Quarter Life Crisis

The world according to Sven-S. Porst

SSL

This is actually mentioned in the help for Apple's Mail program but I can't find it anymore and nobody in their right mind would look there for advanced information anyway...

The danger with system upgrades is that they break things. They won't break the whole system, but its behaviour will change more or less subtly here and there, so that things start to behave strangely and look broken. OS X.3 is no exception. My dad checks his work e-mail via an SSL-encrypted POP3 connection. This used to work just fine in X.2. In X.3, however, Mail would complain about the certificate used by the mail server.

Apparently, they had generated that certificate themselves and it wasn't signed by an 'authority', so Mail considers it invalid. While this may be a good idea security-wise, having Mail come up with a dialogue asking what to do about that certificate every time the application is launched isn't nice. It will look like a blatantly bad idea if the person using that computer is absolutely allergic to changes that make it harder to use.

Thus, I found myself going to the net to find information about that strange 'X509' keychain thing and obscure terminal commands, and learning enough about certificates to actually extract the mail server's certificate from Mail. Ugh. No fun. But then I stumbled across that section in Mail's help:

Whenever you're presented with a window that asks about a certificate and is capable of displaying the certificate's information, there will be an icon displayed for the certificate. This isn't just for decoration; it is in fact draggable. Dragging it to the desktop will give you a text clipping containing the information displayed in the window. Holding option and dragging it to the desktop will create a machine-readable '.cer' file containing the certificate.

It can be double clicked in the Finder and be imported into the keychain that way. If you're lucky, the keychain application will give you the option to add the certificate to the 'X509' keychain after entering your administrator password. Once you've done this you won't be bothered again.

The caveat in the previous paragraph was 'if you're lucky'. Somehow this option isn't given for all certificates. E.g. when trying to use an SSL-encrypted POP connection with the GMX web mail service, the option isn't available. I don't understand why this happens, but it does. Also, I wonder whether the same technique could in theory be used by Safari to permanently trust web sites whose certificates can't be verified by the program. More information on this topic will be appreciated.
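
What the import step changes can be reproduced with openssl, as an added example that is not part of the original post: a self-signed certificate fails validation until that same certificate is supplied as a trusted anchor, and its fingerprint is the value to compare with the server's administrator before trusting it. The certificate, the host name mail.example.org and the file names are constructed, and the '.cer' file is assumed to be DER-encoded.

```shell
#!/bin/sh
# Added example; mail.example.org and all file names are constructed placeholders.

# Create a throwaway self-signed certificate standing in for the mail server's and
# store it as $1/server.cer (assumption: the exported '.cer' file is DER-encoded).
make_demo_cer() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=mail.example.org" \
        -keyout "$1/key.pem" -out "$1/server.pem" 2>/dev/null &&
    openssl x509 -in "$1/server.pem" -outform DER -out "$1/server.cer"
}

# Print the SHA-256 fingerprint of a '.cer' file, for comparison with a value
# obtained from the server's administrator before the certificate is trusted.
cer_fingerprint() {
    openssl x509 -inform DER -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# True if the issuer and subject name hashes match, i.e. no separate authority
# issued the certificate.
is_self_issued() {
    [ "$(openssl x509 -inform DER -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -inform DER -in "$1" -noout -issuer_hash)" ]
}

# Validate '.cer' file $1. If $2 is given, that '.cer' file is added as an
# explicitly trusted anchor, which models importing it into a trusted keychain.
cer_verifies() {
    tmp=$(mktemp -d) || return 1
    openssl x509 -inform DER -in "$1" -out "$tmp/cert.pem"
    if [ -n "${2:-}" ]; then
        openssl x509 -inform DER -in "$2" -out "$tmp/anchor.pem"
        out=$(openssl verify -CAfile "$tmp/anchor.pem" "$tmp/cert.pem" 2>&1) || true
    else
        out=$(openssl verify "$tmp/cert.pem" 2>&1) || true
    fi
    rm -rf "$tmp"
    case $out in *": OK"*) return 0 ;; *) return 1 ;; esac
}

# Demo on the constructed certificate.
demo=$(mktemp -d)
make_demo_cer "$demo"
echo "fingerprint:   $(cer_fingerprint "$demo/server.cer")"
if is_self_issued "$demo/server.cer"; then echo "self-issued:   yes"; fi
if ! cer_verifies "$demo/server.cer"; then echo "default trust: rejected"; fi
if cer_verifies "$demo/server.cer" "$demo/server.cer"; then echo "with anchor:   accepted"; fi
rm -rf "$demo"
```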

November 11, 2003, 11:42

Trackback

Trackback “Certifiable” from freeform goodness:

As unfashionable as it is to suggest a public sector solution to a problem that is (allegedly) being handled by the private sector, I think that personal certificates, at least, are something that governments, particularly at the state or province leve…

November 12, 2003, 17:33

Comments

Comment by Tom Insam:

I get very similar behaviour, as I get my mail over encrypted IMAP. Except that as I drag the cert out, Mail.app freezes, and I have to force-quit it. Great.

November 11, 2003, 16:01

Comment by ssp:

Tom: That sounds unfortunate. I don’t know about an ssl imap server, so I couldn’t check that one. All I can say is ‘works for me using POP’. Not much help, I guess.

November 13, 2003, 0:38

Comment by Michael Hall:

The lockup happens if you try to drag the certificate icon upon opening Mail.app. To stop the lockup, you’ve got to click “Cancel” at the certificate challenge, then bring the IMAP account online from within Mail.app proper. Then you can “Show Certificate” at the certificate challenge and it’ll act as it should, draggable and all.

September 25, 2004, 8:50
