Bug 306899

Summary: certificate from www.ziggo.nl is not automatically accepted (regression)
Product: [Frameworks and Libraries] kdelibs
Reporter: Cor Blom <cornelis>
Component: general
Assignee: kdelibs bugs <kdelibs-bugs>
Status: RESOLVED UPSTREAM
Severity: normal
CC: amantia, kensington, stefan.bruens
Priority: NOR    
Version: 4.9.1   
Target Milestone: ---   
Platform: openSUSE   
OS: Linux   
URL: http://www.ziggo.nl
Latest Commit:
Version Fixed In:

Description Cor Blom 2012-09-16 20:56:32 UTC
When I go to www.ziggo.nl with rekonq or konqueror (both khtml and webkit) I have to wait a long time and then get a dialogue window with the message that the certificate could not be validated (with the options details, continue or annuleren). This did not happen with kde 4.8.5, the site loaded without problems.

When I choose an option and continue to another site, certificates are not accepted automatically any more.

Reproducible: Always

Steps to Reproduce:
1. Start rekonq or konqueror
2. Go to www.ziggo.nl
Actual Results:  
A long time nothing happens, then the dialogue window with problem about certificate appears

Expected Results:  
Site loads without problems (as it did in 4.8.5)

This problem does not occur when I only update the qt4 libraries. It only occurs when I update kde to 4.9.1 (from 4.8.5).
Comment 1 Cor Blom 2012-09-25 08:27:38 UTC
Started a discussion on opensuse-kde:

http://lists.opensuse.org/opensuse-kde/2012-09/msg00264.html

It is confirmed by others and it might be openSUSE 12.2 specific.

It happens also in kmail. Do not know what kind of certificates are giving problems.
Comment 2 Cor Blom 2012-10-15 21:50:03 UTC
Filed downstream:

https://bugzilla.novell.com/show_bug.cgi?id=782309
Comment 3 Stefan Brüns 2012-11-02 14:55:24 UTC
(In reply to comment #1)
> Started a discussion on opensuse-kde:
> 
> http://lists.opensuse.org/opensuse-kde/2012-09/msg00264.html
> 
> It is confirmed by others and it might be openSUSE 12.2 specific.

More exactly:
openSSL 1.0.1 specific. oS 12.1 shipped 1.0.0, thus is not affected. Other distros most probably have the same problem with their latest incarnation.

This bug is related to, but not the same as:
http://bugs.kde.org/show_bug.cgi?id=306964 and
http://bugs.kde.org/show_bug.cgi?id=308854

In this case, the server actually supports TLSv1.2:
$> openssl s_client -msg  -connect www.ziggo.nl:443
CONNECTED(00000003)
>>> TLS 1.2  [length 013b]
    01 00 01 37 03 03  ... // ClientHello, protocol version: 03 03: SSL version 3.3 aka TLS1.2
<<< TLS 1.2  [length 0051]
    02 00 00 4d 03 03  ... // ServerHello, TLS 1.2

The bug is in Qt itself:
src/network/ssl/qsslsocket_openssl.cpp:188

QSslCipher QSslSocketBackendPrivate::QSslCipher_from_SSL_CIPHER(SSL_CIPHER *cipher)
{
    QSslCipher ciph;
    char buf [256];
    QString descriptionOneLine = QString::fromLatin1(q_SSL_CIPHER_description(cipher, buf, sizeof(buf)));
    QStringList descriptionList = descriptionOneLine.split(QLatin1String(" "), QString::SkipEmptyParts);
...
        QString protoString = descriptionList.at(1);
        ciph.d->protocolString = protoString;
        ciph.d->protocol = QSsl::UnknownProtocol;
        if (protoString == QLatin1String("SSLv3"))
            ciph.d->protocol = QSsl::SslV3;
        else if (protoString == QLatin1String("SSLv2"))
            ciph.d->protocol = QSsl::SslV2;
        else if (protoString == QLatin1String("TLSv1"))
            ciph.d->protocol = QSsl::TlsV1;
...
}

So no match for TLS > 1.0 -> QSsl::UnknownProtocol.

Qt 5.0 has the needed defines for TLS1.1/1.2, should we backport?
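
Added example, not part of the original comment and not Qt's code: a standard C++ reduction of the protocol-field mapping quoted in comment 3, run on constructed lines in the SSL_CIPHER_description() layout. The Proto enum, the function names, the sample lines and the extended mapping are assumptions of this example.

```cpp
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Hypothetical stand-in for QSsl::SslProtocol (names belong to this example).
enum class Proto { Unknown, SslV2, SslV3, TlsV1_0, TlsV1_1, TlsV1_2 };

// Second whitespace-separated field of a cipher description line,
// the same field the quoted code reads via descriptionList.at(1).
std::string protocolField(const std::string &description)
{
    std::istringstream in(description);
    std::string name, proto;
    in >> name >> proto;   // operator>> skips runs of spaces, like SkipEmptyParts
    return proto;
}

// Mapping as in the quoted snippet: only three strings are recognised.
Proto mapAsQuoted(const std::string &p)
{
    if (p == "SSLv3") return Proto::SslV3;
    if (p == "SSLv2") return Proto::SslV2;
    if (p == "TLSv1") return Proto::TlsV1_0;
    return Proto::Unknown;   // everything else, including "TLSv1.2"
}

// Assumed extension (not Qt's code): also accept TLS 1.1 and 1.2 version strings.
Proto mapExtended(const std::string &p)
{
    if (p == "TLSv1.1") return Proto::TlsV1_1;
    if (p == "TLSv1.2") return Proto::TlsV1_2;
    return mapAsQuoted(p);
}

// Constructed sample lines in the SSL_CIPHER_description() layout.
const std::vector<std::string> kSamples = {
    "AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1",
    "ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD",
};

int main()
{
    for (const std::string &line : kSamples) {
        const std::string p = protocolField(line);
        std::cout << p << ": quoted=" << static_cast<int>(mapAsQuoted(p))
                  << " extended=" << static_cast<int>(mapExtended(p)) << '\n';
    }
}
```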
Comment 4 András Manţia 2012-12-03 10:27:26 UTC
Yes, it should be backported to Qt 4.8.x, but... was it reported to the Qt bugtracker? Even if some KDE developers do Qt development, they are still different projects.
Comment 5 Cor Blom 2013-01-02 12:32:11 UTC
I reported this bug, but I do not have this bug anymore on openSUSE 12.2 with the latest KDE from KDE:Release:49 (4.9.5 at the moment with qt 4.8.4). I do not know why, or whether this means it is solved.