Bug 299453 - rekonq doesn't trust verisign (extended) certificate
Summary: rekonq doesn't trust verisign (extended) certificate
Status: RESOLVED FIXED
Alias: None
Product: rekonq
Classification: Unclassified
Component: general (show other bugs)
Version: unspecified
Platform: Chakra Linux
: NOR major (vote)
Target Milestone: 0.10
Assignee: Andrea Diamantini
URL: http://www.kbc.be/
Keywords:
Depends on:
Blocks:
 
Reported: 2012-05-05 17:23 UTC by Michel Brabants
Modified: 2013-01-03 16:20 UTC (History)
6 users (show)

See Also:
Latest Commit:
Version Fixed In:


Attachments
Exported certificate with rekonq (1.75 KB, application/PEM)
2012-05-31 18:24 UTC, ro.ggi
Details
Exported certificate with firefox (1.72 KB, application/PEM)
2012-05-31 18:26 UTC, ro.ggi
Details
rekonq working on kbc.be on arch & virtual kubuntu (306.94 KB, image/png)
2012-11-29 00:26 UTC, Andrea Diamantini
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Michel Brabants 2012-05-05 17:23:07 UTC
Hello,

rekonq doesn't trust this site (a bank), while it works fine. The problem seems to be that rekonq says that the root certificate isn't signed by a trusted resource ...(?) This seems to be an extended ssl certificate, which may be the problem?

It works in firefox however and I believe that the skype-site has the same problem.

Thank you for this nice browser. Kind regards,

Michel

Reproducible: Always

Steps to Reproduce:
1. Go to site
2. See certificate-warning-message
3. Open in firefox. No problem.


Expected Results:  
See the site as a trusted site.
Comment 1 ro.ggi 2012-05-31 18:19:02 UTC
Here is other site that Rekonq shows as not trusted:
https://banking.postbank.de/rai/login

Rekonq shows the wrong certificate digests. I have exported the certificate with rekonq and firefox to show the difference.
Comment 2 ro.ggi 2012-05-31 18:24:59 UTC
Created attachment 71480 [details]
Exported certificate with rekonq
Comment 3 ro.ggi 2012-05-31 18:26:20 UTC
Created attachment 71481 [details]
Exported certificate with firefox
Comment 4 Andrea Diamantini 2012-06-24 09:17:27 UTC
Git commit 1304a1a979873a716ad58f7050fe5e927cd9ed5a by Andrea Diamantini.
Committed on 20/06/2012 at 19:21.
Pushed by adjam into branch 'master'.

Just check first certificate dates and errors to state IT is valid

M  +6    -6    src/webpage.cpp

http://commits.kde.org/rekonq/1304a1a979873a716ad58f7050fe5e927cd9ed5a
Comment 5 Thomas Pfeiffer 2012-08-23 19:49:07 UTC
I still experience the problem on Chakra with Rekonq 1.0
Comment 6 Michel Brabants 2012-09-05 20:32:49 UTC
The problem still exists on version 1.1 in kde 4.9 ... It is a nice browser, but useless because of this certificate-problem.

Everytime I visit a site requiring security, I can't use it, so I just use firefox most of the time ...

Anyway, whatever you changed, it didn't fix it. I hope you'll find the problem.

Thanks
Comment 7 Thomas Pfeiffer 2012-09-05 20:38:31 UTC
I assume by now that this is a Chakra-specific problem, since it affects at least the Qt browsers there (Konqueror and Qupzilla) as well and looks like only Chakra users are reporting the problem here.

I have therefore opened a bug in Chakra ( http://www.chakra-linux.org/bugs/index.php?do=details&task_id=473 ), I'd recommend to vote for and comment on it.
Comment 8 ro.ggi 2012-09-06 10:05:36 UTC
I can confirm you that. I have just tested Rekonq 1.0 from Backports on Kubuntu 12.04 and there is no problem more with the certificate checking.
Comment 9 Andrea Diamantini 2012-09-09 09:18:55 UTC
It works here on ArchLinux and people reported it works on kubuntu. So I consider this fixed.
Comment 10 Andrea Diamantini 2012-09-09 09:20:38 UTC
Forgot to say... fixed because before my commit we were really refusing extended certificates. After the reopen, I should say resolved ->downstream.
Comment 11 abveritas 2012-11-28 02:16:41 UTC
(In reply to comment #9)
> It works here on ArchLinux and people reported it works on kubuntu. So I
> consider this fixed.
I can reproduce the exact same issue on Arch and Chakra (all 3 sites linked on the Chakra bug report show none of the certificates are trusted in Arch either), what qtwebkit version are you using?  Qt version from the Arch repo's or custom build?
Comment 12 Andrea Diamantini 2012-11-28 08:37:44 UTC
I'm using qtwebkit from Arch repository, of course. Otherwise, I would not state it working on Arch linux here ;)
Comment 13 abveritas 2012-11-28 12:49:46 UTC
(In reply to comment #12)
> I'm using qtwebkit from Arch repository, of course. Otherwise, I would not
> state it working on Arch linux here ;)

