Summary: | kssl stores exactly ONE certificate | ||
---|---|---|---|
Product: | [Frameworks and Libraries] kio | Reporter: | Oliver Bausinger <bausi> |
Component: | kssl | Assignee: | George Staikos <staikos> |
Status: | RESOLVED FIXED | ||
Severity: | normal | ||
Priority: | NOR | ||
Version: | unspecified | ||
Target Milestone: | --- | ||
Platform: | Compiled Sources | ||
OS: | Linux | ||
Latest Commit: | Version Fixed In: | ||
Attachments: | kssld.cpp.diff |
Description
Oliver Bausinger
2003-09-25 23:51:39 UTC
This is not typical behaviour for virtually all other users. I have never encountered this problem and I use SSL heavily in KDE. Do you have certificates that have identical CNs? If so, then this is not supported. You can't issue two certificates that are identical in all forms except for the key pair. (at least you can't if you expect it to work with KDE's policy caching)

What do you mean by "importing my .../config/kssl*"? If you mean you copied a new config file in, well, yes it will be lost because you did not load them into the cache that was running, so it overwrote it.

Subject: Re: kssl stores exactly ONE certificate

On Friday 26 September 2003 07:21, you wrote:
> ------- Additional Comments From staikos@kde.org 2003-09-26 07:21 -------
> This is not typical behaviour for virtually all other users. I have never
> encountered this problem and I use SSL heavily in KDE. Do you have
> certificates that have identical CNs? If so, then this is not supported.
> You can't issue two certificates that are identical in all forms except for
> the key pair. (at least you can't if you expect it to work with KDE's
> policy caching)

OK. Thanks to your hints I have nailed it down to two certificates always replacing each other.
They have the same CN but are still different. Here's the output after calling the pop3s

bausi@camino:~/.kde-head/share/config$ cat ksslpolicies | grep "C="
[/C=DE/ST=Germany/L=Tuebingen/O=Mathematisches Institut/
OU=Automatically-generated POP3 SSL key/
CN=everest.mathematik.uni-tuebingen.de/
emailAddress=admin@everest.mathematik.uni-tuebingen.de]

and imaps ioslave from konqueror:

bausi@camino:~/.kde-head/share/config$ cat ksslpolicies | grep "C="
[/C=DE/ST=Germany/L=Baden-Wuerttemberg/O=Universitaet Tuebingen/OU=IMAP SSL key for everest/CN=everest.mathematik.uni-tuebingen.de/
emailAddress=admin@everest.mathematik.uni-tuebingen.de]

They replace each other. If you need the complete certificates, please ask.
This definitely works with 3.1 series.

> What do you mean by "importing my .../config/kssl*"? If you mean you
> copied a new config file in, well, yes it will be lost because you did not
> load them into the cache that was running, so it overwrote it.

Yes. Ignore this. This couldn't work.

Subject: Re: kssl stores exactly ONE certificate

On Friday 26 September 2003 04:57, you wrote:
> > ------- This is not typical behaviour for virtually all other users. I
> > have never encountered this problem and I use SSL heavily in KDE. Do you
> > have certificates that have identical CNs? If so, then this is not
> > supported. You can't issue two certificates that are identical in all
> > forms except for the key pair. (at least you can't if you expect it to
> > work with KDE's policy caching)
>
> OK. Thanks to your hints I have nailed it down to two certificates always
> replacing each other.
> They have the same CN but are still different. Here's the output after
> calling the pop3s
>
> bausi@camino:~/.kde-head/share/config$ cat ksslpolicies | grep "C="
> [/C=DE/ST=Germany/L=Tuebingen/O=Mathematisches Institut/
> OU=Automatically-generated POP3 SSL key/
> CN=everest.mathematik.uni-tuebingen.de/
> emailAddress=admin@everest.mathematik.uni-tuebingen.de]
>
> and imaps ioslave from konqueror:
>
> bausi@camino:~/.kde-head/share/config$ cat ksslpolicies | grep "C="
> [/C=DE/ST=Germany/L=Baden-Wuerttemberg/O=Universitaet Tuebingen/OU=IMAP SSL
> key for everest/CN=everest.mathematik.uni-tuebingen.de/
> emailAddress=admin@everest.mathematik.uni-tuebingen.de]

These should not replace each other IIRC. They are supposed to be indexed by CN. I don't recall having changed this code since 3.0 or earlier so I'm not sure what's wrong. Have you changed OpenSSL versions?

Subject: Re: kssl stores exactly ONE certificate

On Friday 26 September 2003 16:31, you wrote:
> ------- You are receiving this mail because: -------
> You reported the bug, or are watching the reporter.
>
> http://bugs.kde.org/show_bug.cgi?id=64947
>
> ------- Additional Comments From staikos@kde.org 2003-09-26 16:31 -------
> Subject: Re: kssl stores exactly ONE certificate
>
> On Friday 26 September 2003 04:57, you wrote:
> > > ------- This is not typical behaviour for virtually all other users. I
> > > have never encountered this problem and I use SSL heavily in KDE. Do
> > > you have certificates that have identical CNs? If so, then this is not
> > > supported. You can't issue two certificates that are identical in all
> > > forms except for the key pair. (at least you can't if you expect it to
> > > work with KDE's policy caching)
> >
> > OK. Thanks to your hints I have nailed it down to two certificates always
> > replacing each other.
> > They have the same CN but are still different. Here's the output after
> > calling the pop3s
> >
> > bausi@camino:~/.kde-head/share/config$ cat ksslpolicies | grep "C="
> > [/C=DE/ST=Germany/L=Tuebingen/O=Mathematisches Institut/
> > OU=Automatically-generated POP3 SSL key/
> > CN=everest.mathematik.uni-tuebingen.de/
> > emailAddress=admin@everest.mathematik.uni-tuebingen.de]
> >
> > and imaps ioslave from konqueror:
> >
> > bausi@camino:~/.kde-head/share/config$ cat ksslpolicies | grep "C="
> > [/C=DE/ST=Germany/L=Baden-Wuerttemberg/O=Universitaet Tuebingen/OU=IMAP
> > SSL key for everest/CN=everest.mathematik.uni-tuebingen.de/
> > emailAddress=admin@everest.mathematik.uni-tuebingen.de]
>
> These should not replace each other IIRC. They are supposed to be
> indexed by CN. I don't recall having changed this code since 3.0 or
> earlier so I'm not sure what's wrong. Have you changed OpenSSL versions?

My Debian KDE 3.1 packages and my self compiled HEAD both use:

bausi@camino:~$ apt-cache show openssl | grep Version
Version: 0.9.7b-2

And I have no other openssl version on my system. No clue. Tried it yourself imaps://everest... and pop3s://everest... ?

Subject: Re: kssl stores exactly ONE certificate

Gotcha!
I think I found a workaround. The attached patch to kssld.cpp fixes it for me (both certificates can coexist). It seems that KSSL believes that the next certificate is a newer version of the other one and therefore replaces it (because both have the same CN), see revision 1.20 of kssld.cpp. Surprisingly, the same code is existent in KDE_3_1_BRANCH but does not cause the problem there (I tested). So something went wrong with the forward porting.

Created an attachment (id=2595)
kssld.cpp.diff

This patch is of course wrong, but I could change it to use the subject instead of the CN I think. The real problem, perhaps, is that you have two identities for the same IP which is not the way things are supposed to work (AFAIK). There is no need to have a different certificate for each port on the same machine.

Subject: kdelibs/kio/misc/kssld

CVS commit by staikos:

Add workaround for annoying server configuration, perhaps against my better judgement. I doubt I will make many more changes than this one for this type of setup.

CCMAIL: 64947-done@bugs.kde.org

M +21 -1 kssld.cpp 1.23
M +1 -0 kssld.h 1.12

--- kdelibs/kio/misc/kssld/kssld.cpp #1.22:1.23 @@ -236,5 +236,5 @@ KSSLCNode *node; n->permanent = permanent; // remove the old one - cacheRemoveByCN(KSSLX509Map(n->cert->getSubject()).getValue("CN")); + cacheRemoveBySubject(n->cert->getSubject()); certList.prepend(n); @@ -368,4 +368,24 @@ KSSLCNode *node; return false; +} + + +bool KSSLD::cacheRemoveBySubject(QString subject) { +KSSLCNode *node; +bool gotOne = false; + + for (node = certList.first(); node; node = certList.next()) { + if (node->cert->getSubject() == subject) { + certList.remove(node); + cfg->deleteGroup(node->cert->getSubject()); + searchRemoveCert(node->cert); + delete node; + gotOne = true; + } + } + + cacheSaveToDisk(); + +return gotOne; } --- kdelibs/kio/misc/kssld/kssld.h #1.11:1.12 
@@ -63,4 +63,5 @@ k_dcop: bool cacheRemoveByCN(QString cn); + bool cacheRemoveBySubject(QString subject); bool cacheRemoveByCertificate(KSSLCertificate cert);

Subject: Re: kssl stores exactly ONE certificate

I'm sorry I didn't mean to annoy you :-). Thanks anyway for the patch because it fixes a regression from 3.1. And I don't think that this server setup is so strange. Having a pop and imap server on the same machine is not so uncommon. And as different servers can be considered different entities it's not insane to issue different certificates for them. (For example, when installing the courier suite it issues different certs for pop, imap and smtp). But now I stop wasting your time :-)

Thanks again.
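Review bot: The eviction in the @@ -236 hunk of kssld.cpp now matches on the exact subject string, so a reissued certificate whose subject differs in any field (a changed OU, for instance) no longer displaces the stale entry, and both stay cached under the same CN. The comment "// remove the old one" should say what counts as "the old one" after this change, and it is worth checking that cacheRemoveByCN(), which is still declared in kssld.h, behaves sensibly when several cached entries share a CN.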
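Review bot: In the new cacheRemoveBySubject() (the @@ -368 hunk of kssld.cpp) the loop removes entries from certList while the for header advances with certList.next(). If certList is a QPtrList, remove() already makes the following item current, so the next() call can step over the entry right after a removed one and a second entry with the same subject may survive. Restart from certList.first() after a removal, or fetch the successor before calling certList.remove(node). Separately, cacheSaveToDisk() runs even when nothing matched; guarding it with gotOne would avoid rewriting the policy file for no change.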
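Review bot: The declaration "bool cacheRemoveBySubject(QString subject);" added under k_dcop in kssld.h has no comment on the expected argument format. The implementation compares with node->cert->getSubject() using ==, so callers must pass the full subject string exactly as getSubject() returns it; the header should state that next to the declaration.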
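The eviction behaviour this thread tracks down, as an added example (not code from the bug report or from KDE): a cache keyed on CN lets the two certificates quoted above displace each other, while keying on the full subject keeps both. The function and enum names are hypothetical, and the subject strings are the reporter's with the mail line wraps removed.

```cpp
#include <cstddef>
#include <iostream>
#include <iterator>
#include <list>
#include <string>

// Extract one field (e.g. "CN") from an OpenSSL one-line subject such as
// "/C=DE/O=Example/CN=host". Returns "" if absent. Simplification: assumes
// field values contain no '/'.
std::string subjectField(const std::string& subject, const std::string& key) {
    const std::string needle = "/" + key + "=";
    std::string::size_type start = subject.find(needle);
    if (start == std::string::npos) return "";
    start += needle.size();
    const std::string::size_type end = subject.find('/', start);
    return subject.substr(start, end == std::string::npos ? end : end - start);
}

enum class Key { CommonName, FullSubject };  // hypothetical names

// Evict whatever the cache treats as "the old one", then prepend the new entry.
void cacheAdd(std::list<std::string>& cache, const std::string& subject, Key key) {
    const std::string cn = subjectField(subject, "CN");
    for (auto it = cache.begin(); it != cache.end();) {
        const bool same = (key == Key::CommonName)
                              ? subjectField(*it, "CN") == cn
                              : *it == subject;
        // erase() returns the next valid iterator, so no entry is skipped
        it = same ? cache.erase(it) : std::next(it);
    }
    cache.push_front(subject);
}

// Entries left after caching both certificates quoted in the thread.
std::size_t entriesAfterBoth(Key key) {
    const std::string host = "everest.mathematik.uni-tuebingen.de";
    const std::string tail = "/CN=" + host + "/emailAddress=admin@" + host;
    std::list<std::string> cache;
    cacheAdd(cache, "/C=DE/ST=Germany/L=Tuebingen/O=Mathematisches Institut"
                    "/OU=Automatically-generated POP3 SSL key" + tail, key);
    cacheAdd(cache, "/C=DE/ST=Germany/L=Baden-Wuerttemberg/O=Universitaet Tuebingen"
                    "/OU=IMAP SSL key for everest" + tail, key);
    return cache.size();
}

int main() {
    std::cout << "keyed by CN: " << entriesAfterBoth(Key::CommonName) << "\n"
              << "keyed by subject: " << entriesAfterBoth(Key::FullSubject) << "\n";
}
```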