Closing the dialog for choosing how long to accept an invalid certificate for (which gives the options to accept Forever, or for Current Session Only) causes the default option of Current Session Only to be accepted.

Reproducible: Always

Steps to Reproduce:
1. Attempt to connect to server with invalid SSL certificate in KMail or similar
2. On 1st dialog that appears (giving details on why the certificate is invalid), click on Continue
3. Close 2nd dialog rather than selecting one of the 2 available options

Actual Results:
SSL certificate is temporarily accepted

Expected Results:
Certificate is rejected, or user is returned to previous dialog
Created attachment 86831 kio-kssl_cert-accept-dialog_update.patch

Proposed patch. Changes dialog from KMessageBox::warningYesNo to KMessageBox::warningYesNoCancel. Closing the dialog now results in a Cancel rather than a No. It also places both dialogs in a loop so that the user is returned to the 1st dialog when cancelling the 2nd, rather than the certificate being accepted.
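The difference between the two close-button mappings described in the comment above, as an added example (not the attached patch and not KDE code). It models the two dialogs without Qt; `Action`, `Verdict`, `CloseMapsTo`, `askDuration` and `decide` are hypothetical names, and the user's clicks are a constructed script.

```cpp
#include <cstddef>
#include <iostream>
#include <vector>

// What the user does to a dialog (hypothetical names, not KMessageBox codes).
enum class Action { Continue, Forever, SessionOnly, CloseWindow };
enum class Verdict { Rejected, AcceptSession, AcceptForever };

// How the duration dialog reports a closed window:
// No     = two-button box, close is reported as "Current Session Only"
// Cancel = three-button box, close is reported as Cancel
enum class CloseMapsTo { No, Cancel };

// Duration dialog: true and sets `out` when a duration was chosen,
// false when the dialog was cancelled.
static bool askDuration(Action a, CloseMapsTo mode, Verdict &out) {
    if (a == Action::Forever)     { out = Verdict::AcceptForever; return true; }
    if (a == Action::SessionOnly) { out = Verdict::AcceptSession; return true; }
    if (a == Action::CloseWindow && mode == CloseMapsTo::No) {
        out = Verdict::AcceptSession;  // reported behaviour: close == default
        return true;
    }
    return false;                      // Cancel, or anything unexpected
}

// Runs both dialogs in a loop over a constructed script of user actions.
Verdict decide(const std::vector<Action> &script, CloseMapsTo mode) {
    std::size_t i = 0;
    while (i < script.size()) {
        // 1st dialog: only an explicit Continue moves on; all else rejects.
        if (script[i++] != Action::Continue) return Verdict::Rejected;
        if (i >= script.size()) break;
        Verdict v = Verdict::Rejected;
        if (askDuration(script[i++], mode, v)) return v;
        // 2nd dialog cancelled: fall through and show the 1st dialog again.
    }
    return Verdict::Rejected;  // no explicit choice was made, so fail closed
}

int main() {
    // Constructed input: Continue on the 1st dialog, then close the 2nd.
    const std::vector<Action> script{Action::Continue, Action::CloseWindow};
    std::cout << "close maps to No:     "
              << (decide(script, CloseMapsTo::No) == Verdict::AcceptSession
                      ? "accepted for session" : "rejected") << "\n";
    std::cout << "close maps to Cancel: "
              << (decide(script, CloseMapsTo::Cancel) == Verdict::Rejected
                      ? "rejected" : "accepted") << "\n";
}
```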
After using the patch for a while, I do not believe that it is the best approach. With the patch applied, the default option of 'Current Session only' is located on the left and the 'Forever' option is in the middle. Since the 'Continue' button on the previous dialog is also in the middle, this means that a user who neglects to fully read the 2nd dialog box and just clicks will have chosen to accept the certificate forever.

FYI this bug report was forwarded from Debian BTS https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=745556
I confirm this in 4.14.2.
Why is this a bug? In the dialog that asked you to accept or reject the certificate, you chose to accept it by clicking on "continue". The next dialog is only there to ask you the duration for which the certificate should be accepted and, as you stated, closing it carries out the default action (accept it for current session).
The user has changed his mind, and doesn't want to accept the certificate. He neither wants to accept it "Forever", nor for "Current Session only". It seems intuitive that closing the dialog ("Would you like to accept this certificate forever without being prompted?") by clicking on the X in the top right corner would not accept the certificate.

As the OP says:
Expected Results: Certificate is rejected, or user is returned to previous dialog

Test case (currently): https://webwewant.org/
Git commit 38a89ca0195dedee30240647b86c7b6df6788723 by Dawit Alemayehu.
Committed on 04/11/2014 at 12:23.
Pushed by adawit into branch 'KDE/4.14'.

Allow user to cancel out of the certificate accept duration dialog box.

FIXED-IN: 4.14.3
REVIEW: 120975

M +29 -23 kio/kio/tcpslavebase.cpp

http://commits.kde.org/kdelibs/38a89ca0195dedee30240647b86c7b6df6788723
Git commit 294a6a0d983e22723851fe07e381e70cb57c6744 by Dawit Alemayehu.
Committed on 10/11/2014 at 13:29.
Pushed by adawit into branch 'master'.

frameworks port of commit 38a89ca: Allow user to cancel out of the certificate accept duration dialog box.

M +26 -22 src/core/tcpslavebase.cpp

http://commits.kde.org/kio/294a6a0d983e22723851fe07e381e70cb57c6744