7:50 a.m.
Hello
I can not sync my Nokia N900 with horde groupware edition, which runs on my server, as
long as I try to establish connection over https. Connection without SSL or using the
SSLVerifyServer=0 option does the job, so I guess the problem can not lies elswhere by
some wrong settings.
The certificate is self-signed and there are no problems with other programs like web
browser. I imported the certificate manualy and I can confirm the certificate is placed
under /home/user/.maemosec-certs/ssl-ca. I also compared the imported certificate with the
original one from my server and there are no differences. So I put
"SSLServerCertificates = /home/user/.maemosec-certs/ssl-ca" in the settings. But
every sync-attemp ends with a "transport failed,retry period exceeded" error.
I found this message
http://www.mail-archive.com/syncevolution@syncevolution.org/msg01952.html so probably I am
doing something wrong. But I am not able to figure out what.
If I do not use the SSL connection but set the MD5 athentication method - will this be as
safe, as the SSL connection ?
Any help would be appreciated, thanks in advance Karel
9:17 a.m.
New subject: [SyncEvolution] problems with self-signed certificate with syncevolution on Nokia n900
On 07/28/2011 04:50 PM, karlitos(a)seznam.cz wrote:
I can not sync my Nokia N900 with horde groupware edition, which runs
on my server, as long as I try to establish connection over https. Connection without SSL
or using the SSLVerifyServer=0 option does the job, so I guess the problem can not lies
elswhere by some wrong settings.
The certificate is self-signed and there are no problems with other programs like web
browser. I imported the certificate manualy and I can confirm the certificate is placed
under /home/user/.maemosec-certs/ssl-ca. I also compared the imported certificate with the
original one from my server and there are no differences. So I put
"SSLServerCertificates = /home/user/.maemosec-certs/ssl-ca" in the settings. But
every sync-attemp ends with a "transport failed,retry period exceeded" error.
I think SSLServerCertificates needs to name a file, not a directory.
7:53 a.m.
----------------------------------------
On 07/28/2011 04:50 PM, karlitos(a)seznam.cz wrote:
> I can not sync my Nokia N900 with horde groupware edition, which runs on my
server, as long as I try to establish connection over https. Connection without
SSL or using the SSLVerifyServer=0 option does the job, so I guess the problem
can not lies elswhere by some wrong settings.
> The certificate is self-signed and there are no problems with other programs
like web browser. I imported the certificate manualy and I can confirm the
certificate is placed under /home/user/.maemosec-certs/ssl-ca. I also compared
the imported certificate with the original one from my server and there are no
differences. So I put "SSLServerCertificates =
/home/user/.maemosec-certs/ssl-ca" in the settings. But every sync-attemp ends
with a "transport failed,retry period exceeded" error.
I think SSLServerCertificates needs to name a file, not a directory.
_______________________________________________
SyncEvolution mailing list
SyncEvolution(a)syncevolution.org
http://lists.syncevolution.org/listinfo/syncevolution
Hello
The settings :
SSLServerCertificates =
/home/user/.maemosec-certs/ssl-ca/e4e5d73510589463ae16c97f95f112461e2b4723.pem
SSLVerifyHost = 0
solved my problem on my N900. But are those settings not some sort of
security-vulnerability ? Or what can I do, that the SSL certificate does properly match
the hostname ?
Now I have the same problem with Syncevolution under Ubuntu. I also did :
SSLVerifyHost = 0
but every time I would like to sync I got :
[2011-07-31 16:34:19.616] SoupTransport Failure: https://lenis.homelinux.net/horde/rpc.php
via libsoup: The SSL certificate does not match the hostname.
[2011-07-31 16:34:19.617] Transport giving up after 0 retries and 0:00min
[2011-07-31 16:34:19.618] TransportException thrown at
/work/runtests/head/syncevolution/src/syncevo/SyncContext.cpp:3478
Any Ideas ?
11:42 a.m.
New subject: [SyncEvolution] problems with self-signed certificate with syncevolution on Nokia n900
Den 31. juli 2011 16:53, skrev karlitos(a)seznam.cz:
Hello
The settings :
SSLServerCertificates =
/home/user/.maemosec-certs/ssl-ca/e4e5d73510589463ae16c97f95f112461e2b4723.pem
SSLVerifyHost = 0
solved my problem on my N900. But are those settings not some sort of
security-vulnerability ?
Probably. If you have a broken certificate and you want your software to
accept the certificate anyway, then, naturally, the only way to do that
is to reduce security.
Or what can I do, that the SSL certificate does properly match the
hostname ?
Well, obviously either the hostname or the certificate have to be
changed to match the other...
12:01 a.m.
