Bug 1106 - TDE should use system SSL certificates instead of now rather elderly ex-KDE bundle (patch)
Status: RESOLVED FIXED
Alias: None
Product: TDE
Classification: Unclassified
Component: tdelibs (show other bugs)
Version: 3.5.13 [Trinity]
Hardware: Other Other
Importance: P5 normal
Assignee: Timothy Pearson
URL:
Depends on:
Blocks:
 
Reported: 2012-07-14 14:12 CDT by Nick Leverton
Modified: 2013-07-24 12:12 CDT (History)
CC: 3 users

See Also:
Compiler Version:
TDE Version String:
Application Version:
Application Name:


Attachments
Patch for Debian KDE4, something very similar should fit Trinity (1.64 KB, patch)
2012-07-14 14:12 CDT, Nick Leverton

Description Nick Leverton 2012-07-14 14:12:31 CDT
Created attachment 704
Patch for Debian KDE4, something very similar should fit Trinity

I think we may have discussed this issue previously on a mailing list but on a quick search I can't find the thread.  My memory suggests that we updated the TDE certificates bundle (tdelibs/kio/kssl/kssl/caroot/ca-bundle.crt, installed to /opt/trinity/share/apps/kssl/ca-bundle.crt) to match the bundle in the then-current KDE4.

However even that list is out of date and essentially unmaintained.  Especially with recent certificate authority compromises, I feel it is important to have a regularly maintained certificate bundle.  To avoid taking this burden on the Trinity project, it would probably be preferable for TDE to use the distro SSL certificates list where there is one.

In Debian/Ubuntu this is in /etc/ssl/certs/ca-certificates.crt, provided by ca-certificates package.  I believe Fedora has an equivalent though I don't have a Fedora machine here to check.  Other distros may need investigation but except for Gentoo are probably based on one of the above two anyway.

As an experiment I symlinked /etc/ssl/certs/ca-certificates.crt from Debian Testing in place of /opt/trinity/share/apps/kssl/ca-bundle.crt, and all the sites that used to give "unknown signing authority" warnings now validate perfectly.

One issue that would be outstanding is that the SSL config code takes a private copy of the certificate bundle if you modify it, but I believe this is a separate issue anyway, and already existed in both KDE 3 and 4 when the KDE embedded certificate list changes.  The .kde->.trinity user migration tool, when completed, should perhaps be aware though and offer to update the user certificates to the new defaults.

Some references found during this investigation:

Red Hat Bug 521902: kdelibs: use ca-certificates' ca-bundle.crt
https://bugzilla.redhat.com/show_bug.cgi?id=521902

Debian bug 348892: kdelibs-data: please use SSL/TLS certificates from ca-certificates package
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=348892

Debian bug 511597: same issue for kdelibs5, with a patch
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511597

Debian wiki: Crypto certificate issues page
http://wiki.debian.org/Cryptography
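The report above argues that a bundled, unmaintained CA list drifts away from the distro's ca-certificates bundle, and that pointing the application at the system bundle (by symlink or packaging change) removes that drift. The following added example, which is not part of this bug report or of the TDE/tdelibs code, is a small audit script for that situation: it splits two PEM bundles into certificates, fingerprints each one by the SHA-256 of its DER bytes, reports which certificates exist only in the stale bundle and which only in the system bundle, and checks whether an application's bundle path actually resolves to the system bundle. The two bundles embedded below are constructed stand-ins (their base64 bodies are not real certificates) so the script runs offline; the path names are the ones quoted in the report and are used only as illustrations.

```python
import base64
import hashlib
import os
import re
import tempfile

# Constructed sample bundles. The base64 bodies are NOT real X.509 certificates,
# only stand-in payloads so the comparison logic can be exercised offline.
def _pem_block(payload: bytes) -> str:
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# "Bundled" list: one root still in use (A) plus one that the distro has retired (B).
BUNDLED_CRT = _pem_block(b"constructed-ca-A") + _pem_block(b"constructed-ca-B-retired")
# "System" list: the shared root (A) plus a newer root the stale bundle lacks (C).
SYSTEM_CRT = _pem_block(b"constructed-ca-A") + _pem_block(b"constructed-ca-C-new")

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def der_fingerprints(bundle_text: str) -> set:
    """SHA-256 hex digest of the DER bytes of every certificate in a PEM bundle.

    Whitespace inside the base64 body is ignored, so 64-column wrapped PEM
    (the usual ca-certificates.crt layout) and single-line PEM hash identically.
    """
    fingerprints = set()
    for match in PEM_BLOCK.finditer(bundle_text):
        der = base64.b64decode("".join(match.group(1).split()))
        fingerprints.add(hashlib.sha256(der).hexdigest())
    return fingerprints


def compare_bundles(bundled_text: str, system_text: str) -> dict:
    """Report drift between an application's private CA bundle and the distro bundle."""
    bundled = der_fingerprints(bundled_text)
    system = der_fingerprints(system_text)
    return {
        "only_in_bundled": sorted(bundled - system),  # roots the distro no longer trusts
        "only_in_system": sorted(system - bundled),   # roots the stale bundle is missing
        "common": sorted(bundled & system),
    }


def uses_system_bundle(app_bundle_path: str, system_bundle_path: str) -> bool:
    """True when the application's bundle path resolves (through symlinks) to the distro bundle."""
    return os.path.realpath(app_bundle_path) == os.path.realpath(system_bundle_path)


if __name__ == "__main__":
    drift = compare_bundles(BUNDLED_CRT, SYSTEM_CRT)
    print("stale roots still shipped :", len(drift["only_in_bundled"]))
    print("distro roots missing      :", len(drift["only_in_system"]))
    print("roots in both             :", len(drift["common"]))

    # Demonstrate the packaging check with a throwaway directory standing in for
    # /etc/ssl/certs/ca-certificates.crt and /opt/trinity/share/apps/kssl/ca-bundle.crt.
    with tempfile.TemporaryDirectory() as tmp:
        system_path = os.path.join(tmp, "ca-certificates.crt")
        app_path = os.path.join(tmp, "ca-bundle.crt")
        with open(system_path, "w") as fh:
            fh.write(SYSTEM_CRT)
        os.symlink(system_path, app_path)  # the fix discussed in the report
        print("app bundle resolves to system bundle:", uses_system_bundle(app_path, system_path))
```

Run against real files with `compare_bundles(open(a).read(), open(b).read())`; a non-empty `only_in_bundled` list is the signal that the private copy still trusts roots the distro has dropped, which is the risk the report describes.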
Comment 1 Bruce Sass 2012-07-20 05:22:39 CDT
(In reply to comment #0)
> As an experiment I symlinked /etc/ssl/certs/ca-certificates.crt from Debian
> Testing in place of /opt/trinity/share/apps/kssl/ca-bundle.crt, and all the
> sites that used to give "unknown signing authority" warnings now validate
> perfectly.

Is there any reason not to do that in the packaging (by shipping a symlink instead of ca-bundle.crt)?
Comment 2 Timothy Pearson 2012-07-20 13:06:28 CDT
(In reply to comment #1)
> (In reply to comment #0)
> > As an experiment I symlinked /etc/ssl/certs/ca-certificates.crt from Debian
> > Testing in place of /opt/trinity/share/apps/kssl/ca-bundle.crt, and all the
> > sites that used to give "unknown signing authority" warnings now validate
> > perfectly.
> 
> Is there any reason not to do that in the packaging (by shipping a symlink
> instead of ca-bundle.crt)?

Not that I am aware of.
Comment 3 Nick Leverton 2012-07-21 07:25:03 CDT
Yup, that's what the Debian KDE team have done.  I haven't had time to review the attached patch and update to TDE but it is a pretty simple packaging change.
Comment 4 Timothy Pearson 2013-07-24 12:12:33 CDT
Fixed in GIT hash 82fe514 (tde-packaging).

Thanks for reporting, and for the suggested solution!