Bug 114797

Summary: After getting "The server certificate failed the authenticity test" message, press Continue and Forever, certificate not saved
Product: [Unmaintained] kio
Component: general
Status: RESOLVED DUPLICATE
Severity: normal
Priority: NOR
Version: 4.1
Target Milestone: ---
Platform: unspecified
OS: Linux
Reporter: Earl Ruby <eruby>
Assignee: David Faure <faure>
CC: adawit, ahartmetz, jux, linux, mcguire, spammail01, Tanktalus

Description Earl Ruby 2005-10-21 05:51:30 UTC
Version:           1.8 (using KDE 3.4.0 Level "b" , SUSE 9.3)
Compiler:          gcc version 3.3.5 20050117 (prerelease) (SUSE Linux)
OS:                Linux (i686) release 2.6.11.4-21.9-smp

I have reviewed the other bugs that are similar to this one but they are not quite the same. Most of them also seem to have been resolved about two years ago.

This just started happening to me a few days ago. I am using self-signed certificates and SuSE 9.3 with the latest updates. Everything was working fine until I accidentally shut down KDE Wallet while KMail was open. On the next mail check, KMail "forgot" all of my passwords.

After restarting KDE Wallet and re-entering my passwords KMail now shows "The server certificate failed the authenticity test" message every time it connects to my mail servers. I press Continue and Forever, but the certificates are not saved.

# rpm -qa | grep ssl
openssl-devel-0.9.7e-3
perl-ldap-ssl-0.29-137
openssl-0.9.7e-3.2
docbook-dsssl-stylesheets-1.79-3
openssl-doc-0.9.7e-3

Comment 1 Rocco Stanzione 2006-08-25 05:38:52 UTC
I can confirm this, exactly as described, on Ubuntu Dapper with KDE 3.5.4 packages.

Comment 2 Rocco Stanzione 2006-09-10 00:33:48 UTC
This seems to be a kwalletmanager problem.  The symptoms went away for a while, and when they returned I noticed that kwalletmanager had no open wallets, and I could not create a new one (file->new wallet does nothing).

Comment 3 Rocco Stanzione 2006-09-12 07:25:59 UTC
Found the cause.  kded is not running.  If I start it manually, everything starts behaving normally.  kwallet should probably complain when this happens.  I see a line of code there to do it (around line 350 in kwalletmanager.cpp) but it's commented out.  Google tells me that line's been that way for a year or so, waiting for someone to say it's ok to uncomment it, since it requires a new i18n.  I'd still like to figure out why kded crashes, and I would also love it if kmail would complain that it's failing to save what it acts like it's saving.  Not sure whether to leave this as kdepim, or to reassign to kdeutils for kwallet.

Comment 4 Tommi Tervo 2006-09-12 10:01:41 UTC
Message unfreeze is still open (1). I added George to CC, he's the kwallet(manager) maintainer.
(1) http://lists.kde.org/?l=kde-core-devel&m=115502806824435&w=2

Comment 5 stephan beal 2006-09-18 19:28:06 UTC
I am also seeing this problem, and kded *is* running.

KMail 1.9.1 under KDE 3.5.1 (Suse Linux 10.1). Unfortunately, I am not able to upgrade this box to see if a newer version fixes this problem.


~/ # ps -ef | grep kded
simone    5618     1  0 Sep14 ?        00:00:03 kded [kdeinit]
stephan  10316     1  0 Sep14 ?        00:00:50 kded [kdeinit]

I get this error not every time I send a mail via an SSL smtp server, but about 1/2 the time.

Comment 6 Darin McBride 2009-01-04 15:13:49 UTC
I'm getting this problem with kde 4.1.87, kded is running, and I'm connecting to my web provider over SSL (I don't have my own IP address, so I'm sure the certificate isn't going to be "valid" anyway).  I try to select "forever", but next time I log in to KDE (e.g., after upgrading to a newer snapshot, or rebooting), it forgets this, and I have to tell it to accept it again.

Comment 7 Thomas McGuire 2009-01-04 16:18:55 UTC
Reassigning to KIO, this is a KIO/kdelibs bug.

Comment 8 Juergen Mathwich 2009-02-07 11:26:57 UTC
I can confirm this bug in Version 4.2.00 (KDE 4.2.0) "release 88.2" (OpenSuSE 11.1 - KDE Factory). 
It happens with 1 (of 3 in total) SSL IMAP Accounts using valid CaCert certificates. There is nothing special with the one account that forgets the "forever"-setting - so it seems to be a little weird.

Comment 9 Dave Silvester 2009-10-06 10:44:13 UTC
Same thing is happening here to me, as of a few days ago, running Kmail 1.12.1, KDE Wallet Manager 1.4 and KDE 4.3.1 on Sidux.

Seems to happen every time it checks my mail, on certain (but not all) of the servers I'm connecting to using POP3 + SSL, on mail servers where the hostname I'm connecting to is different to that of the SSL certificate. (My own hostnames using the certificate for the hosting company's email servers.)

When I click "Forever" in response to "Would you like to accept this certificate forever without being prompted?", it does not remember that I've done so, and asks me every single time it checks my mail on these servers.

It does not do it for all the servers I connect to in this way - yet as far as I know (and can verify), all of them point to the exact same hostname, and should thus behave the same.

kded4 is running, and I have also run "kded4 --check" just to make sure, which returns with no errors.

"kded4 -v" returns:
Qt: 4.5.2
KDE: 4.3.1 (KDE 4.3.1)
KDE Daemon: $Id: kded.cpp 944898 2009-03-26 13:01:25Z dfaure $

KDE Wallet is running, and my main wallet appears to be open with no problem.

I also tried removing (renaming) ~/.kde/share/config/ksslcertificatemanager and it was recreated automatically, very soon afterwards, with contents as expected, e.g. the hostnames I am connecting to and exceptions to be applied to them.

However, for the servers that I am repeatedly having to click "Forever" on, the lines in ~/.kde/share/config/ksslcertificatemanager appear to have incorrect/missing exception rules for them, while the others do not.

For example, the lines end:

,HostNameMismatch,SelfSignedCertificate

when they should end:

,HostNameMismatch,InvalidCertificateAuthority,UntrustedCertificate,CertificateSignatureFailed

I have tried manually editing this file (with everything closed) but presumably it fails some kind of integrity checking upon reopening, and is rewritten with the same omissions to the rules as before.

I haven't finished experimenting with it yet - will post again if I find out more.

Comment 10 Dave Silvester 2009-10-06 15:10:40 UTC
See comment #9 above for an initial description of my problems.

There was one incorrect detail in my posting above - my apologies for this. I stated that I was using "POP3 + SSL" when in actual fact, I was using POP3 + TLS for the secure connection.

I have now switched to using SSL on port 995, and the problem appears to have vanished. After one more prompting and me selecting "Forever", I am not prompted again - so far at least!

I'm still not entirely sure why this is, but it may be a significant detail that this only seems to happen when using TLS for the connection?

Furthermore, upon checking the contents of ~/.kde/share/config/ksslcertificatemanager (which I tried removing again, to see what it would be recreated with) after making this change to using SSL, I note that all the server entry lines now have the expected rules as follows:

HostNameMismatch,InvalidCertificateAuthority,UntrustedCertificate,CertificateSignatureFailed

One interesting side point: it seems one server line I expected to be in this file (exact same setup as the others, both server and Kmail) is not present, and is not prompting me in any way. This is the server associated with my default Kmail identity. Strange.

So it seems I've found a workaround for me - and in terms of security of connection, as far as I know, SSL and TLS are considered "equivalent".

A hypothesis: perhaps whatever library it is which makes the connection over TLS is sometimes re-writing the lines in the ksslcertificatemanager file with different exception rules? I observed something a little like this happening while having the file open in Kate and repeatedly checking my email and clicking "Forever" - lines would change and then be changed back again almost straight away afterwards.

Are there two libraries writing to the same file?  Or two different parts of the same library? Just a guess - I haven't done any real programming for quite some time!
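
The comparison described in comments 9 and 10, as an added example that is not part of the original bug report or of KDE's code: it reads a ksslcertificatemanager-style file and lists, per host, which errors a stored "Forever" exception does not cover. The file layout, the function names and the sample entries are assumptions; only the error names are taken from the comments.

```python
# Added example: audit stored "Forever" exceptions in a ksslcertificatemanager-style file.
# ASSUMED layout (not confirmed by the page): INI-style [certificate-digest] groups with
# one "hostname=ExpireUTC <date>,<Error>,<Error>..." key per host and a CertificatePEM key.

# Error list that comment 9 says the affected lines should end with.
EXPECTED = frozenset({
    "HostNameMismatch", "InvalidCertificateAuthority",
    "UntrustedCertificate", "CertificateSignatureFailed",
})

# Constructed sample; digest, hostnames and dates are placeholders.
SAMPLE = """\
[aa11placeholderdigest]
CertificatePEM=-----BEGIN CERTIFICATE-----\\n...placeholder...
mail.example.org=ExpireUTC 2010-10-06T10:00:00,HostNameMismatch,SelfSignedCertificate
pop.example.net=ExpireUTC 2010-10-06T10:00:00,HostNameMismatch,InvalidCertificateAuthority,UntrustedCertificate,CertificateSignatureFailed
"""

def parse_rules(text):
    """Return {(digest, host): set of ignored error names}."""
    rules, digest = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            digest = line[1:-1]          # new certificate group
            continue
        key, sep, value = line.partition("=")
        if not sep or digest is None or key == "CertificatePEM":
            continue                     # skip the stored certificate itself
        fields = [f.strip() for f in value.split(",") if f.strip()]
        rules[(digest, key)] = {f for f in fields if not f.startswith("ExpireUTC")}
    return rules

def uncovered(rules, reported=EXPECTED):
    """Map host -> sorted reported errors that the stored rule does not ignore."""
    out = {}
    for (_, host), ignored in rules.items():
        if "Reject" in ignored:          # explicit rejection, not an exception
            continue
        missing = sorted(reported - ignored)
        if missing:
            out[host] = missing
    return out

if __name__ == "__main__":
    for host, missing in uncovered(parse_rules(SAMPLE)).items():
        print(f"{host}: stored rule does not cover {', '.join(missing)}")
```

The same listing doubles as an inventory of which hosts have a permanent certificate exception and for which errors.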

Comment 11 Thomas McGuire 2009-10-09 13:34:27 UTC
Adding Andreas to the CC list.

Comment 12 Mohammed El-Beltagy 2010-03-15 16:06:20 UTC
Same problem on Kubuntu Jaunty running kmail 1.11.2. I also tried the fix in comment #10 and still it did not work for me.

Comment 13 Dawit Alemayehu 2012-05-15 20:22:44 UTC

*** This bug has been marked as a duplicate of bug 233628 ***