Bug 335375

Summary: Closing dialog for allowing invalid SSL certificate causes certificate to be accepted
Product: [Frameworks and Libraries] kio
Reporter: Jim Scadden <jims>
Component: kssl
Assignee: Konqueror Developers <konq-bugs>
Severity: normal
CC: adawit, bugs, simonandric5
Priority: NOR
Version: 4.13.1
Target Milestone: ---
Platform: Debian testing
OS: Linux
Latest Commit:
Version Fixed In: 4.14.3
Attachments: kio-kssl_cert-accept-dialog_update.patch

Description Jim Scadden 2014-05-26 15:23:43 UTC
Closing the dialog for choosing how long to accept an invalid certificate for (which gives the options to accept Forever, or for Current Session Only) causes the default option of Current Session Only to be accepted.

Reproducible: Always

Steps to Reproduce:
1. Attempt to connect to server with invalid SSL certificate in KMail or similar
2. On 1st dialog that appears (giving details on why the certificate is invalid), click on Continue
3. Close 2nd dialog rather than selecting one of the 2 available options
Actual Results:  
SSL certificate is temporarily accepted

Expected Results:  
Certificate is rejected, or user is returned to previous dialog
Comment 1 Jim Scadden 2014-05-26 15:28:46 UTC
Created attachment 86831

Proposed patch. Changes dialog from KMessageBox::warningYesNo to KMessageBox::warningYesNoCancel. Closing the dialog now results in a Cancel rather than a No. It also places both dialogs in a loop so that the user is returned to the 1st dialog when cancelling the 2nd, rather than the certificate being accepted.
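The two-dialog flow and the change proposed in this comment, as an added example that is not the attached patch or KDE's tcpslavebase.cpp. It models the dialog results as a pure state machine so the before and after behaviour can be checked without Qt: `Button`, `Outcome`, `ScriptedUser`, `flowBefore`, `flowAfter` and `run` are all assumed names, and `warningYesNo` / `warningYesNoCancel` only imitate the return semantics the comment relies on (closing the window yields No in the former and Cancel in the latter), not the real KMessageBox API.

```cpp
#include <cstddef>
#include <iostream>
#include <vector>

// Assumed stand-ins for KMessageBox button results; values are not the real enum.
enum class Button { Yes, No, Cancel, Closed };

// What the slave ends up doing with the certificate.
enum class Outcome { Rejected, AcceptedForSession, AcceptedForever };

// Scripted "user": each dialog consumes the next press; running out means the
// window was closed, so the flow can never block waiting for input.
struct ScriptedUser {
    std::vector<Button> presses;
    std::size_t next = 0;
    Button press() { return next < presses.size() ? presses[next++] : Button::Closed; }
};

// Models KMessageBox::warningYesNo: there is no Cancel button, and closing the
// window is reported as No (the behaviour the report describes).
Button warningYesNo(ScriptedUser& user) {
    Button b = user.press();
    return (b == Button::Closed || b == Button::Cancel) ? Button::No : b;
}

// Models KMessageBox::warningYesNoCancel: closing the window is reported as Cancel.
Button warningYesNoCancel(ScriptedUser& user) {
    Button b = user.press();
    return b == Button::Closed ? Button::Cancel : b;
}

// Flow as reported. Dialog 1: Continue (Yes) or not. Dialog 2: Forever (Yes) or
// Current Session Only (No). Closing dialog 2 yields No, which is silently read
// as "accept for this session": a fail-open default.
Outcome flowBefore(ScriptedUser& user) {
    if (warningYesNo(user) != Button::Yes) return Outcome::Rejected;
    return warningYesNo(user) == Button::Yes ? Outcome::AcceptedForever
                                             : Outcome::AcceptedForSession;
}

// Flow with the change described in Comment 1: dialog 2 gains a Cancel result,
// closing maps to Cancel, and Cancel loops back to dialog 1 instead of accepting.
Outcome flowAfter(ScriptedUser& user) {
    for (;;) {
        if (warningYesNo(user) != Button::Yes) return Outcome::Rejected;
        Button duration = warningYesNoCancel(user);
        if (duration == Button::Yes) return Outcome::AcceptedForever;
        if (duration == Button::No) return Outcome::AcceptedForSession;
        // Cancel: show the first dialog again.
    }
}

// Runs one flow against a scripted sequence of presses (constructed test input).
Outcome run(Outcome (*flow)(ScriptedUser&), const std::vector<Button>& presses) {
    ScriptedUser user;
    user.presses = presses;
    return flow(user);
}

const char* name(Outcome o) {
    switch (o) {
        case Outcome::Rejected:           return "rejected";
        case Outcome::AcceptedForSession: return "accepted for session";
        case Outcome::AcceptedForever:    return "accepted forever";
    }
    return "?";
}

int main() {
    // Continue on dialog 1, then close dialog 2 with the window's X button.
    std::vector<Button> closeSecond{Button::Yes, Button::Closed};
    std::cout << "before: " << name(run(flowBefore, closeSecond)) << '\n';  // accepted for session
    std::cout << "after:  " << name(run(flowAfter, closeSecond)) << '\n';   // rejected
    return 0;
}
```

The scripted user runs out of presses after closing the second dialog, which the model treats as closing the first dialog too, so the looped flow ends in Rejected: the only way to accept anything is to press one of the two duration buttons explicitly.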
Comment 2 Jim Scadden 2014-06-23 16:39:56 UTC
After the patch for a while I do not believe that it is the best approach. With the patch applied the default option of 'Current Session only' is located on the left and the 'Forever' option is in the middle. Since the 'Continue' button on the previous dialog is also in the middle, this means that a user who neglects to fully read the 2nd dialog box and just clicks will have chosen to accept the certificate forever.

FYI this bug report was forwarded from Debian BTS https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=745556
Comment 3 Graeme Hewson 2014-10-17 16:24:44 UTC
I confirm this in 4.14.2.
Comment 4 Dawit Alemayehu 2014-10-29 11:46:15 UTC
Why is this a bug? In the dialog that asked you to accept or reject the certificate you chose to accept it by clicking on "continue". The next dialog is only there to ask you the duration for which the certificate should be accepted and, as you stated, closing it carries out the default action (accept it for current session).
Comment 5 Graeme Hewson 2014-10-29 12:57:10 UTC
The user has changed his mind, and doesn't want to accept the certificate. He neither wants to accept it "Forever", nor for "Current Session only". It seems intuitive that closing the dialog ("Would you like to accept this certificate forever without being prompted?") by clicking on the X in the top right corner would not accept the certificate.

As the OP says:

Expected Results:  
Certificate is rejected, or user is returned to previous dialog

Test case (currently): https://webwewant.org/
Comment 6 Dawit Alemayehu 2014-11-06 00:41:33 UTC
Git commit 38a89ca0195dedee30240647b86c7b6df6788723 by Dawit Alemayehu.
Committed on 04/11/2014 at 12:23.
Pushed by adawit into branch 'KDE/4.14'.

Allow user to cancel out of the certificate accept duration dialog box.
FIXED-IN: 4.14.3
REVIEW: 120975

M  +29   -23   kio/kio/tcpslavebase.cpp

Comment 7 Dawit Alemayehu 2014-11-10 13:28:37 UTC
Git commit 294a6a0d983e22723851fe07e381e70cb57c6744 by Dawit Alemayehu.
Committed on 10/11/2014 at 13:29.
Pushed by adawit into branch 'master'.

frameworks port of commit 38a89ca:

Allow user to cancel out of the certificate accept duration dialog box.

M  +26   -22   src/core/tcpslavebase.cpp