339023 – KDE distrusts system certificate

Bug 339023 - KDE distrusts system certificate

Summary: KDE distrusts system certificate

Status:	NEEDSINFO WAITINGFORINFO

Alias:	None

Product:	kio
Classification:	Unmaintained
Component:	kssl (show other bugs)
Version:	4.13.2
Platform:	Ubuntu Linux

Importance:	NOR normal
Target Milestone:	---
Assignee:	Konqueror Developers

URL:
Keywords:

Depends on:
Blocks:

Reported:	2014-09-12 04:35 UTC by Dennis Schridde
Modified:	2025-03-23 06:33 UTC (History)
CC List:	2 users (show)

See Also:	244806
Latest Commit:
Version Fixed In:
Sentry Crash Report:

Attachments
Add an attachment

Note You need to log in before you can comment on or make changes to this bug.

Description Dennis Schridde 2014-09-12 04:35:42 UTC

A server's SSL certificate is signed by StartSSL. KDE (more accurate Akonadi/DAV) complains about it: "The server failed the authenticity check (…). The certificate is not signed by any trusted certificate authority".

When I click "Details", it tells me the server's certificate is trusted ("Trusted: Yes"). When I select the root certificate of the chain (CN=StartCom Certification Authority), I see that it is actually *not* trusted ("Trusted: NO, there were errors: The certificate is not signed by any trusted certificate authority").

It says the SHA1 digest is 3e2bf7f2031b96f38ce6c4d8a85d3e2d58476a0f. This certificate is among the system certificates:
$ certtool -i < /etc/ssl/certs/ca-certificates.crt 2>/dev/null | grep 3e2bf7f2031b96f38ce6c4d8a85d3e2d58476a0f 
                3e2bf7f2031b96f38ce6c4d8a85d3e2d58476a0f

I see two problems here:
1) KDE says in the error details that it trusts the server certificate, when it should actually say that it was not issued by a trusted authority.
2) KDE distrusts the certificate authority for no apparent reason.

Reproducible: Always

Comment 1 Dennis Schridde 2014-09-12 05:18:59 UTC

When I remove the root certificate from the chain, something even less expected happens: KDE considers the intermediate certificate untrusted ("Trusted: NO, there were errors: The certificate authority's certificate is invalid, The root certificate authority's certificate is not trusted for this purpose"). The SHA1 digest of that certificate is f691fc87efb3135354225a10e127e911d1c7f8cf. It was signed by a3f1333fe242bfcfc5d14e8f394298406810d1a0 and 3e2bf7f2031b96f38ce6c4d8a85d3e2d58476a0f's private key, which are both system certificates in /etc/ssl/certs/ca-certificates.crt.

Comment 2 Dennis Schridde 2014-09-13 14:06:15 UTC

I am using version 4:4.13.3-0ubuntu0.1 of the Ubuntu 14.04 libkio5 package.

Comment 3 Dennis Schridde 2015-02-03 02:07:09 UTC

Happens with KDE 4.14.3 on Gentoo as well. This prevents me from using my ownCloud CardDAV resource with Akonadi.

Comment 4 Raimar Sandner 2015-10-31 13:43:54 UTC

Same symptoms with plasma 5 workspace on Arch. This is very annoying.

Comment 5 Justin Zobel 2021-03-10 00:15:32 UTC

Thank you for the bug report.

As this report hasn't seen any changes in 5 years or more, we ask if you can please confirm that the issue still persists.

If this bug is no longer persisting or relevant please change the status to resolved.

Comment 6 Christoph Cullmann 2025-03-08 20:48:50 UTC

Can you re-try this with Plasma 6? Thanks!

Comment 7 Bug Janitor Service 2025-03-23 03:46:31 UTC

🐛🧹 ⚠️ This bug has been in NEEDSINFO status with no change for at least 15 days. Please provide the requested information, then set the bug status to REPORTED. If there is no change for at least 30 days, it will be automatically closed as RESOLVED WORKSFORME.

For more information about our bug triaging procedures, please read https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging.

Thank you for helping us make KDE software even better for everyone!