Bug 64947 - kssl stores exactly ONE certificate
Summary: kssl stores exactly ONE certificate
Status: RESOLVED FIXED
Alias: None
Product: kio
Classification: Frameworks and Libraries
Component: kssl (show other bugs)
Version: unspecified
Platform: Compiled Sources Linux
: NOR normal
Target Milestone: ---
Assignee: George Staikos
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2003-09-25 23:51 UTC by Oliver Bausinger
Modified: 2003-09-28 00:08 UTC (History)
0 users

See Also:
Latest Commit:
Version Fixed In:


Attachments
kssld.cpp.diff (583 bytes, text/x-diff)
2003-09-27 18:19 UTC, Oliver Bausinger
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Oliver Bausinger 2003-09-25 23:51:39 UTC
Version:            (using KDE Devel)
Installed from:    Compiled sources
Compiler:          gcc (GCC) 3.3.2 20030908 
OS:          Linux

This is with CVS of Sep 24 2003. 

KSSL stores exactly one certificate. That means I always have exactly one entry in 
"Peer SSL Certificates" (and in .../config/ksslpolicies) that gets overwritten when the 
next one is encountered. 
(For example, I have configured in IMAP SSL and POP SSL connection in Kmail.
When checking both, always the next one is forgotten).
Furthermore, when importing my .../config/kssl*, all older peer ssl certificates get lost 
after a new gets cached.

Please ask if you need more information or testing.
Comment 1 George Staikos 2003-09-26 07:21:35 UTC
This is not typical behaviour for virtually all other users.  I have never 
encountered this problem and I use SSL heavily in KDE.  Do you have 
certificates that have identical CNs?  If so, then this is not supported.  You 
can't issue two certificates that are identical in all forms except for the 
key pair.  (at least you can't if you expect it to work with KDE's policy 
caching) 
 
What do you mean by "importing my .../config/kssl*"?  If you mean you copied a 
new config file in, well, yes it will be lost because you did not load them 
into the cache that was running, so it overwrote it. 
Comment 2 Oliver Bausinger 2003-09-26 10:57:14 UTC
Subject: Re:  kssl stores exactly ONE certificate

On Friday 26 September 2003 07:21, you wrote:

> ------- Additional Comments From staikos@kde.org  2003-09-26 07:21 -------
> This is not typical behaviour for virtually all other users.  I have never
> encountered this problem and I use SSL heavily in KDE.  Do you have
> certificates that have identical CNs?  If so, then this is not supported. 
> You can't issue two certificates that are identical in all forms except for
> the key pair.  (at least you can't if you expect it to work with KDE's
> policy caching)

OK. Thanks to your hints I have nailed it down to two certificates always 
replacing each other. 
They have the same CN but are still different. Here's the output after
calling the pop3s

bausi@camino:~/.kde-head/share/config$ cat ksslpolicies  | grep "C="
[/C=DE/ST=Germany/L=Tuebingen/O=Mathematisches Institut/
OU=Automatically-generated POP3 SSL key/
CN=everest.mathematik.uni-tuebingen.de/
emailAddress=admin@everest.mathematik.uni-tuebingen.de]

and imaps ioslave from konqueror:

bausi@camino:~/.kde-head/share/config$ cat ksslpolicies  | grep "C="
[/C=DE/ST=Germany/L=Baden-Wuerttemberg/O=Universitaet Tuebingen/OU=IMAP SSL 
key for everest/CN=everest.mathematik.uni-tuebingen.de/
emailAddress=admin@everest.mathematik.uni-tuebingen.de]

They replace each other. 

If you need the complete certificates, please ask. This definitely work with 
3.1 series.

> What do you mean by "importing my .../config/kssl*"?  If you mean you
> copied a new config file in, well, yes it will be lost because you did not
> load them into the cache that was running, so it overwrote it.

Yes. Ignore this. This couldn't work.
Comment 3 George Staikos 2003-09-26 16:31:03 UTC
Subject: Re:  kssl stores exactly ONE certificate

On Friday 26 September 2003 04:57, you wrote:
> > ------- This is not typical behaviour for virtually all other users.  I
> > have never encountered this problem and I use SSL heavily in KDE.  Do you
> > have certificates that have identical CNs?  If so, then this is not
> > supported. You can't issue two certificates that are identical in all
> > forms except for the key pair.  (at least you can't if you expect it to
> > work with KDE's policy caching)
>
> OK. Thanks to your hints I have nailed it down to two certificates always
> replacing each other.
> They have the same CN but are still different. Here's the output after
> calling the pop3s
>
> bausi@camino:~/.kde-head/share/config$ cat ksslpolicies  | grep "C="
> [/C=DE/ST=Germany/L=Tuebingen/O=Mathematisches Institut/
> OU=Automatically-generated POP3 SSL key/
> CN=everest.mathematik.uni-tuebingen.de/
> emailAddress=admin@everest.mathematik.uni-tuebingen.de]
>
> and imaps ioslave from konqueror:
>
> bausi@camino:~/.kde-head/share/config$ cat ksslpolicies  | grep "C="
> [/C=DE/ST=Germany/L=Baden-Wuerttemberg/O=Universitaet Tuebingen/OU=IMAP SSL
> key for everest/CN=everest.mathematik.uni-tuebingen.de/
> emailAddress=admin@everest.mathematik.uni-tuebingen.de]

   These should not replace eachother IIRC.  They are supposed to be indexed 
by CN.  I don't recall having changed this code since 3.0 or earlier so I'm 
not sure what's wrong.  Have you changed OpenSSL versions?