On So, 2011-07-31 at 16:53 +0200, karlitos(a)seznam.cz wrote:
Now I have the same problem with Syncevolution under Ubuntu. I also
did :
SSLVerifyHost = 0
but every time I would like to sync I got :
[2011-07-31 16:34:19.616] SoupTransport Failure:
https://lenis.homelinux.net/horde/rpc.php via libsoup: The SSL certificate does not match
the hostname.
[2011-07-31 16:34:19.617] Transport giving up after 0 retries and 0:00min
[2011-07-31 16:34:19.618] TransportException thrown at
/work/runtests/head/syncevolution/src/syncevo/SyncContext.cpp:3478
libsoup doesn't allow fine-grained SSL checking. It is either on or off.
You'll also have to set "SSLVerifyPeer = 0" to turn if off.
Admittedly this needs to go into the docs somewhere. Not sure where,
though. Where would you have looked for such information?
--
Best Regards, Patrick Ohly
The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.
12:12 p.m.
----------------------------------------
On So, 2011-07-31 at 16:53 +0200, karlitos(a)seznam.cz wrote:
> Now I have the same problem with Syncevolution under Ubuntu. I also did :
>
> SSLVerifyHost = 0
>
> but every time I would like to sync I got :
>
>
> [2011-07-31 16:34:19.616] SoupTransport Failure:
https://lenis.homelinux.net/horde/rpc.php via libsoup: The SSL certificate does
not match the hostname.
> [2011-07-31 16:34:19.617] Transport giving up after 0 retries and 0:00min
> [2011-07-31 16:34:19.618] TransportException thrown at
/work/runtests/head/syncevolution/src/syncevo/SyncContext.cpp:3478
libsoup doesn't allow fine-grained SSL checking. It is either on or off.
You'll also have to set "SSLVerifyPeer = 0" to turn if off.
Admittedly this needs to go into the docs somewhere. Not sure where,
though. Where would you have looked for such information?
--
Best Regards, Patrick Ohly
The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.
So SSLVerifyHost = 0 is not the same as SSLVerifyPeer = 0 ? And what is with
SSLVerifyServer = 0 option ?
But as Ove Kåven said it will be viser to create a new certificate with the right
hostname. I created the certificate with a script from the cherokee-webserver package and
I do not see any option to set the hostname :
Generating RSA private key, 2048 bit long modulus
.............................................................+++
.............................+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Signature ok
subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
Getting Private key
12:28 p.m.
On Mo, 2011-08-01 at 21:12 +0200, karlitos(a)seznam.cz wrote:
So SSLVerifyHost = 0 is not the same as SSLVerifyPeer = 0 ? And what
is with SSLVerifyServer = 0 option ?
No, they are different. SSLVerifyHost disables less than
SSLVerifyServer:
$ syncevolution SSLVerifyServer=? SSLVerifyHost=?
'SSLVerifyServer=?'
The client refuses to establish the connection unless
the server presents a valid certificate. Disabling this
option considerably reduces the security of SSL
(man-in-the-middle attacks become possible) and is not
recommended.
'SSLVerifyHost=?'
The client refuses to establish the connection unless the
server's certificate matches its host name. In cases where
the certificate still seems to be valid it might make sense
to disable this option and allow such connections.
--
Best Regards, Patrick Ohly
The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.
1:03 p.m.
I undertsnad this, but in the previous message you wrote about SSLVerifyPeer = 0. Or does
this mean Peer = Server ?
I would rather create propper certificate than disable the server verification, still do
not how. I try to ask somewhere else.
----------------------------------------
On Mo, 2011-08-01 at 21:12 +0200, karlitos(a)seznam.cz wrote:
> So SSLVerifyHost = 0 is not the same as SSLVerifyPeer = 0 ? And what is with
SSLVerifyServer = 0 option ?
No, they are different. SSLVerifyHost disables less than
SSLVerifyServer:
$ syncevolution SSLVerifyServer=? SSLVerifyHost=?
'SSLVerifyServer=?'
The client refuses to establish the connection unless
the server presents a valid certificate. Disabling this
option considerably reduces the security of SSL
(man-in-the-middle attacks become possible) and is not
recommended.
'SSLVerifyHost=?'
The client refuses to establish the connection unless the
server's certificate matches its host name. In cases where
the certificate still seems to be valid it might make sense
to disable this option and allow such connections.
--
Best Regards, Patrick Ohly
The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.
10:46 p.m.
On Mo, 2011-08-01 at 22:03 +0200, karlitos(a)seznam.cz wrote:
I undertsnad this, but in the previous message you wrote about
SSLVerifyPeer = 0. Or does this mean Peer = Server ?
Oh sorry. Yes, I meant SSLVerifyServer.
--
Best Regards, Patrick Ohly
The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.
3552
days inactive
3557
days old
syncevolution@synevolution.org
9 comments
3 participants
participants (3)
-
karlitos@seznam.cz -
Ove Kåven -
Patrick Ohly