Version: (using KDE KDE 3.3.2)
Installed from: Debian testing/unstable Packages
Compiler: gcc-3.3 Konqueror is a pre-built Debian package, I didn't compile it myself.
OS: Linux
After disabling the "Accept for site/email/code signing" settings for all listed SSL signers, Konqueror still allows encrypted connections to SSL sites without any warnings. I would expect it to honour the settings and warn that a cert cannot be verified.
To duplicate:
- In the Crypto config, remove all certs from "Peer SSL Certificates"
- In the "SSL Signers" tab, go through each listed signer and deselect all of the "Accept for site/email/code signing" settings.
- Go to https://www.verisign.com/ (or any other SSL site that isn't self-signed)
The cert will be accepted and the site loaded without warnings. The cert will be added to the "Peer SSL Certificates" tab, and clicking the Verify button gets a "The certificate passed the verification tests successfully" message. Doing the same in Mozilla results in a warning that the certificate could not be verified. This fault has existed for a while. I think I submitted a similar bug about 12 months ago, but can't find any record of it now.
Are you -sure-? Try waiting for a minute or two or even shutting down all konquerors, killing all kio_http processes, and then starting up a new konqueror after you change the settings. I'm pretty sure this works...
Hi George. I have all of the signers permanently disabled, so it's not that I've just disabled them. I'm now using the Debian package "konqueror 4:3.3.2-1sarge1" from Debian Stable. I rechecked it tonight: I run Konqueror and check that every signer is deselected for all modes (site, mail, code) (they are). Then I go into the "Peer SSL Certificates" tab and remove any that are there. This list is now totally empty. I save the settings and exit Konqueror. Then I kill all konqueror and kio_http processes. I run Konqueror again and check that the Peer SSL list is empty (it is). I then go to https://sxip.org/. This is a URL I just picked at random from a Google search, and I have never been to it before as far as I know. Konqueror opens the site with no warnings. When I go into the crypto config, I find that I have two new entries in the Peer SSL List. One for sxip.org and another for ssl.google-analytics.com. Clicking on the sxip.org cert and validating it gets the message that the cert is valid.
In Firefox: When I try the same in Firefox, which also has all the signers permanently disabled, I get a message "Web site certified by an Unknown Authority". When I click "Examine Certificate" there is a message at the top "Could not verify this certificate because the issuer is not trusted". I'd expect this same behaviour from Konqueror. Please let me know if you need me to check anything else. Thanks.
Created attachment 13605: Possible patch
Does this patch fix it? If so, I think a regression was introduced in kdecore.
Do you have a ~/.kde/share/apps/kssl/ directory? And if so, can you do ls -l in there?
Sorry for the delay. I tried to compile to check the patch but had a build error and haven't had a chance to look at it. The directory listing is as follows. Just an empty file:
    sh-2.05b$ pwd
    /home/darryll/.kde/share/apps/kssl
    sh-2.05b$ ls -l
    total 0
    -rw-r----- 1 darryll darryll 0 2005-11-05 15:21 ca-bundle.crt
On Wednesday 30 November 2005 07:53, Darryl Luff wrote:
> Sorry for the delay. I tried to compile to check the patch but had
> a build error and haven't had a chance to look at it. The directory listing
> is as follows. Just an empty file:
>
> sh-2.05b$ pwd
> /home/darryll/.kde/share/apps/kssl
> sh-2.05b$ ls -l
> total 0
> -rw-r----- 1 darryll darryll 0 2005-11-05 15:21 ca-bundle.crt
That's the problem. Are you out of disk space? There's something really broken there...
Plenty of disk space, and I can create files in that directory. I have two accounts on this machine, and both have the same empty file. As a test I created a brand new account, logged in, and ran Konqueror. Deselected all of the certifiers etc, and looked in that directory:
    sh-2.05b$ pwd
    /home/testing/.kde/share/apps/kssl
    sh-2.05b$ id
    uid=10002(testing) gid=100(users) groups=100(users)
    sh-2.05b$ ls -l
    total 0
    -rw-r--r-- 1 testing staff 0 2005-12-12 20:58 ca-bundle.crt
    sh-2.05b$ df -k .
    Filesystem 1K-blocks     Used Available Use% Mounted on
    /dev/hda1   19534372 14422268   5112104  74% /
Is it NFS or some other filesystem than the typical ones? Failing all of that, I think the bug must be in KSaveFile anyway.
Hm no, it doesn't use KSaveFile. The only other option then is that QFile is failing, or that ksslcalist is empty. Do you have a ksslcalist in .kde/share/config and $KDEDIR/share/config?
No, it's just a standard local filesystem. reiserfs on an IDE drive. I have a ksslcalist in /etc/kde3, which starts:
    [/C=US/ST=DC/L=Washington/O=ABA.ECOM, INC./CN=ABA.ECOM Root CA/Email=admin@digsigtrust.com]
    x509=MIIENjCCAx6gAwIB... (etc)
    site=true
    email=true
    code=false
And each user has one in $HOME/.kde/share/config that starts:
    [/C=AT/ST=Austria/L=Vienna/O=Arge Daten Oesterreichische Gesellschaft fuer Datenschutz/Email=a-cert@argedaten.at]
    site=false
    [/C=BE/L=Brussels/O=BelSign NV/OU=BelSign Object Publishing Certificate Authority/CN=BelSign Object Publishing CA/Email=webmaster@belsign.be]
    code=false
    etc...
The settings in the per-user file follow the settings in Konqueror. When the Konqueror settings agree with the global ksslcacert settings, the entry disappears from the per-user file, which seems logical I think.
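Added example, not part of the original report and not KDE code: a small audit that merges a system-wide ksslcalist with a per-user one in the layout quoted above and lists the signers still enabled for each use, so the on-disk state can be compared with what the browser actually accepts. It assumes a per-user key overrides the same key in the global file; the subjects and x509 values in the sample data are constructed placeholders.

```python
# Added example: merge a global and a per-user ksslcalist (sample data is constructed).
USES = ("site", "email", "code")

def parse_groups(text):
    """Parse the [subject] / key=value layout quoted in the thread."""
    groups, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = groups.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")  # x509 values may contain '='
            current[key.strip()] = value.strip()
    return groups

def effective_trust(global_text, user_text):
    """Assumption: a per-user key overrides the same key in the global file."""
    merged = {}
    for subject, entry in parse_groups(global_text).items():
        merged[subject] = {u: entry.get(u, "false") == "true" for u in USES}
    for subject, entry in parse_groups(user_text).items():
        flags = merged.setdefault(subject, dict.fromkeys(USES, False))
        for use in USES:
            if use in entry:
                flags[use] = entry[use] == "true"
    return merged

def still_trusted(merged, use):
    return sorted(s for s, flags in merged.items() if flags[use])

GLOBAL_SAMPLE = """\
[/C=XX/O=Example Alpha/CN=Alpha Root CA]
x509=PLACEHOLDER==
site=true
email=true
code=false
[/C=XX/O=Example Beta/CN=Beta Root CA]
site=true
code=true
"""
USER_SAMPLE = """\
[/C=XX/O=Example Alpha/CN=Alpha Root CA]
site=false
email=false
"""

if __name__ == "__main__":
    merged = effective_trust(GLOBAL_SAMPLE, USER_SAMPLE)
    for use in USES:
        print(use, still_trusted(merged, use))
```

With every signer deselected as in the report, the list for "site" should come back empty; any subject it still prints is one the configuration files leave enabled.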
Well this is just bizarre. You're the only one who reports this, I can't reproduce it, and it just doesn't make sense. The only thing you could do now is start editing KDE source code and adding debug statements in. Is that something you want to do?
I'll have a go. I've done that with components of KDE before, but last time I tried to build parts of KDE I got build failures. I probably have to set up a separate development machine. Is there a doc somewhere that describes how it should work?
On Wednesday 28 December 2005 22:03, Darryl Luff wrote:
> I'll have a go. I've done that with components of KDE before, but
> last time I tried to build parts of KDE I got build failures. I probably
> have to set up a separate development machine.
>
> Is there a doc somewhere that describes how it should work?
You could read on http://developer.kde.org/ , but honestly, I think you have a localized problem and I'm not sure if it's worth the effort...
Thank you for the bug report. As this report hasn't seen any changes in 5 years or more, we ask if you can please confirm that the issue still persists. If this bug is no longer persisting or relevant please change the status to resolved.
I haven't used Konqueror for many years, so can't comment on whether the bug still exists. I guess not many people disable their SSL signers!