Hi, I've been testing gmail smtp with newly installed VW7.5 and while DoIt this:

message := MailMessage newTextPlain.
message
    from: [hidden email];
    to: [hidden email];
    subject: 'test gmail using vw75';
    text: 'This is my first try on smtps';
    yourself.
smtpClient := SMTPClient host: 'smtp.gmail.com'.
smtpClient user: (NetUser username: [hidden email] password: 'password').
smtpClient useSecureConnection.
smtpClient send: message

I always get an exception CA Not In Trust List!, which I find a paragraph of discussion on release note pdf document but I can't understand what to do the next.

By the way, the message sometimes gets sent after I hit the proceed button and then I get another exception. However, pop with google passes through smoothly.
Any suggestion? Thanks in advance!
-- Best Regards, Jim G |
Hi, Jim,

I don’t know if some of this info can help.

I had this problem on 7.4 / 7.4.1 for using web services on a HTTPS link.

I got this answer from Edward Stow:

------------ included text -----------------------

Giorgio,

The issues you are facing are due to the https protocol, http over ssl. Firefox and other browsers are installed with a good number of root certificate authorities (CA) issued by companies like Verisign, Thawte etc.

VW is installed without any root certificates - and so - cannot verify the certificates that are exchanged from the server to the client.

It would be very, very nice if VW was installed with the common root authorities -- and so save Giorgio and myself (from past experience) having to learn how to obtain and install the certificates.

Answers to similar problems are at: http://www.parcplace.net/list/vwnc-archive/0512/msg00099.html

------------ END included text -----------------------

And I also got some explanation by Martin Kobetic, still on the list, so you can find it in the archives:

------------ START included text -----------------------

I understand the sentiment, but this is easier said than done. Setting up the trusted CA registry is a very sensitive task from the security point of view. I have no idea what is the process that Microsoft uses to maintain that registry for Windows, but I sure hope it is a highly secured and thorough process. The certificate set should be regularly reviewed and updated promptly in response to certificate revocations as they come. This is something that we just don't have the resources for at Cincom. I'd much rather annoy our customers out of ignorance of these issues than end up being liable for some security disaster down the road, because our disclaimers and warnings weren't big, red and flashy enough. So we choose (arguably simpler for us, but hopefully safer in the long run for you as well) way of trying to explain the issue well enough along with providing some hints of simpler (less secure) ways of achieving necessary setup if you can afford it. It's mentioned in those posts that you linked to (section Handshake and Certificates in the Security.pdf from VW7.4 on). Yes, X.509 certificates deserve a dedicated chapter on their own and shouldn't be buried inside the SSL one, but we'll get there.

I think the best we could do is trying to hook-up with certificate stores of the underlying OS, assuming that the host is maintained with at least the same level of security as the application running on it requires (of course it's not clear that's a good general assumption). However that is wildly different between

------------ END included text -----------------------

So the problem could still be that you have to load the certificates manually. I had to find my one from the InternetExplorer repository and finally got the connection.

Hope this helps

Ciao

Giorgio
2007/4/25, Giorgio Ferraris <[hidden email]>:
Thank you so much, Giorgio. It sounds like there's no easy way to overcome that then.
-- Best Regards, Jim G |
Jim,
it seems like there is a way out of this problem as described by Martin Kobetic here
http://www.parcplace.net/list/vwnc-archive/0512/msg00100.html

Did someone try to do what Martin described in that e-mail?

Does it make sense to ask the X509Registry to find the root certificates on its own? Instead of doing it inside the inspector?

Thanks.

Federico
In reply to this post by J G
From: [hidden email]
> it seems like there is a way out of this problem as described by
> Martin Kobetic here
> http://www.parcplace.net/list/vwnc-archive/0512/msg00100.html
>
> Did someone try to do what Martin described in that e-mail?

I just tried this, and getting the trusted root CAs from IE is quite easy. Some (83 of 211) give various errors and warnings in VW, but I'll leave interpreting those to the experts.

1) Create and open a new c:\certs folder in Windows explorer
2) in IE, Tools | Internet Options | Content page | Certificates button
3) press Advanced, choose Export format = Base64 Encoded X.509 (*.cer), OK
4) choose the Trusted Root CAs page
5) Select all the certificates and drag and drop them into c:\certs
6) Load the X509 parcel, and run this code in a workspace:

"errDict maps exception class -> (file -> exception) for every certificate that failed to load"
errDict := Dictionary new.
(Filename filesMatching: 'c:\certs\*.cer') do: [:file |
    | b64 cert |
    [b64 := file asFilename contentsOfEntireFile.
    cert := Security.X509.Certificate fromBase64: b64.
    Security.X509.X509Registry default addCertificate: cert]
        on: Security.X509.X509Exception, ASN1.MarshalingError
        do: [:ex |
            "Record the failure and carry on with the next file"
            (errDict at: ex class ifAbsentPut: [Dictionary new]) at: file put: ex.
            ex return: nil]].

7) Inspect errDict to see the problem certificates, classified by the kind of Exception raised. BadCAConstraints and ExtensionShouldBeCritical might be things you want to ignore, but ask the experts.

You can probably do the same for the revoked certificates page (#addRevoked:). There may also be a way to automate exporting the certificates, e.g. with COM Connect: http://www.aspencrypt.com/task_certs.html

HTH,
Steve
In reply to this post by J G
Jim Guo wrote:
> Hi,
> I've been testing gmail smtp with newly installed VW7.5 and while DoIt
> this:
>
> message := MailMessage newTextPlain.
> message
>     from: '[hidden email]';
>     to: '[hidden email]';
>     subject: 'test gmail using vw75';
>     text: 'This is my first try on smtps';
>     yourself.
> smtpClient := SMTPClient host: 'smtp.gmail.com'.
> smtpClient user: (NetUser username: '[hidden email]' password: 'password').
> smtpClient useSecureConnection.
> smtpClient send: message
>
> I always get an exception CA Not In Trust List!, which I find a
> paragraph of discussion on release note pdf document but I can't
> understand what to do the next.

Yes, certificates and surrounding issues are badly under documented in VW. The only thing we currently have to offer are few paragraphs in the 'Handshake and Certificates' chapter of the doc/SecurityGuide.pdf. As others said already you need an X509Registry initialized with a set of trusted CA certificates. Or you have to simply proceed all the certificate exceptions, if you're OK with potentially compromised authentication.

> By the way, the message sometimes gets sent after I hit the proceed button
> and then I get another exception. However, pop with google passes through
> smoothly.

There may be several certificate related exceptions raised during the authentication step. The idea is to allow an application to collect a list of all issues with the certificate, to be able to present them to the user at once, rather than one by one as the user retries. If you just proceed all of them, you should get through.

Martin
2007/4/26, Martin Kobetic <[hidden email]>:
> There may be several certificate related exceptions raised during the authentication step. The idea is to allow an application to collect a list of all issues with the certificate, to be able to present them to the user at once, rather than one by one as the user retries. If you just proceed all of them, you should get through.

Thank you a lot. I'm now trying out what Steven has described.
-- Best Regards, Jim G |
In reply to this post by fede-7
2007/4/25, Sean Glazier <[hidden email]>:
Thanks for details given. I've tried and it is OK now. Yes the actions described should work. -- Best Regards, Jim G |
In reply to this post by fede-7
2007/4/25, [hidden email] <[hidden email]>:
Jim, I've tried as others described in their answers and it works, Thanks! -- Best Regards, Jim G |
In reply to this post by J G
Jim Guo wrote:
> Thank you so much, Giorgio. It sounds like there's no easy way overcome
> that then.

I'm not sure what you mean, but it's not that hard, once you understand the issue. The steps were described in the thread pointed out by Edward. Feel free to ask if you need more help.

Martin
In reply to this post by fede-7
[hidden email] wrote:
> Does it make sense to ask the X509Registry to find the root certificates
> by its own? Instead of doing it inside the inspector?

What would be useful is be able to hook up to certificate registries on various OS-es, or at least read the CAs out of those. Maybe even default to that. I'm not convinced it's the "right" thing to do, but it certainly is an accepted norm.

That of course is probably easier said than done. For example, we can read the .crt bundle from Apache installations easily enough (see CertificateFileReader), assuming we can find it, but I believe there are several of these scattered around the usual Linux file system. Which one should we go for ? And remember this is a fairly critical decision from security point of view.

Martin
In reply to this post by Steven Kelly
I did something close, after getting certificates from IE, I loaded the one I needed in this way:

| certificate registry |
registry := Security.X509.X509Registry new.
certificate := Security.X509.Certificate fromFile: 'certificati\verysign.cer'.
registry addCertificate: certificate.
X509Registry default addCertificate: certificate.

Quite similar to the Steven one, excluding the Base64 encoding. I don't remember the exact way I got my certificates from IE, looks like the way suggested by Steven (but at this time I'm wondering about Base64...). I followed at that time (around 9 months ago) some help from the net, and worked!

It was on VW 7.4.1

Ciao

Giorgio
In reply to this post by Steven Kelly
Steven Kelly wrote:
> I just tried this, and getting the trusted root CAs from IE is quite
> easy. Some (83 of 211) give various errors and warnings in VW, but I'll
> leave interpreting those to the experts.

Interesting, I never noticed the bulk export capability, interesting test case. I only have IE6 handy and I was able to read all 106 out of 106 there. Can you email me yours ? I'm curious about the failures.

Martin
In reply to this post by Giorgio Ferraris
Yes, IE usually offered both, a raw binary form or the same just base64 encoded. You can pick.

Martin

Giorgio Ferraris wrote:
> I did something close, after getting certificates from IE, I loaded the one
> I needed in this way:
>
> | certificate registry |
> registry := Security.X509.X509Registry new.
> certificate := Security.X509.Certificate fromFile: 'certificati\verysign.cer'.
> registry addCertificate: certificate.
> X509Registry default addCertificate: certificate.
>
> Quite similar to the Steven one, excluding the Base64 encoding.
> I don't remember the exact way I got my certificates from IE, looks like the
> way suggested by Steven (but at this time I'm wondering about Base64...). I
> followed at that time (around 9 months ago) some help from the net, and
> worked!
>
> It was on VW 7.4.1
In reply to this post by kobetic
Could you cc me as well on that. I am curious as well.

Sean
In reply to this post by kobetic
2007/4/26, Martin Kobetic <[hidden email]>:

Special thanks for your kind help, Martin. I got up early this morning and have acted on that advice. SMTPS with gmail works for me now. Thanks to all, too! I've also learned more about Certificates.

-- Best Regards, Jim G
In reply to this post by J G
From: Giorgio Ferraris [mailto:[hidden email]]
> I did something close, after getting certificates from IE, I loaded
> the one I needed in this way:
>
> | certificate registry |
> registry := Security.X509.X509Registry new.
> certificate := Security.X509.Certificate fromFile: 'certificati\verysign.cer'.
> registry addCertificate: certificate.
> X509Registry default addCertificate: certificate.

Am I missing something, or is everything you do with the registry temp var redundant? Adding the certificate to #default should be enough.

> Quite similar to the Steven one, excluding the Base64 encoding.

I couldn't get it to work using the default .cer export on IE: the files were all binary, and looking for --BEGIN failed.

Steve

PS I've sent my certificates to Martin and Sean, as they requested.
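The binary-versus-Base64 .cer confusion discussed in this thread, as an added example that is not part of any post: a Python sketch (not VisualWorks code) that classifies an exported file as DER, PEM or bare Base64, normalizes it to DER, and computes a SHA-256 fingerprint to compare against the CA's published value before the certificate goes into a trust registry. The function names and sample bytes are constructed for illustration; the sample is a well-formed DER SEQUENCE, not a real certificate.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL)


def der_length_ok(data: bytes) -> bool:
    """True if data is exactly one DER SEQUENCE (tag 0x30, length matches)."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short form: length fits in one byte
        return len(data) == 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(data) < 2 + n:
        return False
    return len(data) == 2 + n + int.from_bytes(data[2:2 + n], "big")


def cer_to_der(data: bytes) -> tuple[str, bytes]:
    """Classify the contents of a .cer file and return (encoding, der_bytes)."""
    if der_length_ok(data):
        return "der", data                # IE's default binary export
    m = PEM_RE.search(data)
    if m:
        encoding, b64 = "pem", m.group(1)
    else:
        encoding, b64 = "base64", data    # bare Base64 without BEGIN/END lines
    try:
        der = base64.b64decode(b"".join(b64.split()), validate=True)
    except ValueError as exc:             # binascii.Error is a ValueError
        raise ValueError("not DER, PEM or Base64") from exc
    if not der_length_ok(der):
        raise ValueError("decoded data is not a single DER SEQUENCE")
    return encoding, der


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes; identical whichever export format was used."""
    return hashlib.sha256(der).hexdigest()


# Constructed sample: a well-formed DER SEQUENCE, NOT a real certificate.
SAMPLE_DER = bytes([0x30, 0x0A, 0x02, 0x01, 0x01, 0x04, 0x05]) + b"dummy"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for blob in (SAMPLE_DER, SAMPLE_PEM, base64.b64encode(SAMPLE_DER)):
        kind, der = cer_to_der(blob)
        print(kind, fingerprint(der))
```

Because the fingerprint is taken over the decoded DER bytes, the same root exported in either format yields the same value, which makes a per-file review list practical before a bulk import.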
Hi, Steve,

I can't clear up your cloud :-(

When I did that work, I had to find a running solution quick and dirty. I had help from the web and a lot from Martin Kobetic (thanks again, Martin). I did several tries in a workspace, and that was the end result, probably with something useless..., but working. After that I was able to connect using ssl.

Ciao

Giorgio

PS: see you (and Martin) in Toronto perhaps?