Bug 483746 - org.kde.Platform 6.6 does not reliably verify SSL certs
Summary: org.kde.Platform 6.6 does not reliably verify SSL certs
Status: RESOLVED NOT A BUG
Alias: None
Product: Qt/KDE Flatpak Runtime
Classification: Developer tools
Component: general (show other bugs)
Version: unspecified
Platform: Flatpak Linux
: NOR normal
Target Milestone: ---
Assignee: Aleix Pol
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-03-16 11:27 UTC by vortex
Modified: 2024-08-09 03:39 UTC (History)
2 users (show)

See Also:
Latest Commit:
Version Fixed In:
Sentry Crash Report:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description vortex 2024-03-16 11:27:42 UTC
SUMMARY
Using the flatpak runtime org.kde.Platform/x86_64/6.6 it seems to have issues validating SSL certificates on openSUSE hosts.
Other distros running the same runtime do work.
org.kde.Platform/x86_64/6.5 (previous release) does not have this issue on openSUSE.


STEPS TO REPRODUCE
1. Install or build OBS Studio with runtime org.kde.Platform 6.6 using flathub
2. Add a browser source
3. Notice browser sourceces keep empty
4. On X11 using a browser dock it shows an error: "ERR_CERT_AUTHORITY_INVALID URL: https://obsproject.com/browser-source"

OBSERVED RESULT
- SSL certificates seem to be broken
- This seem to only happen on openSUSE as of now. Tested openSUSE Leap 15.5, openSUSE Tumbleweed, openSUSE Aeon and openSUSE Kalpa
- With runtime 6.5 everything works as expected on openSUSE
- Tested Ubuntu VM using the OBS flatpak and runtime 6.6 and browser sources do still work
- Tested a Ubuntu distrobox on an openSUSE host using the OBS Studio dep package and things do work as well

EXPECTED RESULT
- SSL certs to be validated


SOFTWARE/OS VERSIONS
Linux/KDE Plasma: openSUSE Aeon Flatpak runtime org.kde.Platform/x86_64/6.6
KDE Plasma Version: Flatpak runtime org.kde.Platform/x86_64/6.6
KDE Frameworks Version: Flatpak runtime org.kde.Platform/x86_64/6.6
Qt Version: Flatpak runtime org.kde.Platform/x86_64/6.6

ADDITIONAL INFORMATION
- This issue cam to my attention during: https://github.com/obsproject/obs-studio/issues/10385
Comment 1 vortex 2024-03-16 11:29:46 UTC
(In reply to vortex from comment #0)
> SUMMARY
> Using the flatpak runtime org.kde.Platform/x86_64/6.6 it seems to have
> issues validating SSL certificates on openSUSE hosts.
> Other distros running the same runtime do work.
> org.kde.Platform/x86_64/6.5 (previous release) does not have this issue on
> openSUSE.
> 
> 
> STEPS TO REPRODUCE
> 1. Install or build OBS Studio with runtime org.kde.Platform 6.6 using
> flathub
> 2. Add a browser source
> 3. Notice browser sourceces keep empty
> 4. On X11 using a browser dock it shows an error:
> "ERR_CERT_AUTHORITY_INVALID URL: https://obsproject.com/browser-source"
> 
> OBSERVED RESULT
> - SSL certificates seem to be broken
> - This seem to only happen on openSUSE as of now. Tested openSUSE Leap 15.5,
> openSUSE Tumbleweed, openSUSE Aeon and openSUSE Kalpa
> - With runtime 6.5 everything works as expected on openSUSE
> - Tested Ubuntu VM using the OBS flatpak and runtime 6.6 and browser sources
> do still work
> - Tested a Ubuntu distrobox on an openSUSE host using the OBS Studio dep
> package and things do work as well
> 
> EXPECTED RESULT
> - SSL certs to be validated
> 
> 
> SOFTWARE/OS VERSIONS
> Linux/KDE Plasma: openSUSE Aeon Flatpak runtime org.kde.Platform/x86_64/6.6
> KDE Plasma Version: Flatpak runtime org.kde.Platform/x86_64/6.6
> KDE Frameworks Version: Flatpak runtime org.kde.Platform/x86_64/6.6
> Qt Version: Flatpak runtime org.kde.Platform/x86_64/6.6
> 
> ADDITIONAL INFORMATION
> - This issue cam to my attention during:
> https://github.com/obsproject/obs-studio/issues/10385

Also I locally build OBS Studio flatpak with runtime org.kde.Platform/x86_64/6.6 which was still broken
But building the OBS Flatpak locally using org.kde.Platform/x86_64/6.5 does work again.
There seems to be something off with the runtime.
Comment 2 Aleix Pol 2024-03-17 22:35:59 UTC
Can you maybe reach out to openSUSE about this issue? I am not sure how we can help you there.
Comment 3 vortex 2024-03-18 08:51:05 UTC
(In reply to Aleix Pol from comment #2)
> Can you maybe reach out to openSUSE about this issue? I am not sure how we
> can help you there.