Should I open a bug report in Arch then?  Since with all repository packages from Arch, none of the mentioned site work.  No idea how you get them to work on Arch.
Comment 14 abveritas 2012-11-28 18:03:20 UTC
(In reply to comment #13)
> (In reply to comment #12)
> > I'm using qtwebkit from Arch repository, of course. Otherwise, I would not
> > state it working on Arch linux here ;)
> 
> Should I open a bug report in Arch then?  Since with all repository packages
> from Arch, none of the mentioned site work.  No idea how you get them to
> work on Arch.

Not sure now where the fix is tested, bug is still present in Chakra, Arch, and Kubuntu (latest ISO, rekonq 1.1
Comment 15 Andrea Diamantini 2012-11-29 00:25:35 UTC
well... I read bug report in chakra it seems I let it work, while given the bugfix it JUST works here. To get sure about what I'm saying I downloaded myself last kubuntu DVD and installed it in virtualbox.
In my test there rekonq works as expected.
In the screenshot attached, you can see rekonq 1.1 on kubuntu && rekonq 1.80 (will be released tomorrow) on arch working on the site.
I can ensure they share the same code SSL related. In fact the commit in this bug was my last one in the SSL area.
On the other hand, I saw in kubuntu the kio widget saying the certificate is not trusted (would you like  to trust it forever/for the current session ??), while on load finished rekonq correctly recognizes the certificate. The kio problem is beyond my bunch of code and cannot probably be fixed until kde 5.
Comment 16 Andrea Diamantini 2012-11-29 00:26:26 UTC
Created attachment 75527 [details]
rekonq working on kbc.be on arch & virtual kubuntu
Comment 17 abveritas 2012-11-29 00:30:28 UTC
The whole point for the bug report imo is the need to accept the untrusted site.  There is no issue in any distro to get to any of these banking sites by clicking through the untrusted warnings.
Comment 18 Thomas Pfeiffer 2012-11-29 08:12:18 UTC
Hm so you mean the certificate warning which occurs when loading a page in rekonq does not come from rekonq itself, but from KIO? Why is there a KIO warning when loading a page in a browser?
Abveritas is correct: The issue of this bug is not that the pages cannot be loaded at all, but that there is a certificate warning even though the certificate is actually correct (the same pages load without a warning in Firefox).
Comment 19 Andrea Diamantini 2012-11-29 09:42:28 UTC
well.. what you stated in the last 2 comments is obvious. In fact rekonq, also before this bug report and the related fix, was loading the sites without problems.
What I'd like to let you note is that AFTER the bug fix, when one of the sites reported here is loaded, rekonq shows a green bar (it basically means SSL ok) and clicking on the usual lock (ssl) icon reports the correct certificates showing they are correctly trusted.
The message window shown during site load in some of them comes from kio. It has nothing to do with rekonq, but I cannot disable it in any way (at least in kdelibs4). Yes, I can remove it stopping using kio :)
This also means it will be shown with every app using kio browsing an https site with "extended" certificate (rekonq, konqueror/khtml, konqueror/webkit, etc.) but NOT qupzilla, using plain qt network. if it doesn't work there they have a separate and different bug.
Comment 20 abveritas 2012-11-29 13:07:31 UTC
Since this bug is exactly the same for any Qt browser (including konqueror using KHTML or webkit, qtestbrowser and qupzilla), seems to me this is a bug in Qt.
Comment 21 Jack 2012-12-08 00:41:56 UTC
I just stumbled on the same bug in KMyMoney 4.6.3, KDE 4.9.3, with libofx 0.9.5, under Gentoo Linux, when trying to fetch transactions via OFX-direct-connect.  To me, that shows it is not browser related at all, but beyond that, I can't tell whether it's qt, ssl, kio, ....  However, something is clearly wrong.
Comment 22 Nikos Bestas 2012-12-08 22:57:03 UTC
there is the same issue in opensuse 12.2 64 bit.
konqueror and rekonq

KDE / konqueror 4.9.3
rekonq 1.3
Comment 23 ro.ggi 2013-01-03 16:20:44 UTC
I filed a bug in Kio here: https://bugs.kde.org/show_bug.cgi?id=312550