On 03/23/2013 09:38 PM, Philonous Atio wrote:
> I agree with dkg that "this sounds to me like a bug in the logic of the
> upgraded version of NSS." It needs to be fixed

Please read the rest of my comments in this bug, Philonous -- I think you should have the remote server's certificate loaded in your "Servers" tab, not in your "Authorities" tab. If you have it in your "Servers" tab, and you use "Edit Trust..." to "Trust the authenticity of this certificate", then even an MD5 self-signed cert should work for you.

You should *not* rely on these self-signed certificates as authorities, because that gives anyone who takes control over the server's secret key material the ability to impersonate any other server on the internet. On the other hand, if you mark it as a known-valid peer, it will only be able to work for hostnames which match the hostnames in the certificate itself.

--dkg
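
The difference between the two trust settings described in the message above, as a simplified model. This is an added example, not part of the original message and not NSS code; the class names, fingerprints and hostnames are constructed, and signature checking, expiry and wildcard matching are left out.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    fingerprint: str   # stands in for the certificate's hash (constructed value)
    hostnames: tuple   # names listed in the certificate itself
    issuer_fp: str     # fingerprint of the signer; equals fingerprint if self-signed


@dataclass(frozen=True)
class TrustStore:
    authorities: frozenset = frozenset()  # certs trusted to vouch for other certs
    servers: frozenset = frozenset()      # certs trusted only as themselves


def accepts(store, requested_host, presented):
    """Model of the trust decision (assumption: one-level chains only)."""
    # The hostname check applies whichever way the cert is trusted.
    if requested_host not in presented.hostnames:
        return False
    # "Servers" tab: only this exact certificate is accepted.
    if presented.fingerprint in store.servers:
        return True
    # "Authorities" tab: anything signed by the trusted key is accepted,
    # including the self-signed cert itself.
    return presented.issuer_fp in store.authorities


# Constructed sample data.
self_signed = Cert("fp-intranet", ("intranet.example",), "fp-intranet")
# A certificate for an unrelated name, signed with the same key.
other_host = Cert("fp-other", ("bank.example",), "fp-intranet")

as_authority = TrustStore(authorities=frozenset({"fp-intranet"}))
as_peer = TrustStore(servers=frozenset({"fp-intranet"}))

if __name__ == "__main__":
    for label, store in (("authority", as_authority), ("peer", as_peer)):
        for host, cert in (("intranet.example", self_signed),
                           ("bank.example", other_host)):
            print(label, host, accepts(store, host, cert))
```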