Bug#703587: libnss3 update disables some (self signed) certs (with Icedove)

Daniel Kahn Gillmor dkg at fifthhorseman.net
Sun Mar 24 05:41:34 UTC 2013


On 03/23/2013 09:38 PM, Philonous Atio wrote:

> I agree with dkg that "this sounds to me like a bug in the logic of the
> upgraded version of NSS." It needs to be fixed

Please read the rest of my comments in this bug, Philonous -- I think
you should have the remote server's certificate loaded in your "Servers"
tab, not in your "Authorities" tab.  If you have it in your "Servers"
tab, and you use "Edit Trust..." to "Trust the authenticity of this
certificate", then even an MD5 self-signed cert should work for you.

You should *not* rely on these self-signed certificates as authorities,
because that allows anyone who takes control over the server's secret key
material to impersonate any other server on the internet.  On the other
hand, if you mark it as a known-valid peer, it will only be able to work
for hostnames which match the hostnames in the certificate itself.

	--dkg
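
Added example, not part of the original message: a shell function that audits `certutil -L` output from an NSS profile for entries whose SSL trust field carries authority flags (`C` or `T`), which is the configuration the message warns against for self-signed server certificates. The listing and nicknames are constructed, and it is an assumption here that the "Servers" tab trust setting corresponds to NSS's `P` (trusted peer) flag.

```shell
#!/bin/sh
# Audit an NSS certificate listing for entries trusted as SSL authorities.
# Real use (profile path is a placeholder):
#   certutil -L -d "$PROFILE_DIR" | list_ssl_authorities

# Constructed sample of `certutil -L` output; all nicknames are made up.
sample_listing() {
cat <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

mail.example.org                                             P,,
imap.internal.example                                        C,,
Example Root CA                                              CT,C,C
old-peer.example.net                                         p,,
EOF
}

# Reads a listing on stdin and prints "<nickname><TAB><SSL flags>" for every
# entry whose SSL field contains C (trusted CA for server certs) or T (trusted
# CA for client certs). Such an entry can vouch for other hosts; a P/p entry
# is only accepted for the names in the certificate itself.
# Real root CAs are listed too: the reviewer looks for host certificates here.
list_ssl_authorities() {
    awk '
        NF < 2 { next }                                    # blank lines, sub-header
        $NF !~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ { next }  # not a trust triple
        {
            split($NF, field, ",")                         # SSL, S/MIME, JAR/XPI
            if (field[1] ~ /[CT]/) {
                nick = $0
                sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)      # drop the trust column
                printf "%s\t%s\n", nick, field[1]
            }
        }'
}

# Stand-alone run on the constructed sample.
sample_listing | list_ssl_authorities
```

A host certificate that shows up in this output (here the constructed `imap.internal.example`) is the case to move from authority trust to peer trust.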
