificate from the server, much appreciated.

Also on a side note, thank you for your CVM SASL contribution.

Thanks,
Nathan

Charlie Brady

Re: Just wondering about ssl
« Reply #5 on: August 15, 2002, 07:22:49 PM »
Shelby Moore wrote:

> I also have a solution for the Outlook problem.  You can find
> my approach here:
>
> http://www.v-cut.com/SME/HowTo/SSL-Certificates-on-SME.htm

A fine looking document.

I'm curious as to why you remove the existing certificates, and then more or less repeat the process by which they were created in the first place (except you do it "by hand"). What purpose does that serve? Or did I miss something?

Charlie

Jan

Re: Just wondering about ssl
« Reply #6 on: August 15, 2002, 07:31:53 PM »
Hello all,

Thanks for your reactions so far. I've tried a few of them .... just no luck :-(

When using https://imap.mydomain.com:993 I get an access denied message. Same thing with all the browser-based solutions. Here's the situation:

Client is an XP-Pro with Outlook XP on the local network using SME as proxy. SME is in server-only mode behind a router/firewall. Webmail prompted me to accept the SSL cert and I installed it, no problems there anymore when reconnecting. The trouble is I don't know if Outlook even uses the certs from the browser, because it seems to ignore them completely.

I also tried exporting the cert and that succeeded with no problem..... except Outlook continues ignoring all installed certs.

I must be missing something very obvious but I just don't know what. Tell me when this goes too much in the direction of just the M$ side.

With regards,

Jan

Nathan Fowler

Re: Just wondering about ssl
« Reply #7 on: August 15, 2002, 07:34:33 PM »
When installing the exported key, do not select "allow Windows to automatically select the certificate store", but instead manually specify the "Trusted Root Certification Authorities" store. Once imported you may use Outlook or Outlook Express in conjunction with secure SMTP/POP3 without receiving the nag screens.

By default, it appears this key is imported as a "Personal Key".

Thanks,
Nathan

Jan

Re: Just wondering about ssl
« Reply #8 on: August 15, 2002, 07:55:58 PM »
Nathan,

OK, I tried it that way but somehow I still get prompted. It says (translating from Dutch):

The server you are using is using a certificate that cannot be verified.

A certificate chain has been installed, however the chain terminates
in a root certificate that is not trusted by your trust provider.

Continue anyway .......

Maybe you know what's wrong here ... hope so ;-)

with regards,

Jan

Nathan Fowler

Re: Just wondering about ssl
« Reply #9 on: August 15, 2002, 07:58:30 PM »
When you exported the certificate and specified the server name, make sure you are specifying the exact same name you are using for connecting for Secure POP/SMTP. Also, look at your Trusted Certificate store and ensure you have the installed certificate listed. Also, remove the installed certificate from your personal certificates.

Let me know, I did it on 2000 and it worked, haven't tried XP yet.

Hope this helped,
Nathan

Jan

Re: Just wondering about ssl
« Reply #10 on: August 15, 2002, 08:22:26 PM »
All,

Thank you for your help. I should take a short break.... tomorrow I'll try again. Having seen all the info provided here I should be able to get it working. Once I do get it working I'll post it here.

Regards,

Jan

Shelby Moore

Re: Just wondering about ssl
« Reply #11 on: August 15, 2002, 10:21:35 PM »
First, I am a Linux newbie, and this was a while ago as you can see by the date on the HowTo. And truthfully this was my stab in the dark back then for a solution (which seems to work). Any input you would like to give would be great, as I am trying to learn all I can about Linux and how this all works.

If I remember correctly it goes back to the common name. The default certificate generated by SME has a common name of secure.mydomain.com. Which means if you log into https://www.mydomain.com you get a nag screen about the security certificate name not matching the name of the site, even if you have properly imported the certificate. (This is in IE anyway.)

In order for you not to get the nag screens you need to create a new certificate with the correct common name of www.mydomain.com.

Hope this helps clear it up, or shows where I may need to learn a thing or two.

Thanks,

Shelby

Tom Carroll

Re: Just wondering about ssl
« Reply #12 on: August 27, 2002, 02:50:38 PM »
Shelby, I noticed the same problem with "The name on the security certificate is invalid or does not match the name of the site." within IE.

I tried recreating the certificate using secure.mydomain.com for a common name and it still shows that detail.

I think it may be the way Apache is configured on SME. It sets a virtual domain on port 443 of secure.mydomain.com, when I think port 443 automatically translates to https://www.mydomain.com. I believe this because if I type in http://secure.mydomain.com/webmail or https://secure.mydomain.com/webmail I get a DNS error.

Then again, I too am a Linux newbie and I'm just trying to figure things out...

Tom

P.S.  Thanks for a great how-to!

Bill Talcott

Re: Just wondering about ssl
« Reply #13 on: October 04, 2002, 09:52:32 PM »
Jan wrote:
>
> Nathan,
>
> OK, I tried it that way but somehow I still get prompted. It
> says (translating from Dutch):
>
> The server you are using is using a certificate that cannot
> be verified.
>
> A certificate chain has been installed, however the chain
> terminates
> in a root certificate that is not trusted by your trust provider.
>
> Continue anyway .......
>
> Maybe you know what's wrong here ... hope so ;-)
>
> with regards,
>
> Jan

I just did the stuff for email over SSL too, and am running into the same problem. Even if I specify "mail.mydomain.com" when I export the .p12 file, the imported cert says just "domain.com", as verified by the "Couldn't be verified" error in Outlook Express, and by the IE popup with "http://mail.mydomain.com:993". I guess I need to add "mail.mydomain.com" to the existing cert, or make a new cert just for "mail.mydomain.com". How would I go about doing that? I'm running 5.0u6 by the way.

Bill Talcott

Re: Just wondering about ssl
« Reply #14 on: October 05, 2002, 01:35:57 AM »
Hmmmm...  I remade the cert using mail.mydomain.com as the common name again, and reinstalled it in the trust store of the PC again, and rebooted both the SME and my PC, and now OE's SSL seems to be working with mail.mydomain.com. I'm not sure exactly what I did that made it work, but it does now...
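An added example, not from any poster in this thread, tying together Damien's openssl export (Reply #2) and the common-name mismatches in Replies #11 to #14: it generates a self-signed certificate whose common name and subjectAltName entries cover every hostname clients actually type (secure, www and mail), writes a certificate-only file for client import (a .p12 made with `openssl pkcs12 -export` from SME's key+cert PEM also carries the server's private key, which should stay on the server), and checks whether a given hostname is named in the certificate, which is what decides the nag screen. The hostnames, file names and the `-addext`/`-ext` options (OpenSSL 1.1.1 or newer) are assumptions, not from the page.

```shell
#!/bin/sh
# Added example (not from this thread). Hostnames and file names are constructed.
# Requires the openssl CLI, 1.1.1 or newer (for -addext and -ext).
set -eu

CN="secure.mydomain.com"   # SME's default common name, per Shelby's reply
SANS="DNS:secure.mydomain.com,DNS:www.mydomain.com,DNS:mail.mydomain.com"
WORK="${WORK:-$(mktemp -d)}"

# 1. Private key plus self-signed certificate that names every host clients use.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$CN" -addext "subjectAltName=$SANS" \
    -keyout "$WORK/server.key" -out "$WORK/server.crt" 2>/dev/null
}

# 2. The file to hand to clients: the certificate alone. A .p12 made with
#    'openssl pkcs12 -export' from a key+cert PEM also contains the private key.
export_public_only() {
  openssl x509 -in "$WORK/server.crt" -out "$WORK/server-public.crt"
  ! grep -q "PRIVATE KEY" "$WORK/server-public.crt"   # must hold before distributing
}

# 3. Is the hostname the client connects to named in the certificate (CN or DNS SAN)?
#    Exact match only; wildcard names are deliberately not handled here.
cert_covers_host() {
  names=$(openssl x509 -in "$WORK/server.crt" -noout -subject -ext subjectAltName \
    | tr ',' '\n' | sed -n 's/.*CN *= *//p; s/.*DNS://p' | tr -d ' ')
  printf '%s\n' "$names" | grep -qx "$1"
}

main() {
  make_cert
  export_public_only
  for h in mail.mydomain.com www.mydomain.com imap.mydomain.com; do
    if cert_covers_host "$h"; then echo "$h: covered"; else echo "$h: NOT covered (nag screen)"; fi
  done
}
main
```

Run it on the server as root and copy only server-public.crt to clients; the mismatch check is the same test to run before exporting, so the name clients connect with is known to be in the certificate.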