Bug 312550 - Incorrect SSL warnings in kde apps
Summary: Incorrect SSL warnings in kde apps
Status: RESOLVED NOT A BUG
Alias: None
Product: kio
Classification: Frameworks and Libraries
Component: kssl
Version: 4.9.3
Platform: Ubuntu Linux
Importance: NOR normal
Target Milestone: ---
Assignee: Konqueror Developers
URL: https://fsfe.org/
Keywords:
Depends on:
Blocks:
 
Reported: 2013-01-03 16:14 UTC by ro.ggi
Modified: 2014-03-27 05:01 UTC (History)
CC: 7 users

See Also:
Latest Commit:
Version Fixed In:


Attachments
SSL warning in Konqueror (81.43 KB, image/jpeg)
2013-01-03 16:18 UTC, ro.ggi
Details
Invalid certificate (229.74 KB, image/png)
2013-01-07 12:48 UTC, ro.ggi
Details
Valid certificate (242.34 KB, image/png)
2013-01-07 12:49 UTC, ro.ggi
Details
128 bit RC4 certificate from Google (98.43 KB, image/png)
2013-11-23 15:51 UTC, Thiago Jung Bauermann
Details

Description ro.ggi 2013-01-03 16:14:58 UTC
Certain KDE applications display certificate warnings for trusted sites (the sites are also verified with Firefox, and the necessary certificates seem to be present in the KDE SSL-Settings module). For example, when you enter https://www.postbank.de/ with Rekonq or Konqueror, such a warning occurs. Someone reported the same problem with KMyMoney here: https://bugs.kde.org/show_bug.cgi?id=299453
I'm not sure if this is a Kio problem. So I hope to hear an expert opinion.

Reproducible: Always
Comment 1 ro.ggi 2013-01-03 16:18:16 UTC
Created attachment 76167 [details]
SSL warning in Konqueror
Comment 2 ro.ggi 2013-01-04 19:27:09 UTC
Found solution myself, just imported missing “VeriSign, Inc. Class 3 Public Primary Certification Authority” certificate from Firefox. So problem is incomplete SSL certificate support: https://bugs.kde.org/show_bug.cgi?id=162485
Comment 3 Jack 2013-01-05 19:09:19 UTC
Sorry if I'm just being dense, but import that certificate into what app, and where do I find the certificate? If you mean by the symlink in comment 26 of that bug, it already exists on my system (Gentoo, KDE 4.9.3)

(I reported the KMyMoney problem, and I'm still getting the error.)
Comment 4 ro.ggi 2013-01-07 12:47:12 UTC
Firefox > edit > preferences > advanced > encryption > view certificates > select missed certs > export > save with .pem ending. Then KDE Systemsettings > SSL Preferences > add > navigate to just exported certs.

Problem is to find proper certificate. More general solution is to load Firefox cert bundle from http://curl.haxx.se/docs/caextract.html


It worked for my bank page. However, I have found that Kio warnings can still come up on some pages, even if the SSL connection to the page works fine. So I mark this bug again as unconfirmed.



Steps to reproduce:

1. Make sure you have actual StartCom root CAs installed (or export it from Firefox), also:
StartCom Certification Authority serial number 1 
StartCom Certification Authority serial number 45
StartCom Certification Authority G2 serial number 59

2. Go to https://fsfe.org/
You get a warning (see first screenshot) that says that it is an invalid certificate for 256 bit AES encryption and the certificate chain contains only the curie.fsfeuropa.org certificate.

3. Now close the window, click cancel and you will see that the SSL connection is still established. Clicking on the green shield symbol in the address bar opens the window with the current SSL information, and here you see different details than in the previous window: RC4 128 Bit encryption with a valid StartCom certificate chain (see second screenshot).


So, the problem is probably that this page offers two different certificates to establish an SSL connection, one valid and one not, but Kssl checks both certificates and displays a warning.
Comment 5 ro.ggi 2013-01-07 12:48:57 UTC
Created attachment 76272 [details]
Invalid certificate
Comment 6 ro.ggi 2013-01-07 12:49:38 UTC
Created attachment 76273 [details]
Valid certificate
Comment 7 Klemens Dickbauer 2013-01-13 12:33:02 UTC
I use kubuntu and experience this problem for the last three or so releases. Actually I run 12.10 with kde 4.9.3. The warning pops up for maybe all ssl connections, so when I start up rekonq with all my tabs I get this warning about 20 times.

If I can be of any help to reproduce the problem I'd be glad to help.
Comment 8 Jari Laamanen 2013-02-22 21:04:52 UTC
*** This bug has been confirmed by popular vote. ***
Comment 9 Jack 2013-03-10 17:22:05 UTC
I'm no longer getting the error with kioslaves 4.9.5 (Gentoo linux) and I don't believe I ever manually installed the cert. Did it somehow get resolved, or did I just get lucky?
Comment 10 ro.ggi 2013-03-16 20:43:01 UTC
You are right, there are changes in it and now my bank page works without warnings (thanks to everybody who helped to solve this). But I still get such a warning by visiting https://fsfe.org
Comment 11 Jack 2013-03-16 21:52:01 UTC
I get no error on that page with Firefox, but I do get the error with Konqueror 4.9.5, so I guess the problem is only partly solved.
Comment 12 Legits 2013-08-15 04:36:04 UTC
I think the issue I'm having is related to this bug. I'm not able to log into my account at https://www.epsilen.com/security/login.aspx using QupZilla, rekonq, or Konqueror; I can log in fine using Chromium. I use Arch with KDE version 4.10.5 and Qt 4.8.5. My usual browser is QupZilla version 1.4.3 with WebKit version 537.21. This is the message I get when I navigate to the above URL:

SSL Certificate Error!
The page you are trying to access has the following errors in the SSL certificate:
Organization: 
Domain Name: *.epsilen.com
Expiration Date: 15:50:51 Friday 11. October 2013
Error: The issuer certificate of a locally looked up certificate could not be found
Error: The root CA certificate is not trusted for this purpose
Error: No certificates could be verified
Would you like to make an exception for this certificate?
Yes/No
Comment 13 Thiago Jung Bauermann 2013-11-23 15:49:19 UTC
I have this problem every day. In my case most if not all of the SSL certificates that KDE complains about are from Google. I started noticing that they are of the 128-bit RC4 certificates, like the one I am attaching to this bug report.

My suspicion then is that KDE doesn't trust RC4 128-bit certificates, for some reason.
Comment 14 Thiago Jung Bauermann 2013-11-23 15:51:43 UTC
Created attachment 83718 [details]
128 bit RC4 certificate from Google

This is an example of a certificate that is rejected by KDE (in this case, it comes from the Google Calendar Akonadi Resource).
Comment 15 Thiago Jung Bauermann 2013-11-23 16:00:09 UTC
Forgot to mention that this is with KDE 4.11.2 and Qt 4.8.2.
Comment 16 Dawit Alemayehu 2013-11-23 19:53:13 UTC
KDE relies on Qt for SSL certificates and as far as I know Qt loads the system certificates whenever available. That means on Linux/Unix like systems it loads the ca-certificate bundle that comes bundle with most distros. Here is a list of paths from which Qt attempts to load SSL certificates:

https://qt.gitorious.org/qt/kde-qt/source/983e244eca6cca1e11402b3af5470a07c2b22fc2:src/network/ssl/qsslsocket_openssl.cpp#L774
Comment 17 Thiago Jung Bauermann 2013-12-29 03:32:37 UTC
Since Firefox and Chromium don't complain about the certificate, just KDE apps (Kopete, Akonadi and Konqueror), I think it's unlikely that it's a problem with the system certificates.

I tried to investigate what could be prompting KDE (or Qt, I don't know) to reject that certificate, but I don't know much about SSL/TLS and it turns out that it is more complicated than I thought, so it was taking much more time than I have and I had to stop.

I did find out that it's a cross-certificate. It's certificate 1b here:

http://stackoverflow.com/questions/10682863/how-does-it-work-found-one-ssl-certificate-two-different-chains-and-two-differe

Given that it's not a trivial certificate, and that there's bug 162485 (KDE 4 SSL Certificate support incomplete), I'm more inclined to think that it's a bug in KDE or Qt.

Perhaps this bug should depend on bug #162485.
Comment 18 Dawit Alemayehu 2013-12-29 15:35:32 UTC
(In reply to comment #17)
> Since Firefox and Chromium don't complain about the certificate, just KDE
> apps (Kopete, Akonadi and Konqueror) I think it's unlikely that it's a
> problem with the system certificates.

Yes, it is, but do not take my word for it. You can test this for yourself. 

1.) Get the Mozilla certificate bundle (cacert.pem) from curl site: http://curl.haxx.se/docs/caextract.html or any other place you want.
2.) ALT+F2 and type "SSL" and select SSL Preferences from the list to launch the SSL certificate management dialog.
3.) Click on "Add" and choose the certificate bundle from Mozilla and press OK.
4.) Visit the site reported in this report again and see if any SSL errors are reported.

I guarantee you that the SSL errors will no longer be there. And if you check the SSL preferences dialog you would see that 5 new certificates are imported as the result of the process I outline above. If you disable the VeriSign certificate under the "User-added certificates" section, you can disable/remove that certificate and see if the error returns or not for yourself.

As far as the site listed in comment #12, you get SSL warnings in both Chromium and Firefox so that certificate is not a trusted one. Anyhow, missing certificates are the cause for the warning shown here. And on my system at least that is most certainly due to "ca-certificates 20130906-1" not containing all the certificates that are in Mozilla's bundle.

> I tried to investigate what could be prompting KDE (or Qt, I don't know) to
> reject that certificate, but I don't know much about SSL/TLS and it turns
> out that it is more complicated than I thought, so it was taking much more
> time than I have and I had to stop.
> 
> I did find out that it's a cross-certificate. It's certificate 1b here:
> 
> http://stackoverflow.com/questions/10682863/how-does-it-work-found-one-ssl-
> certificate-two-different-chains-and-two-differe
> 
> Given that it's not a trivial certificate, and that there's bug 162485 (KDE
> 4 SSL Certificate support incomplete), I'm more inclined to think that it's
> a bug in KDE or Qt.

That is simply not correct.

> Perhaps this bug should depend on bug #162485.

That is a very old bug report that is not applicable today for the reasons I stated in my previous comment. KDE no longer installs its own certificate bundle. Instead it relies on Qt and the certificate bundles it uses. Perhaps Qt's implementation was deficient when that bug report was opened, but that is most certainly not the case now. As a result the bug report itself has already been addressed and should have been closed.
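Added illustration (not code from this bug, KDE or Qt) of the point argued in comments 17 and 18: the same server-sent chain, containing a cross-signed root as in comment 17, verifies or fails depending on which roots the local trust store holds and on how the path builder consults that store. Two strategies are modelled: "server-sent certificates first, then the trust store" (how OpenSSL 1.0.1 built chains) and "trust store first at every step" (OpenSSL's X509_V_FLAG_TRUSTED_FIRST). The certificates, names and key ids are constructed, and signatures are reduced to a key-id match.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    """Toy X.509 certificate: only the fields path building looks at."""
    subject: str    # Subject DN
    issuer: str     # Issuer DN
    key_id: str     # stands in for the certificate's public key
    signed_by: str  # key_id of the key whose signature is on this cert


def find_issuer(cert: Cert, pool: List[Cert]) -> Optional[Cert]:
    """First cert in pool that names cert's issuer AND holds the key that
    signed it (the toy equivalent of checking the signature)."""
    for cand in pool:
        if cand.subject == cert.issuer and cand.key_id == cert.signed_by:
            return cand
    return None


def build_chain(leaf: Cert, sent: List[Cert], store: List[Cert],
                trusted_first: bool, max_depth: int = 8) -> Tuple[List[Cert], str]:
    """Build a chain from leaf to a certificate in the trust store.

    trusted_first=False: extend the chain with server-sent certificates as far
    as possible and only then look the last issuer up in the trust store
    (OpenSSL 1.0.1 behaviour).
    trusted_first=True: at every step prefer an issuer from the trust store
    over a server-sent one (X509_V_FLAG_TRUSTED_FIRST behaviour).
    Returns (chain, verdict); verdict is "OK" or an OpenSSL-style error text.
    """
    chain, cur = [leaf], leaf
    for _ in range(max_depth):
        if cur in store:                      # reached a trusted certificate
            return chain, "OK"
        remaining = [c for c in sent if c not in chain]
        pools = (store, remaining) if trusted_first else (remaining, store)
        nxt = None
        for pool in pools:
            nxt = find_issuer(cur, pool)
            if nxt is not None:
                break
        if nxt is None:
            return chain, "unable to get local issuer certificate"
        chain.append(nxt)
        cur = nxt
    return chain, "certificate chain too long"


# Constructed PKI (invented names and key ids, not the CAs from this bug):
# a root that was re-issued under a new name and cross-signed by the old root.
OLD_ROOT = Cert("Old Root CA", "Old Root CA", "k_old", "k_old")
NEW_ROOT = Cert("New Root CA", "New Root CA", "k_new", "k_new")
CROSS = Cert("New Root CA", "Old Root CA", "k_new", "k_old")   # cross-certificate
INTERMEDIATE = Cert("Issuing CA", "New Root CA", "k_int", "k_new")
LEAF = Cert("www.example.com", "Issuing CA", "k_leaf", "k_int")

# What the server sends in the handshake: leaf, intermediate, and the
# cross-signed copy of the new root (the "two chains" case from comment 17).
SENT = [LEAF, INTERMEDIATE, CROSS]

# Candidate local trust stores (constructed).
STORES = {
    "both roots (Mozilla-style bundle)": [OLD_ROOT, NEW_ROOT],
    "new root only": [NEW_ROOT],
    "old root only": [OLD_ROOT],
    "neither root": [],
}


def run_all() -> dict:
    """Verdict for every (store, strategy) pair, keyed by (store name, trusted_first)."""
    verdicts = {}
    for name, store in STORES.items():
        for trusted_first in (False, True):
            chain, verdict = build_chain(LEAF, SENT, store, trusted_first)
            verdicts[(name, trusted_first)] = verdict
            path = " <- ".join(c.subject for c in chain)
            print(f"{name:<34} trusted_first={str(trusted_first):<5} {verdict}: {path}")
    return verdicts


if __name__ == "__main__":
    run_all()
```

Reading the output against the thread: with neither root in the store both strategies report "unable to get local issuer certificate", which is the missing-certificate case comment 18 describes and which importing the fuller Mozilla bundle cures (the "both roots" row passes either way). The "new root only" row is the cross-certificate trap from comment 17: a builder that follows the server-sent cross-cert to the end fails even though the store trusts the very same CA key, while a builder that checks the store first succeeds. So two clients on the same machine can disagree about one handshake without either being wrong about the certificate itself; what differs is the bundle and the path-building order.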
Comment 19 Thiago Jung Bauermann 2014-01-10 00:49:13 UTC
*** This bug has been confirmed by popular vote. ***
Comment 20 Dawit Alemayehu 2014-01-10 04:02:38 UTC
(In reply to comment #19)
> *** This bug has been confirmed by popular vote. ***

That is completely pointless. We are not going to fix this because the warning comes from Qt's networking stack, more specifically, QSslSocket. KDE's socket classes no longer rely on kssl as it has been mostly deprecated. Like I have already stated in comment #16, Qt's socket classes rely on the certificates installed on your system, namely ca-certificate bundle. I have provided the link as to which paths they check on your system. If a certificate does not exist in those directories then you will most definitely get this error. And I have clearly provided the steps to check that out for yourself in comment #18.  

Again I repeat, all SSL related connections are handled by the relevant Qt network classes. If there is a problem with a certificate not being trusted, then the issue needs to be referred there.
Comment 21 Thiago Jung Bauermann 2014-01-10 15:00:46 UTC
(In reply to comment #20)
> (In reply to comment #19)
> > *** This bug has been confirmed by popular vote. ***
> 
> That is completely pointless.

It was not my intention to trigger that bug confirmation.

I was voting for another bug in another product (KDevelop) and when I submitted the form bugzilla informed that this bug was confirmed by popular vote. I have no idea why. I'm pretty sure I only changed the vote values in the KDevelop bug.
Comment 22 frank 2014-01-22 12:22:11 UTC
*** This bug has been confirmed by popular vote. ***
Comment 23 Dawit Alemayehu 2014-03-27 05:01:55 UTC
See comment #20.