Probably a good idea yes. Will do.
Maybe could someone point me somewhere where I can see what changed from runtime 6.5 to 6.6 so I may be able to better guide the bug report over at openSUSE to what actually changed?
Comment 4 vortex 2024-03-18 09:10:55 UTC
Bug also reported to openSUSE: https://bugzilla.opensuse.org/show_bug.cgi?id=1221557
Comment 5 vortex 2024-03-18 12:23:04 UTC
Response of openSUSE maintainer as of now:

Fabian Vogt 2024-03-18 10:14:34 UTC:
No idea how flatpak works with SSL certs. It's likely a flatpak or runtime bug, as nothing changed on the openSUSE side.
Comment 6 vortex 2024-03-22 18:44:41 UTC
(In reply to Aleix Pol from comment #2)
> Can you maybe reach out to openSUSE about this issue? I am not sure how we
> can help you there.

Hello there.
I tested building OBS Studio using KDE Framework 6 on openSUSE Tumbleweed locally as an RPM package using KDE Frameworks 6 (hence Qt 6.6.2). Form my brief observation the set of KDE libraries shipped with openSUSE Tumbleweed are pretty much the same as those included in the flatpak runtime 6.6. At least judging by just the version numbers.

However the native RPM works just fine and has not SSL issues.
Also the KDE Runtime 6.5 works fine as well.
Simply runtime 6.6 fails for the 3 distributions I tried.

It's looking more and more to be an issue with the runtime itself to me?
As of why this bug triggers (as of now) only on openSUSE idk though.
What's also suspicious is that openSUSE Leap 15.5 also has issues with runtime 6.6 but not with 6.5.

Except of that Qt was updated from 6.5 to 6.6 I don't know what's different with both runtimes.
Comment 7 vortex 2024-03-22 19:08:33 UTC
Hm, I did some more testing. Using neochat, which also uses Runtime 6.6 I can connect, and log in. Looking into the logs it also properly connecting to https webpages.
Things are getting really strange now. Maybe the embedded chromium OBS Studio uses has issues with runtime 6.6 under certain circumstances?
Comment 8 Tarulia 2024-07-01 15:55:25 UTC
Just some updates from the issue reported originally to OBS.

Since opening this issue, we have confirmed at least 3 more affected distros: Alpine Linux, MX Linux, and Peppermint Linux.

All show the exact same symptom and for all of them a runtime-downgraded custom build of our Flatpak worked to get around the issue.

Just about 2 weeks ago however we received a comment from one of our users on the issue:
https://github.com/obsproject/obs-studio/issues/10385#issuecomment-2177754924

> I solved a SSL error in another flatpak application recently by installing p11-kit-server package. After installing the package, log out and log in or restart the system.

In response we had several users confirming this fixed their issue. One also removed the package on purpose to replicate the issue, and they could confirm it.

It is still unclear to me why a runtime upgrade would trigger a sudden requirement of said package, but I do wanted to let you know since you likely have more of an idea what to look at.

For reference: The aforementioned tester removing the package was on Fedora, and Fedora installs p11-kit-server as a weak dependency with the Flatpak package:
https://src.fedoraproject.org/rpms/flatpak/blob/rawhide/f/flatpak.spec#_91

This raises the question whether p11-kit-server should be a hard dependency of Flatpak, or if it is an issue specific to the KDE runtim.
Comment 9 vortex 2024-07-10 17:25:22 UTC
Came across another KDE runtime based flatpak app which does not work due to this (or similar issues)

Stremio, uses "runtime-version": "5.15-23.08" and does run into a ERR_CERT_AUTHORITY_INVALID erros.

At this point I'd be really glad if someone could look into this issue. :/

Stremio Manifest: https://github.com/flathub/com.stremio.Stremio/blob/master/com.stremio.Stremio.json
Comment 10 vortex 2024-08-09 03:39:27 UTC
I close this issue as it is no longer relevant. p11-kit-server was missing on openSUSEs flatpak package which was added just recently: https://build.opensuse.org/request/show/1192619 therefore the runtime never really was an issue as p11-kit-server should be available on distros alongside flatpak: https://build.opensuse.org/request/show/1192619