Bug 163133

Summary: SSL Certificate signed by a trusted intermediate CA not recognized
Product: [Unmaintained] kio Reporter: Michael Tänzer <neo>
Component: ksslAssignee: Konqueror Bugs <konqueror-bugs-null>
Status: RESOLVED WORKSFORME    
Severity: normal CC: neo
Priority: NOR    
Version First Reported In: unspecified   
Target Milestone: ---   
Platform: Ubuntu   
OS: Linux   
Latest Commit: Version Fixed/Implemented In:
Sentry Crash Report:

Description Michael Tänzer 2008-06-03 15:16:21 UTC 
Version:            (using KDE 3.5.9)
Installed from:    Ubuntu Packages
OS:                Linux

I have a server cert from http://www.cacert.org which is not signed by the root CA but a intermediate CA (Class 3 CA) from CAcert and this Class3 CA is signed by the root CA.
CAcert signs certs of everyone with it's root CA but only people who have been properly tested get a cert signed by the Class3 CA. So the idea is basically, that if you trust all people signed by CAcert then you import the root CA into your browser (certs signed by Class3 are automatically trusted as it's signed by the root CA) and if you want to trust only people which have been tested more thoroughly, then you import only the class3 CA.

When I import the Class3 CA into Konqueror it tells me that my site is not properly signed.
If I also import the root CA it works.

The Class3 cert has the CA flag set to true and it works in Firefox3, FF2 (only tested on Windows) and Epiphany, so I assume all gecko based browsers. Opera9 and IE7 however show the same behaviour as Konqueror (Safari uses the OS infrastructure and therefore behaves like IE7 (I don't have a Mac to try it there)).

How to Reproduce:
Go to http://www.cacert.org -> Root Certificate
In section "Class 3 PKI Key" choose "Intermediate Certificate (PEM Format)" and import it into your browser.
Go to https://nhng.dyndns.org there should be the apache default site "It works!" but a warning pops up.
If the "Root Certificate (PEM Format)" from CAcert is imported too, no warning is shown.

Expected Behaviour:
The cert should also be valid if only the Class3 cert has been imported.
If any cert on the path from the server we want to connect to and the root of the certificate tree is trusted, and the signing path from the trusted node to the server cert is valid, then the server cert should be considered as valid.

I use Konqueror 3.5.9 from the Ubuntu-Repositories
Comment 1 Michael Tänzer 2010-03-30 03:47:09 UTC 
Hi,

Unfortunately there has been no action on this bug. In the meantime my server has changed the URL it is now https://nhng.de (yay, own domain). I tried to verify whether this bug is still present in the current version of Konqueror/KDE but I found out that there's currently no easy way to import certificates in KDE4 (current == Ubuntu 9.10 == KDE 4.3.5).
Comment 2 Andrew Crouthamel 2018-11-02 23:05:14 UTC 
Dear Bug Submitter,

This bug has been stagnant for a long time. Could you help us out and re-test if the bug is valid in the latest version? I am setting the status to NEEDSINFO pending your response, please change the Status back to REPORTED when you respond.

Thank you for helping us make KDE software even better for everyone!
Comment 3 Andrew Crouthamel 2018-11-16 05:38:57 UTC 
Dear Bug Submitter,

This is a reminder that this bug has been stagnant for a long time. Could you help us out and re-test if the bug is valid in the latest version?

Thank you for helping us make KDE software even better for everyone!
Comment 4 Justin Zobel 2022-12-13 02:53:58 UTC 
Thank you for reporting this issue in KDE software. As it was reported on an older version, can we please ask you to see if you cazn reproduce the issue with a more recent software version?  
  
If you can confirm this issue still exists in a recent version, please change the version field and the status to "REPORTED" when replying. Thank you!
Comment 5 Bug Janitor Service 2022-12-28 05:23:27 UTC 
Dear Bug Submitter,

This bug has been in NEEDSINFO status with no change for at least
15 days. Please provide the requested information as soon as
possible and set the bug status as REPORTED. Due to regular bug
tracker maintenance, if the bug is still in NEEDSINFO status with
no change in 30 days the bug will be closed as RESOLVED > WORKSFORME
due to lack of needed information.

For more information about our bug triaging procedures please read the
wiki located here:
https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging

If you have already provided the requested information, please
mark the bug as REPORTED so that the KDE team knows that the bug is
ready to be confirmed.

Thank you for helping us make KDE software even better for everyone!
Comment 6 Bug Janitor Service 2023-01-12 05:16:26 UTC 
This bug has been in NEEDSINFO status with no change for at least
30 days. The bug is now closed as RESOLVED > WORKSFORME
due to lack of needed information.

For more information about our bug triaging procedures please read the
wiki located here:
https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging

Thank you for helping us make KDE software even better for everyone!