[Bug 758431] New: Midori does not display whether SSL certificates are valid
https://bugzilla.novell.com/show_bug.cgi?id=758431#c0

Summary: Midori does not display whether SSL certificates are valid
Classification: openSUSE
Product: openSUSE 11.4
Version: Factory
Platform: Other
OS/Version: openSUSE 11.4
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Xfce
AssignedTo: bnc-team-xfce@forge.provo.novell.com
ReportedBy: gber@opensuse.org
QAContact: qa-bugs@suse.de
Found By: ---
Blocker: ---
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:11.0) Gecko/20100101 Firefox/11.0

Midori before version 0.4.2 does not display whether SSL certificates are valid because it lacks a dependency on the ca-certificates package and does not set the openSUSE specific path to the certificate bundle file.

Reproducible: Always

-- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
--- Comment #3 from Guido Berhörster
> Worst of all, it still displays the address bar as being secure. It must not do that if it doesn't actually do any verification.

I'm not sure any more whether this problem is actually caused by Midori. This happens only with 0.3.0 in openSUSE 11.4 and looking at the corresponding code there is a check in webkit_web_view_load_committed_cb() whether the certificate is trusted or not:

    WebKitWebDataSource *source;
    WebKitNetworkRequest *request;
    SoupMessage *message;

    source = webkit_web_frame_get_data_source (web_frame);
    request = webkit_web_data_source_get_request (source);
    message = webkit_network_request_get_message (request);
    if (message && soup_message_get_flags (message) & SOUP_MESSAGE_CERTIFICATE_TRUSTED)
        view->security = MIDORI_SECURITY_TRUSTED;
    else
    #endif  /* closes a preprocessor guard that opens before this excerpt */
        view->security = MIDORI_SECURITY_UNKNOWN;

(see http://git.xfce.org/apps/midori/tree/midori/midori-view.c?id=0.3.0#n1020)

When tracing that with gdb soup_message_get_flags (message) seems to return a random value. Now the above code has not changed at all in Midori 0.4.1 in openSUSE 12.1 but soup_message_get_flags (message) returns a valid value causing Midori to correctly mark the certificate as untrusted. Somebody familiar with libsoup should probably look at this to see whether Midori or libsoup 2.32.2 is at fault here.
--- Comment #4 from Guido Berhörster
> I think you should set "ssl-use-system-ca-file" and "ssl-strict" instead of adding bundle files.

No, ssl-use-system-ca-file was introduced with libsoup 2.38 whereas oS 11.4 has 2.32.1 and 12.1 has 2.36.1. ssl-strict makes no sense, the browser needs to handle certificate validity itself.
--- Comment #6 from Guido Berhörster
> If the version in 11.3 cannot be fixed to correctly display the trusted flag it should display untrusted always.

I don't see anything outright wrong with the code in midori. I just built midori 0.3.0 for 12.1 and checked there with gdb, soup_message_get_flags() always returns a correct value of 0 when the certificate bundle cannot be found, i.e. SOUP_MESSAGE_CERTIFICATE_TRUSTED is not set. I think one of the gnome maintainers should look into this.
--- Comment #9 from Guido Berhörster
> I suggest to look at the epiphany code.
> For reference, in 11.3, 11.4 and 12.1, we pass --with-ca-file=%{_sysconfdir}/ssl/ca-bundle.pem to epiphany. So epiphany was doing something with the ca file (look for GTLS_SYSTEM_CA_FILE in embed/ephy-embed.c and embed/ephy-embed-single.c -- it seems it's setting the ssl-ca-file property of the libsoup session object).

Midori has equivalent code for setting ssl-ca-file but checks for the file at runtime. The problem is that when it does not set the ssl-ca-file property because no bundle file is installed, soup_message_get_flags() from libsoup 2.32.2 in 11.4 returns a random number. A random number >= 32 means that the SOUP_MESSAGE_CERTIFICATE_TRUSTED is set, indicating a valid certificate while it actually has not been verified. With the later libsoup versions in 12.1 and Factory soup_message_get_flags() correctly returns 0, i.e. the above flag is not set, as it should be when it cannot verify its validity.

> In 11.2, we had epiphany-https-unknown-security.patch which was forcing the use of EPHY_WEB_VIEW_STATE_IS_UNKNOWN all the time.

I can surely create such a patch specifically for midori in 11.4 treating all certificates as unverified, however since this seems like a libsoup bug it might affect other consumers?
--- Comment #12 from Guido Berhörster
> 2.32.2 in 11.4 returns a random number. A random number >= 32 means that the SOUP_MESSAGE_CERTIFICATE_TRUSTED is set, indicating a valid certificate while

Hrm, that should of course read "A number with the 5th bit (SOUP_MESSAGE_CERTIFICATE_TRUSTED) set indicates a valid certificate..."

Looking at the libsoup code it seems that when starting an SSL connection soup-socket.c:soup_socket_start_proxy_ssl() trusts certificates by default and relies on soup-socket.c:soup_socket_write()/read_from_network() receiving a SOUP_SSL_ERROR_CERTIFICATE to mark the certificate untrusted. However, that never happens when a CA certificate bundle has not been passed in because soup-gnutls.c:do_handshake() then does not do any verification by calling soup-gnutls.c:verify_certificate() which can raise a SOUP_SSL_ERROR_CERTIFICATE.
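The two trust-derivation policies at issue in comments #9 and #12, as an added, self-contained C model (not code from libsoup, midori or this bug report): the fail-open variant starts out trusted and only clears the bit on a certificate error, so a missing CA bundle that skips verification leaves the UI showing "trusted"; the fail-closed variant sets the bit only on positive evidence. The flag value 1 << 5 (bit 5, i.e. 32) is taken from the thread; all function and type names are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model, not libsoup/midori code. The flag bit is the one the
 * thread identifies: SOUP_MESSAGE_CERTIFICATE_TRUSTED is bit 5, value 32. */
#define CERTIFICATE_TRUSTED (1u << 5)

enum security { SECURITY_UNKNOWN = 0, SECURITY_TRUSTED = 1 };

/* Fail-open (the libsoup 2.32.2 behaviour described in comment #12): the
 * connection starts out trusted and the bit is only cleared when a
 * certificate error is delivered. With no CA bundle configured, verification
 * never runs, no error is ever raised, and the bit stays set. */
unsigned flags_fail_open(bool have_ca_file, bool verify_ran, bool verify_failed)
{
    unsigned flags = CERTIFICATE_TRUSTED;   /* trusted until proven otherwise */
    (void)have_ca_file;                     /* this policy never consults it */
    if (verify_ran && verify_failed)
        flags &= ~CERTIFICATE_TRUSTED;
    return flags;
}

/* Fail-closed (the direction the later comments take): the bit is set only
 * on positive evidence, i.e. a CA bundle was present and verification
 * actually ran and passed. Any skipped step leaves the bit clear. */
unsigned flags_fail_closed(bool have_ca_file, bool verify_ran, bool verify_failed)
{
    unsigned flags = 0;
    if (have_ca_file && verify_ran && !verify_failed)
        flags |= CERTIFICATE_TRUSTED;
    return flags;
}

/* The browser-side mapping quoted from midori-view.c in comment #3: the UI
 * shows "trusted" exactly when the bit is set, "unknown" otherwise. */
enum security security_from_flags(unsigned flags)
{
    return (flags & CERTIFICATE_TRUSTED) ? SECURITY_TRUSTED : SECURITY_UNKNOWN;
}

int main(void)
{
    /* Constructed scenario from the bug: no ca-certificates bundle installed,
     * so verify_certificate() was never run for this connection. */
    const bool have_ca = false, ran = false, failed = false;
    printf("no bundle, fail-open   -> %s\n",
           security_from_flags(flags_fail_open(have_ca, ran, failed)) ? "TRUSTED (wrong)" : "UNKNOWN");
    printf("no bundle, fail-closed -> %s\n",
           security_from_flags(flags_fail_closed(have_ca, ran, failed)) ? "TRUSTED" : "UNKNOWN (correct)");
    return 0;
}
```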
--- Comment #17 from Vincent Untz
> ca-certificates is installed by default but libsoup was not configured to use the correct ca file. To catch such errors it must behave fail-close.

I'm not sure what you mean here. My reading of the code is that if the specified ca file doesn't exist, gnutls will handle this gracefully:

    status = gnutls_certificate_set_x509_trust_file (
        creds->creds, ca_file, GNUTLS_X509_FMT_PEM);
    if (status < 0) {
        g_warning ("Failed to set SSL trust file (%s).", ca_file);
        /* Since we set have_ca_file though, this just
         * means that no certs will validate, so we're
         * ok securitywise if we just return these
         * creds to the caller. */
    }
--- Comment #19 from Vincent Untz
> Created an attachment (id=487674) --> (http://bugzilla.novell.com/attachment.cgi?id=487674) [details] patch
> patch enables certificate verification even if no ca-file is used.

I think my patch in home:vuntz:11.4-testing is a better approach -- if there's no ca file, there's no need to even try to validate the certificate. We just always error out.
--- Comment #22 from Guido Berhörster
> Now that OBS finally published the packages... This seems to work fine, but I found that epiphany is using the strict ssl mode when the ca file doesn't exist: it won't even try to load the page. So patching epiphany for this in home:vuntz:11.4-testing.
> Guido, can you try the libsoup package?

Same issue with midori apparently, I need to patch it as well.