Bug 167166 - SSL hostname mismatch for ALL certificates
Status: RESOLVED FIXED
Alias: None
Product: konqueror
Classification: Applications
Component: general
Version: unspecified
Platform: unspecified Linux
Importance: NOR normal
Target Milestone: ---
Assignee: Konqueror Developers
Reported: 2008-07-21 20:46 UTC by Michal Witkowski
Modified: 2009-02-02 00:31 UTC
Description Michal Witkowski 2008-07-21 20:46:03 UTC
Version:           4.1.00 (KDE 4.0.99 (4.1 RC1+)) (using 4.1.00 (KDE 4.0.99 (4.1 RC1+)), compiled sources)
Compiler:          gcc
OS:                Linux (i686) release 2.6.25-ARCH

I'm running ArchLinux KDEmod KDE 4.1 RC2 (4.0.99), openssl 0.9.8h and gcc 4.3.1 20080626. A clean user account was used to verify this problem.

Whenever I visit a site with a valid SSL certificate, I get a message that "The hostname did not match any valid hostname in the certificate." After clicking Details one can see that the certificates are in fact valid, and the hostname matches the Common name of the certificate. Moreover, Firefox 3.0 recognizes these certificates as valid without prompting for anything.

This can be reproduced using the following sites:
https://www.mbank.com.pl
https://poczta10.o2.pl

NOTE: For self-signed certificate sites like
https://torrentbytes.net
konqueror reports rightly that the certificate was self-signed (in which case it is right to prompt for acceptance) but also reports that the hostname is different from the CN (which is not the case).
Comment 1 Christophe Marin 2008-07-21 22:20:25 UTC
I can't confirm for the 2 .pl sites but the report for the self-signed certificate is confirmed.
Comment 2 Steve Vialle 2008-07-22 08:57:39 UTC
Confirmed on all counts here, 4.0.99 build.
Comment 3 Pierre Schmitz 2008-07-22 18:29:54 UTC
I can confirm this problem with 4.0.99, openssl-0.9.8h and qca-2.0.1. KMail seems to be affected, too. Even if I add the certs manually via the crypto settings menu, they aren't saved and the list stays empty.
Comment 4 Maksim Orlovich 2008-07-22 18:59:41 UTC
Are you people using -unpatched- 4.0.99? There was a bug like that in trunk, but the change that caused it has never been part of 4.1 branch. Perhaps the distro picked it up? 

 
Comment 5 Pierre Schmitz 2008-07-22 19:53:22 UTC
I only had this patch applied to fix Bug#162600 http://websvn.kde.org/?view=rev&revision=830140. But to make sure I just compiled kdelibs without it (there are no other patches applied to KDE). Using a clean new user the result was the same.
Comment 6 Maksim Orlovich 2008-07-22 20:06:58 UTC
That's -exactly- the change that caused that regression.
Comment 7 Pierre Schmitz 2008-07-22 20:46:32 UTC
That comment made me think, so I recompiled kdebase-runtime and kdebase linking to the vanilla version of kdelibs. Et voilà, it works. :-)

I'll add a note about this regression to #162600. So hereby the bug is solved for me.
Comment 8 Maksim Orlovich 2008-07-22 20:48:06 UTC
No need. That regression is fixed by r832072
Comment 9 Andreas Hartmetz 2009-02-02 00:31:42 UTC
Has been fixed a couple of months ago.
There might be (due to the absence of testing) a problem with more exotic ways to specify valid hostnames in the certificate, but for the vast majority of certificates it's fixed.