Comment 4 Oliver Bausinger 2003-09-26 16:50:51 UTC
Subject: Re:  kssl stores exactly ONE certificate

On Friday 26 September 2003 16:31, you wrote:
> ------- You are receiving this mail because: -------
> You reported the bug, or are watching the reporter.
>
> http://bugs.kde.org/show_bug.cgi?id=64947
>
>
>
>
> ------- Additional Comments From staikos@kde.org  2003-09-26 16:31 -------
> Subject: Re:  kssl stores exactly ONE certificate
>
> On Friday 26 September 2003 04:57, you wrote:
> > > ------- This is not typical behaviour for virtually all other users.  I
> > > have never encountered this problem and I use SSL heavily in KDE.  Do
> > > you have certificates that have identical CNs?  If so, then this is not
> > > supported. You can't issue two certificates that are identical in all
> > > forms except for the key pair.  (at least you can't if you expect it to
> > > work with KDE's policy caching)
> >
> > OK. Thanks to your hints I have nailed it down to two certificates always
> > replacing each other.
> > They have the same CN but are still different. Here's the output after
> > calling the pop3s
> >
> > bausi@camino:~/.kde-head/share/config$ cat ksslpolicies  | grep "C="
> > [/C=DE/ST=Germany/L=Tuebingen/O=Mathematisches Institut/
> > OU=Automatically-generated POP3 SSL key/
> > CN=everest.mathematik.uni-tuebingen.de/
> > emailAddress=admin@everest.mathematik.uni-tuebingen.de]
> >
> > and imaps ioslave from konqueror:
> >
> > bausi@camino:~/.kde-head/share/config$ cat ksslpolicies  | grep "C="
> > [/C=DE/ST=Germany/L=Baden-Wuerttemberg/O=Universitaet Tuebingen/OU=IMAP
> > SSL key for everest/CN=everest.mathematik.uni-tuebingen.de/
> > emailAddress=admin@everest.mathematik.uni-tuebingen.de]
>
>    These should not replace eachother IIRC.  They are supposed to be
> indexed by CN.  I don't recall having changed this code since 3.0 or
> earlier so I'm not sure what's wrong.  Have you changed OpenSSL versions?

My Debian KDE 3.1 packages and my self compiled HEAD both use:

bausi@camino:~$ apt-cache show openssl | grep Version
Version: 0.9.7b-2

And I have no other openssl version on my system.
No clue. Tried it yourself imaps://everest... and pop3s://everest... ?
Comment 5 Oliver Bausinger 2003-09-27 18:19:33 UTC
Subject: Re:  kssl stores exactly ONE certificate

Gotcha!

I think I found a workaround. The attached patch to kssld.cpp fixes it for me 
(both certificates can coexist).

It seems that KSSL believes that the next certificate is a newer version of 
the other one and therefore replaces it  (because both have the same CN), see 
revision 1.20 of kssld.cpp.

Surprisingly, the same code is existant in KDE_3_1_BRANCH but does not cause 
the problem there (I tested). So something went wrong with the forward 
porting.



Created an attachment (id=2595)
kssld.cpp.diff
Comment 6 George Staikos 2003-09-27 22:53:35 UTC
This patch is of course wrong, but I could change it to use the subject instead of the 
CN I think.  The real problem, perhaps, is that you have two identities for the same 
IP which is not the way things are supposed to work (AFAIK).  There is no need to 
have a different certificate for each port on the same machine. 
Comment 7 George Staikos 2003-09-28 00:08:15 UTC
Subject: kdelibs/kio/misc/kssld

CVS commit by staikos: 

Add workaround for annoying server configuration, perhaps against my better
judgement.  I doubt I will make many more changes than this one for this type
of setup.

CCMAIL: 64947-done@bugs.kde.org


  M +21 -1     kssld.cpp   1.23
  M +1 -0      kssld.h   1.12


--- kdelibs/kio/misc/kssld/kssld.cpp  #1.22:1.23
@@ -236,5 +236,5 @@ KSSLCNode *node;
         n->permanent = permanent;
         // remove the old one
-        cacheRemoveByCN(KSSLX509Map(n->cert->getSubject()).getValue("CN"));
+        cacheRemoveBySubject(n->cert->getSubject());
         certList.prepend(n); 
 
@@ -368,4 +368,24 @@ KSSLCNode *node;
 
 return false;
+}
+
+
+bool KSSLD::cacheRemoveBySubject(QString subject) {
+KSSLCNode *node;
+bool gotOne = false;
+
+        for (node = certList.first(); node; node = certList.next()) {
+                if (node->cert->getSubject() == subject) {
+                        certList.remove(node);
+                        cfg->deleteGroup(node->cert->getSubject());
+                        searchRemoveCert(node->cert);
+                        delete node;
+                        gotOne = true;
+                }
+        }
+
+        cacheSaveToDisk();
+
+return gotOne;
 }
 

--- kdelibs/kio/misc/kssld/kssld.h  #1.11:1.12
@@ -63,4 +63,5 @@ k_dcop:
 
   bool cacheRemoveByCN(QString cn);
+  bool cacheRemoveBySubject(QString subject);
   bool cacheRemoveByCertificate(KSSLCertificate cert);
                


Comment 8 Oliver Bausinger 2003-09-28 12:20:08 UTC
Subject: Re:  kssl stores exactly ONE certificate

i'm sorry I didn't mean to annoy you :-). Thanks anyway for the patch because
it fixes a regression from 3.1. 
And I don't think that this server setup is so strange. Having a pop and imap 
server on the same machine is not so uncommon. And as different servers can 
be considered different entities it's not insane to issue different 
certificates for them. (For example, when installing the courier suite it 
issues different certs for pop, imap and stmp).
But now I stop wasting your time :-) Thanks again.