Bug 306899 - certificate from www.ziggo.nl is not automatically accepted (regression)
Summary: certificate from www.ziggo.nl is not automatically accepted (regression)
Status: RESOLVED UPSTREAM
Alias: None
Product: kdelibs
Classification: Frameworks and Libraries
Component: general (show other bugs)
Version: 4.9.1
Platform: OpenSUSE Linux
: NOR normal (vote)
Target Milestone: ---
Assignee: kdelibs bugs
URL: http://www.ziggo.nl
Keywords:
Depends on:
Blocks:
 
Reported: 2012-09-16 20:56 UTC by Cor Blom
Modified: 2013-01-03 16:18 UTC (History)
3 users (show)

See Also:
Latest Commit:
Version Fixed In:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Cor Blom 2012-09-16 20:56:32 UTC
When I go to www.ziggo.nl with rekonq or konqueror (both khtml and webkit) I have to a long time and then get a dialogue window with the message that the certificate could not be validated (with the options details, continue or annuleren). This did not happen with kde 4.8.5, the site loaded without problems.

When I choose an option and continue to another site, certificates are not accepted automatically any more.

Reproducible: Always

Steps to Reproduce:
1. Start rekonq or konqueror
2. Go to www.ziggo.nl
3. 
Actual Results:  
A long time nothing happens, then the dialogue window with problem about certificate appears

Expected Results:  
Site loads without problems (as it did in 4.8.5)

This problem does not occur when I only update the qt4 libraries. I only occurs when I update kde to 4.9.1 (from 4.8.5).
Comment 1 Cor Blom 2012-09-25 08:27:38 UTC
Started a discussion on opensuse-kde:

http://lists.opensuse.org/opensuse-kde/2012-09/msg00264.html

It is confirmed by others and it might be openSUSE 12.2 specific.

It happens also in kmail. Do not know what kind of certificates are giving problems.
Comment 2 Cor Blom 2012-10-15 21:50:03 UTC
Filed downstream:

https://bugzilla.novell.com/show_bug.cgi?id=782309
Comment 3 Stefan Brüns 2012-11-02 14:55:24 UTC
(In reply to comment #1)
> Started a discussion on opensuse-kde:
> 
> http://lists.opensuse.org/opensuse-kde/2012-09/msg00264.html
> 
> It is confirmed by others and it might be openSUSE 12.2 specific.

More exactly:
openSSL 1.0.1 specific. oS 12.1 shipped 1.0.0, thus is not affected. Other distros most probably have the same problem with their latest incarnation.

This bug is related to, but not the same as:
http://bugs.kde.org/show_bug.cgi?id=306964 and
http://bugs.kde.org/show_bug.cgi?id=308854

In this case, the server actually supports TLSv1.2:
$> openssl s_client -msg  -connect www.ziggo.nl:443
CONNECTED(00000003)
>>> TLS 1.2  [length 013b]
    01 00 01 37 03 03  ... // ClientHello, protocol version: 03 03: SSL version 3.3 aka TLS1.2
<<< TLS 1.2  [length 0051]
    02 00 00 4d 03 03  ... // ServerHello, TLS 1.2

The bug is in QT itself:
src/network/ssl/qsslsocket_openssl.cpp:188

QSslCipher QSslSocketBackendPrivate::QSslCipher_from_SSL_CIPHER(SSL_CIPHER *cipher)
{
   QSslCipher ciph; char buf [256];
    QString descriptionOneLine = QString::fromLatin1(q_SSL_CIPHER_description(cipher, buf, sizeof(buf)));
    QStringList descriptionList = descriptionOneLine.split(QLatin1String(" "), QString::SkipEmptyParts);
...
        QString protoString = descriptionList.at(1);
        ciph.d->protocolString = protoString;
        ciph.d->protocol = QSsl::UnknownProtocol;
        if (protoString == QLatin1String("SSLv3"))
            ciph.d->protocol = QSsl::SslV3;
        else if (protoString == QLatin1String("SSLv2"))
            ciph.d->protocol = QSsl::SslV2;
        else if (protoString == QLatin1String("TLSv1"))
            ciph.d->protocol = QSsl::TlsV1;
...
}

So no match for TLS > 1.0 -> QSsl:UnknownProtocol.

Qt 5.0 has the needed defines for TLS1.1/1.2, should we backport?
Comment 4 András Manţia 2012-12-03 10:27:26 UTC
Yes, it should be backported to Qt 4.8.x, but... was it reported to the Qt bugtracker? Even if some KDE developers do Qt development, they are still different projects.
Comment 5 Cor Blom 2013-01-02 12:32:11 UTC
I reported this bug, but I do not have this bug anymore on openSUSE 12.2 with the latest KDE from KDE:Release:49 (4.9.5 at the moment with qt 4.8.4). I do not know why or that this means it is solved.