[Bug 873680] New: KDE uses outdated certificates
https://bugzilla.novell.com/show_bug.cgi?id=873680#c0

Summary: KDE uses outdated certificates
Classification: openSUSE
Product: openSUSE Factory
Version: 13.2 Milestone 0
Platform: Other
OS/Version: Other
Status: NEW
Severity: Enhancement
Priority: P5 - None
Component: KDE4 Workspace
AssignedTo: kde-maintainers@suse.de
ReportedBy: sweet_f_a@gmx.de
QAContact: qa-bugs@suse.de
Found By: ---
Blocker: ---
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0

KDE3 and KDE4 are using their own cert bundles:

/usr/share/kde4/apps/kssl/ca-bundle.crt
/opt/kde3/share/apps/kssl/ca-bundle.crt

They are outdated, possibly insecure, and moreover KDE apps ignore other installed certificates like the "ca-certificates-cacert" package or self-installed ones. It would be nice to use /etc/ssl/ca-bundle.pem in KDE too.

Reproducible: Always
--- Comment #1 from Marcus Meissner
--- Comment #2 from Raymond Wooninck
--- Comment #3 from Ruediger Meier
> @Ruediger, can you let me know how you determined that these are the cert bundles that KDE4 is using? Or is this based on the fact that these files are installed?
> Just out of curiosity and to see where the improvement should be done.

I was testing all this some months ago: http://lists.opensuse.org/opensuse-factory/2013-07/msg00335.html

Since then I am using symlinks to /etc/ssl/ca-bundle.pem on about 20 machines (mostly 11.4 and one 13.1) without any problems.

I've opened this bug report just to have a reference for sr230195. Since I think this is also a security hole I'd also like to submit against 13.1:Update. First waiting to see what Factory says.

@Marcus: I know that /etc/ssl/certs/ would be nicer. Somebody should push this upstream or evaluate whether it is already possible somehow. But IMO this KDE kssl/ca-bundle.crt has been broken a few years too long already to wait any longer. Let's go with the symlink right now.
--- Comment #4 from Raymond Wooninck
--- Comment #5 from Ruediger Meier
> Rudi,
> In your email, you are raising the issue that diverse packages are installing certificates all over the place and that makes things harder to manage.
> At this moment I don't think that symlinking files would actually resolve the issue that you are referring to.

Both of those symlinks resolved my issues for kde3 and kde4 applications on openSUSE 11.4 and 12.3.

> On my system I have deleted those certificates for KDE4 and the system is working fine. The SSL preferences in systemsettings (Configure Desktop) are showing the globally installed ones and therefore I am wondering if you found another way to see that the old certificates from KDE4 are being used, other than the fact that the files are there.
> With KDE Frameworks, it seems that the old methodology is being replaced by a daemon and Frameworks does not install any certificates.

I've re-checked right now on 13.1. Looks like kde4 has learned to use globally installed certs nowadays. This wasn't the case when I tested last time.

> So I put my question again to ask you if you found any other way (than the fact that the file is present) that KDE4 is indeed using the certificate file that is installed in /usr/share/kde4/apps/kssl?

I've also tested this now again and it seems that KDE4 completely ignores /usr/share/kde4/apps/kssl/ca-bundle.crt now. KDE3 still uses only its own /opt/kde3/share/apps/kssl/ca-bundle.crt.

So my suggestion:

KDE4:
- remove the unused file /usr/share/kde4/apps/kssl/ca-bundle.crt (that's just cosmetics - just to be 110% sure that nobody uses these unmaintained certs)

KDE3:
- replace /opt/kde3/share/apps/kssl/ca-bundle.crt by a symlink (that's a security fix and goes to 13.1 and Factory)

I've updated sr230218 for KDE4.
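The check and the fix this thread converges on, as an added example that is not from the bug report, KDE or openSUSE: audit an application-private CA bundle against the system bundle by certificate fingerprint (roots the app trusts that the distribution no longer ships, and system-trusted or locally added CAs the app ignores), then replace the private file with a symlink to /etc/ssl/ca-bundle.pem keeping a backup. The file paths are the ones named in the bug; the PEM blocks are constructed dummies, not real certificates, and `fake_cert`, `audit`, `relink` and `demo_relink` are names chosen here.

```python
import base64
import hashlib
import os
import re
import tempfile

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def fingerprints(pem_text):
    """SHA-256 fingerprints (over the DER bytes) of every CERTIFICATE block in a PEM bundle."""
    out = set()
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        out.add(hashlib.sha256(der).hexdigest())
    return out

def audit(app_bundle, system_bundle):
    """Compare an application-private bundle with the system trust store by fingerprint."""
    app, system = fingerprints(app_bundle), fingerprints(system_bundle)
    return {
        "only_in_app": sorted(app - system),       # roots the distro no longer ships: stale, possibly insecure
        "missing_from_app": sorted(system - app),  # newer roots and locally added CAs the app ignores
        "shared": len(app & system),
    }

def relink(app_path, system_bundle="/etc/ssl/ca-bundle.pem"):
    """Replace a private bundle with a symlink to the system bundle (keeping a .orig backup); True if a link was created."""
    if os.path.islink(app_path) and os.readlink(app_path) == system_bundle:
        return False
    if os.path.lexists(app_path):
        os.replace(app_path, app_path + ".orig")
    os.symlink(system_bundle, app_path)
    return True

# Constructed sample data: the base64 bodies are padded labels, NOT real certificates;
# only their identity matters for the set comparison in audit().
def fake_cert(label):
    body = base64.b64encode(label.encode().ljust(32, b"\0")).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

KDE3_BUNDLE = fake_cert("OldRootA") + fake_cert("WithdrawnRootB")  # stand-in for /opt/kde3/share/apps/kssl/ca-bundle.crt
SYSTEM_BUNDLE = fake_cert("OldRootA") + fake_cert("NewRootC") + fake_cert("LocalCAcert")  # stand-in for /etc/ssl/ca-bundle.pem

def demo_relink():
    """Run relink() on a throwaway copy of the KDE3 bundle in a temp dir; returns what happened."""
    path = os.path.join(tempfile.mkdtemp(), "ca-bundle.crt")
    with open(path, "w") as f:
        f.write(KDE3_BUNDLE)
    created = relink(path)
    return {"path": path, "created": created, "target": os.readlink(path),
            "backup": os.path.exists(path + ".orig")}
```

On a real system, run `audit()` over the contents of the two paths named in the bug before relinking; a non-empty `only_in_app` is exactly the "unmaintained certs" case the thread describes.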
--- Comment #6 from Raymond Wooninck
--- Comment #7 from Bernhard Wiedemann