Ubuntu
kdebase-runtime package

konqueror/crypto manager lose trusted certificates

Bug #286936 reported by Matthias Andree
24
This bug affects 3 people
Affects Status Importance Assigned to Milestone
KDE Base
Unknown
Unknown
kdebase-runtime (Ubuntu)
New
Undecided
Unassigned
Nominated for Intrepid by Matthias Andree

Bug Description

Binary package hint: kdebase-runtime

Note this is a showstopper bug for Intrepid Ibex

kdebase-runtime 4:4.1.2-0ubuntu6.

I cannot import root certificates with the Crypto manager if I choose "SSL signers" . No matter if I use Konqueror or "kcmshell4 crypto", the crypto manager displays just common name, but no details when I click on the certificate besides the MD5 sum. The Crypt Manager doesn't save the certificate.

Consequence: Konqueror cannot connect to HTTPS:// sites and complains about a self-signed root cert. (While I could theoretically override that and continue nonetheless, I'm not doing that since it defeats detection of MITM attack.)

Here's the cert in question, it works perfectly with openssl and gnutls-cli:

$ cat /etc/ssl/certs/deutsche-telekom-root-ca-2.pem
-----BEGIN CERTIFICATE-----
MIIDnzCCAoegAwIBAgIBJjANBgkqhkiG9w0BAQUFADBxMQswCQYDVQQGEwJERTEc
MBoGA1UEChMTRGV1dHNjaGUgVGVsZWtvbSBBRzEfMB0GA1UECxMWVC1UZWxlU2Vj
IFRydXN0IENlbnRlcjEjMCEGA1UEAxMaRGV1dHNjaGUgVGVsZWtvbSBSb290IENB
IDIwHhcNOTkwNzA5MTIxMTAwWhcNMTkwNzA5MjM1OTAwWjBxMQswCQYDVQQGEwJE
RTEcMBoGA1UEChMTRGV1dHNjaGUgVGVsZWtvbSBBRzEfMB0GA1UECxMWVC1UZWxl
U2VjIFRydXN0IENlbnRlcjEjMCEGA1UEAxMaRGV1dHNjaGUgVGVsZWtvbSBSb290
IENBIDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCrC6M14IspFLEU
ha88EOQ5bzVdSq7d6mGNlUn0b2SjGmBmpKlAIoTZ1KXleJMOaAGtuU1cOs7TuKhC
QN/Po7qCWWqSG6wcmtoIKyUn+WkjR/Hg6yx6m/UTAtB+NHzCnjwAWav12gz1Mjwr
rFDa1sPeg5TKqAyZMg4ISFZbavva4VhYAUlfckE8FQYBjl2tqriTtM2e66foai1S
NNs671x1Udrb8zH57nGYMsRUFUQM+ZtV7a3fGAigo4aKSe5TBY8ZTNXeWHmb0moc
QqvF1afPaA+W5OFhmHZhyJF81j4A4pFQh+GdCuatl9Idxjp9y7zaAzTVjlsB9WoH
txa2bkp/AgMBAAGjQjBAMB0GA1UdDgQWBBQxw3kbuvVT1xfgiXotF2wKsyudMzAP
BgNVHRMECDAGAQH/AgEFMA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQUFAAOC
AQEAlGRZrTlk5ynrE/5aw4sTV8gEJPB0d8Bg42f76Ymmg7+Wgnxu1MM9756Abrsp
tJh6sTtU6zkXR34ajgv8HzFZMQSyzhfzLMdiNlXiItiJVbSYSKpk+tYcNthEeFpa
IzpXl/V6ME+un2pMSyuOoAPjPuCp1NJ70rOo4nI8rZ7/gFnkm0W09juwzTkZmDLl
6iFhkOQxIY40sfcvNUqFENrnijchvllj4PKFiDFT1FQUhXB59C4Gdyd1Lx+4ivn+
xbrYNuSD7Odlt79jWvNGr4GUN9RBjNYj1h7P9WgbRGOiWrqnNVmh5XAFmw4jV5mU
Cm26OWMohpLzGITY+9HPBVZkVw==
-----END CERTIFICATE-----

And here's the text dump (shortened a bit)
$ openssl x509 -text -noout -in /etc/ssl/certs/deutsche-telekom-root-ca-2.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 38 (0x26)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=DE, O=Deutsche Telekom AG, OU=T-TeleSec Trust Center, CN=Deutsche Telekom Root CA 2
        Validity
            Not Before: Jul 9 12:11:00 1999 GMT
            Not After : Jul 9 23:59:00 2019 GMT
        Subject: C=DE, O=Deutsche Telekom AG, OU=T-TeleSec Trust Center, CN=Deutsche Telekom Root CA 2
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:ab:0b:a3:35:e0:8b:29:14:b1:14:85:af:3c:10:
...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                31:C3:79:1B:BA:F5:53:D7:17:E0:89:7A:2D:17:6C:0A:B3:2B:9D:33
            X509v3 Basic Constraints:
                CA:TRUE, pathlen:5
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
    Signature Algorithm: sha1WithRSAEncryption
        94:64:59:ad:39:64:e7:29:eb:13:fe:5a:c3:8b:13:57:c8:04:
...

Revision history for this message
Matthias Andree (matthias-andree) wrote :

This may be related to https://bugs.kde.org/show_bug.cgi?id=162485 but is a showstopper for Kubuntu 8.10 nonetheless. 9 days left to fix ;-)

Bug Watch Updater (bug-watch-updater)
Changed in kdebase:
status: Unknown → Confirmed
Revision history for this message
Swâmi Petaramesh (swami-petaramesh) wrote :

Confirming. KDE 4.1 SSL certificates manager is completely broke in all aspects. Displays a dummy "ACME" personal certificate. Cannot import my real personal cert. Cannot import C.A. certificates whatsoever. Does nothing when you supposed it dit, or freezes, or segfaults :-((

Now I cannot send e-mail as I used to, as my SMTP server requests KMail to present my SSL cert, which worked perfectly in KDE 3.x and is totally broke in 4.1.

Solving this bug is of extremely high priority for me.

Revision history for this message
Kurt Huwig (k-huwig) wrote :

Confirming. This does not work with the certificates from CACert.org:

http://www.cacert.org/index.php?id=3

I can import them, but if I close and reopen Konqueror's settings, they are gone.

Bug Watch Updater (bug-watch-updater)
Changed in kdebase:
status: Confirmed → Unknown
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.