Version: 4.2.4 (using KDE 4.2.4)
OS: Linux
Installed from: Debian testing/unstable Packages
When connecting to https sites (e.g. https://www.last.fm/login or https://www.citibank.de/), a server authentication dialogue pops up stating that certificate validation failed, because the certificate could not be checked due to internal reasons (literally in German: "Das Zertifikat kann aus internen Gründen nicht überprüft werden"). The same message appears in the certificate info box when clicking on the green shield in the location bar.
Cannot reproduce in KDE 4 trunk. Probably it could be fixed in KDE 4.3 too. Could you check it and confirm? Thanks.
I can confirm with 4.3.1 (openSUSE 11.1). Go to https://qt.nokia.com/customerportal. This is what you get:
    The server failed the authenticity check (qt.nokia.com).
    The certificate authority's certificate is invalid
    The root certificate authority's certificate is not trusted for this purpose
    The certificate cannot be verified for internal reasons
Clicking on Details shows that the Subject and Issuer tabs are completely empty! (The labels are shown but they show no content.) The Validity period shows 00:00 to 00:00.
Unfortunately, right now I cannot test, because Debian Testing is still on 4.2.4. However, it might be interesting that this problem shows up only on certain (but quite many!) sites. For example:
Fail: https://www.comdirect.de. Certificate information, including subject and issuer, displays correctly, and a correct certificate chain is shown up to Verisign Class 3 PCA G5, which is shown as trusted. Also, the intermediate certificate is shown as trusted; only for the server certificate itself is the indicated error message shown. Same for https://www.simyo.de.
No problem at all appears e.g. for https://www.verisign.com/.
Looking closer, however, I'm not so sure that the problem is with Konqueror or any KDE components, because
    openssl s_client -connect www.comdirect.de:443 -debug \
        -CAfile /etc/ssl/certs/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem
also gives some strange diagnostics:
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : AES256-SHA
        Session-ID: 95E4BBF7B242D3648D0B2710043080750890999CB97ED4E8FD3ED55A33B55C1E
        Session-ID-ctx:
        Master-Key: 87E55DB788BBAC6C57F8DD8FE80AFB8CA15A6559D6FA3B99FEB767BCEC66E5DAC5DDBBDBCF462C6508F4499504EFEDB4
        Key-Arg   : None
        Start Time: 1252749636
        Timeout   : 300 (sec)
        Verify return code: 7 (certificate signature failure)
So - looks like this problem has to do rather with OpenSSL or the trusted certificates' installation on Debian testing? Can you confirm this? Best regards, Andreas.
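Added example, not part of the original comments: the isolation step taken in the comment above, reading the verify return code from saved openssl s_client output to tell whether the TLS library itself rejects the chain, independent of the application. The sample output is constructed from the session summary quoted above (key material omitted), and the function names verify_code, verify_reason and triage are hypothetical.

```shell
#!/bin/sh
# Constructed sample: tail of `openssl s_client` output, modelled on the
# session summary quoted in the comment above.
SAMPLE_FAIL='SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Start Time: 1252749636
    Timeout   : 300 (sec)
    Verify return code: 7 (certificate signature failure)'

# Constructed sample of a successful validation, for comparison.
SAMPLE_OK='SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Verify return code: 0 (ok)'

# Print the numeric verify code found in s_client output, or "none".
# The last match wins, since s_client may print the line more than once.
verify_code() {
    code=$(printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\) (.*)$/\1/p' |
        tail -n 1)
    printf '%s\n' "${code:-none}"
}

# Print the human-readable reason that follows the code.
verify_reason() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*Verify return code: [0-9][0-9]* (\(.*\))$/\1/p' |
        tail -n 1
}

# Decide where to look next: the TLS library and trust store, or the application.
triage() {
    case "$(verify_code "$1")" in
        0)    echo "library-ok: OpenSSL validated the chain; check the application and its trust store" ;;
        none) echo "no-result: no verify line found (handshake failed or output truncated)" ;;
        *)    echo "library-fail: OpenSSL itself rejects the chain ($(verify_reason "$1"))" ;;
    esac
}

triage "$SAMPLE_FAIL"
triage "$SAMPLE_OK"
```

To use it on a live check, save the s_client output to a variable or file first and pass its contents to triage.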
It has nothing to do with the OpenSSL lib on my PC, because testing https://qt.nokia.com/customerportal with konqueror/KDE3 shows different information than the same site opened with konqueror/KDE4 on the same PC at the same time. I attach here 2 screenshots of the SSL information dialogs from KDE3 and KDE4 in that case.
Created attachment 36908: SSL-info-KDE3 screenshot
Created attachment 36909: SSL-info-KDE4 screenshot
I am experiencing a similar problem on KDE 4.2.4 as provided by Mandriva. Shortly after (at least I'm pretty sure it was shortly after) a rather massive upgrade by Mandriva about a week ago, Kmail couldn't authenticate either for sending or receiving. When I attempt to receive mail I get a message, "The server failed the authenticity check (ipostoffice.worldnet.att.net). The certificate cannot be verified for internal reasons." I get a similar message if I attempt to send mail. Clicking "Details" on the message provides the following information:
Sending:
    Current connection is secured with SSL
    Address: imailhost.worldnet.att.net
    IP address: 204.127.217.19
    Encryption: AES, using 256 bits of a 256 bit key
    Details: Auth=RSA, Kx=RSA, MAC=SHA-1
    SSL Version: SSLv3
    Certificate chain: imailhost.worldnet.att.net
    Subject:
        Common name: imailhost.worldnet.att.net
        Organization: AT&T Services, Inc.
        Organizational unit: Worldnet mail (SMTP) 3
        Country: US
        State: New Jersey
        City: Middletown
    Trusted: No, there were errors: The certificate cannot be verified for internal reasons
    Validity period: 4/27/09 – 4/27/10 11:59 pm
    Serial Number MD5 Digest: 4a544c11f4a2158d655c284938140643
    Issuer:
        Common name: VeriSign Class 3 Secure Server CA
        Organization: VeriSign, Inc.
        Organizational unit: Terms of use at https://www.verisign.com/rpa (c)05
        Country: US
Receiving:
    Address: ipostoffice.worldnet.att.net
    IP address: 204.127.134.145
    Encryption: AES, using 256 bits of a 256 bit key
    Details: Auth=RSA, Kx=RSA, MAC=SHA-1
    SSL Version: SSLv3
    Certificate chain: ipostoffice.worldnet.att.net
    Subject:
        Common name: ipostoffice.worldnet.att.net
        Organization: AT&T Services, Inc.
        Organizational unit: Worldnet mail (POP3) 3
        Country: US
        State: New Jersey
        City: Middletown
    Trusted: No, there were errors. The certificate cannot be verified for internal reasons
    Validity period: 04/27/09 12:00 am to 04/27/10 11:59 pm
    Serial number: fedc25038240b9e669d98b4443d47b77
    Issuer:
        Common name: VeriSign Class 3 Secure Server CA
        Organization: VeriSign, Inc.
Subsequently I found that Konqueror also fails to authenticate. Firefox does authenticate at the same website. (The websites where I know the authentication fails are ATT's web based email log in site, ATT email via Kmail, and my bank. I can log into the web based email and bank with Firefox.) If someone were to tell me what other information I should supply, I would be happy to do so.
Whatever the problem was - it's gone now (probably due to the update of Debian/testing to KDE 4.3.1). About the other problem (no subject data shown in the certificate details dialogue) - I suggest opening a separate issue for this. I never had such a problem, so it seems to be unrelated.