date: Mon, 2 Nov 2009 13:30:17 +0000
group: uk.net.providers.aaisp
Webmail logon: certificate problem with Firefox 3.5.3
I have finally got around to experimenting (with some sub-domains) with the
C mail servers, and hence the various webmail interfaces.
Suppose I go to:
https://blue.wingsandbeaks.org.uk.mail.aaisp.net.uk/
Using Firefox 3.5.3, I then get told that the site is 'untrusted' because of
a certificate problem. I'm shown 'technical details'
blue.wingsandbeaks.org.uk.mail.aaisp.net.uk uses an invalid
security certificate.
The certificate is only valid for the following names:
*.net.uk.mail.aaisp.net.uk , *.co.uk.mail.aaisp.net.uk ,
*.org.uk.mail.aaisp.net.uk , *.me.uk.mail.aaisp.net.uk ,
*.ltd.uk.mail.aaisp.net.uk , *.ac.uk.mail.aaisp.net.uk ,
*.plc.uk.mail.aaisp.net.uk , *.com.mail.aaisp.net.uk ,
*.net.mail.aaisp.net.uk , *.org.mail.aaisp.net.uk ,
*.info.mail.aaisp.net.uk , *.gg.mail.aaisp.net.uk ,
*.nu.mail.aaisp.net.uk , *.biz.mail.aaisp.net.uk ,
*.mail.aaisp.net.uk , smtp.aaisp.net.uk
(Error code: ssl_error_bad_cert_domain)
Before you tell me I have to install the CAcert certificate, I did that last
night (after which I was able to use this webpage) and both machines I've
tried this on have been rebooted since.
If in Firefox, I go to Tools -> Options -> Advanced -> Encryption -> View
Certificates, then on each machine there /is/ one called "Root CA".
So, what now?
--
Jeremy C B Nicoll - my opinions are my own.
Email sent to my from-address will be deleted. Instead, please reply
to newsreplynnn@wingsandbeaks.org.uk replacing "nnn" by "284".
date: Mon, 2 Nov 2009 13:30:17 +0000
author: Jeremy Nicoll - news posts
|
Re: Webmail logon: certificate problem with Firefox 3.5.3
On Mon, 2009-11-02 at 13:30 +0000, Jeremy Nicoll - news posts wrote:
>
> Using Firefox 3.5.3, I then get told that the site is 'untrusted' because of
> a certificate problem. I'm shown 'technical details'
>
> blue.wingsandbeaks.org.uk.mail.aaisp.net.uk uses an invalid
> security certificate.
Didn't firefox stop accepting wildcard certificates by default?
--
dwmw2
date: Mon, 02 Nov 2009 13:40:52 +0000
author: David Woodhouse
|
Re: Webmail logon: certificate problem with Firefox 3.5.3
David Woodhouse wrote:
> On Mon, 2009-11-02 at 13:30 +0000, Jeremy Nicoll - news posts wrote:
>>
>> Using Firefox 3.5.3, I then get told that the site is 'untrusted' because of
>> a certificate problem. I'm shown 'technical details'
>>
>> blue.wingsandbeaks.org.uk.mail.aaisp.net.uk uses an invalid
>> security certificate.
>
> Didn't firefox stop accepting wildcard certificates by default?
I thought this was odd, because we rely on wildcard certs for various
bits at work and haven't had any problem reports, and I found
http://www.sslshopper.com/article-ssl-certificates-in-firefox-3.5.html
which claims that this is only the case for multi-level wildcarding,
ie foo.bar.example.org would not be accepted with a cert CN of
*.example.org, but quux.example.org would be.
--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
date: Mon, 2 Nov 2009 13:49:52 +0000 (UTC)
author: Dominic Hargreaves
|
Re: Webmail logon: certificate problem with Firefox 3.5.3
Jeremy Nicoll - news posts wrote:
> I have finally got around to experimenting (with some sub-domains) with the
> C mail servers, and hence the various webmail interfaces.
>
> Suppose I go to:
>
> https://blue.wingsandbeaks.org.uk.mail.aaisp.net.uk/
>
>
> Using Firefox 3.5.3, I then get told that the site is 'untrusted' because of
> a certificate problem. I'm shown 'technical details'
>
> blue.wingsandbeaks.org.uk.mail.aaisp.net.uk uses an invalid
> security certificate.
>
> The certificate is only valid for the following names:
> *.net.uk.mail.aaisp.net.uk , *.co.uk.mail.aaisp.net.uk ,
> *.org.uk.mail.aaisp.net.uk , *.me.uk.mail.aaisp.net.uk ,
> *.ltd.uk.mail.aaisp.net.uk , *.ac.uk.mail.aaisp.net.uk ,
> *.plc.uk.mail.aaisp.net.uk , *.com.mail.aaisp.net.uk ,
> *.net.mail.aaisp.net.uk , *.org.mail.aaisp.net.uk ,
> *.info.mail.aaisp.net.uk , *.gg.mail.aaisp.net.uk ,
> *.nu.mail.aaisp.net.uk , *.biz.mail.aaisp.net.uk ,
> *.mail.aaisp.net.uk , smtp.aaisp.net.uk
>
> (Error code: ssl_error_bad_cert_domain)
>
>
>
> Before you tell me I have to install the CAcert certificate, I did that last
> night (after which I was able to use this webpage) and both machines I've
> tried this on have been rebooted since.
>
> If in Firefox, I go to Tools -> Options -> Advanced -> Encryption -> View
> Certificates, then on each machine there /is/ one called "Root CA".
>
>
> So, what now?
>
>
Firefox (and maybe other browsers) match wildcard domains only against a
single host, and not a subdomain of that host.
eg
*.org.uk.mail.aaisp.net.uk
matches:
wingsandbeaks.org.uk.mail.aaisp.net.uk
but it does not match:
blue.wingsandbeaks.org.uk.mail.aaisp.net.uk
You'll need to add an exception, which Firefox will allow you to do.
--
Andrew
date: Tue, 03 Nov 2009 14:55:11 +0000
author: Andrew Hearn
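The single-label wildcard rule described in the reply above, as an added example that is not part of the original thread: a small Python matcher run over the names from the quoted Firefox error. The function names are illustrative, and only a whole leftmost `*` label is handled.

```python
# Added example: single-label wildcard matching for certificate names.
# Function names are illustrative; only a whole leftmost "*" label is handled.

# Names copied from the Firefox error quoted in the thread.
CERT_NAMES = [
    "*.net.uk.mail.aaisp.net.uk", "*.co.uk.mail.aaisp.net.uk",
    "*.org.uk.mail.aaisp.net.uk", "*.me.uk.mail.aaisp.net.uk",
    "*.ltd.uk.mail.aaisp.net.uk", "*.ac.uk.mail.aaisp.net.uk",
    "*.plc.uk.mail.aaisp.net.uk", "*.com.mail.aaisp.net.uk",
    "*.net.mail.aaisp.net.uk", "*.org.mail.aaisp.net.uk",
    "*.info.mail.aaisp.net.uk", "*.gg.mail.aaisp.net.uk",
    "*.nu.mail.aaisp.net.uk", "*.biz.mail.aaisp.net.uk",
    "*.mail.aaisp.net.uk", "smtp.aaisp.net.uk",
]

def _labels(name):
    return name.lower().rstrip(".").split(".")

def name_matches(pattern, host):
    """True if the certificate name covers host; "*" stands for exactly one label."""
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h) or "" in h:
        return False              # a wildcard never spans a dot
    if p[1:] != h[1:]:
        return False              # everything right of the first label is literal
    return p[0] == "*" or p[0] == h[0]

def covering_names(host, names=CERT_NAMES):
    return [n for n in names if name_matches(n, host)]

def near_misses(host, names=CERT_NAMES):
    """Wildcard names whose suffix fits host but which would need "*" to
    cover more than one label; returns (name, labels_needed) pairs."""
    out = []
    h = _labels(host)
    for n in names:
        p = _labels(n)
        if p[0] == "*" and len(h) > len(p) and h[-(len(p) - 1):] == p[1:]:
            out.append((n, len(h) - len(p) + 1))
    return out

if __name__ == "__main__":
    for host in ("wingsandbeaks.org.uk.mail.aaisp.net.uk",
                 "blue.wingsandbeaks.org.uk.mail.aaisp.net.uk"):
        print(host, covering_names(host), near_misses(host))
```

`near_misses` shows why the failing hostname looks as if it should be covered: two of the listed wildcards share its suffix, but each would need `*` to stand for more than one label.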
|
Re: Webmail logon: certificate problem with Firefox 3.5.3
Andrew Hearn wrote:
> Firefox (and maybe other browsers) match wildcard domains only against a
> single host, and not a subdomain of that host.
>
> eg
> *.org.uk.mail.aaisp.net.uk
> matches:
> wingsandbeaks.org.uk.mail.aaisp.net.uk
>
> but it does not match:
> blue.wingsandbeaks.org.uk.mail.aaisp.net.uk
>
> You'll need to add an exception, which Firefox will allow you to do.
OK, if that's the only way...
Can I then suggest that on webpages: http://www.aaisp.net.uk/cacert.html &
http://aa.nu/cacert.html where you advise people that adding the CAcert
certificate to their browser will solve the problem:
    If you do this then our site will no longer get a warning, and
    neither will any others that use CAcert. This is obviously what
    we would recommend.
that this solution only applies to domains and not sub-domains, and give an
example (like above) for those who don't understand what that means. This
might stop others from embarking on a wild goose chase.
Thanks for the reply!
--
Jeremy C B Nicoll - my opinions are my own.
Email sent to my from-address will be deleted. Instead, please reply
to newsreplynnn@wingsandbeaks.org.uk replacing "nnn" by "284".
date: Tue, 3 Nov 2009 15:17:54 +0000
author: Jeremy Nicoll - news posts