Should we drop the SSL certificate bundle?

Thiago Macieira thiago at kde.org
Thu Aug 19 09:16:59 BST 2010


On Thursday 19 August 2010 08:02:52 Rolf Eike Beer wrote:
> Thiago Macieira wrote:
> > On Thursday 19. August 2010 00.18.17 Rolf Eike Beer wrote:
> > > -do we really want to care? For Mozilla SSL/TLS is essential. For KDE
> > > software it's just a small part as we have so many libraries and
> > > applications in our stack.
> > 
> > We do have a browser too, you know.
> 
> And I'm using it as my default browser on all platforms, even my Windows
> box at work (which is a PITA, but that's a different story). But if you
> remove Konqueror and KMail from the usual KDE desktop you still have
> _tons_ of stuff left. If you remove Firefox and Thunderbird from Mozilla
> you are close to nothing. That was what I tried to say.

There are more applications making use of SSL. All of those require the same 
level of scrutiny as Konqueror or Firefox.

If any application has a call to QSslSocket::ignoreSslErrors(), the developer 
needs to be taught about SSL. Or simply stop using SSL, since there's no 
security being offered anyway...

> > Anyway, as of Qt 4.7, Qt loads the global store on any platform. All KDE
> > has to do to benefit from that is to stop overriding.
> 
> That sounds very reasonable to me.
> 
> Is that bundle additive or exclusive? So can we simply ship a bunch of
> additional certs we like and use everything from the global store or will
> our bundle always replace the global one if we provide one?

It's not our bundle anymore. It's shipped by the distribution and we expect 
them to do a good job at deciding which root certificates to preload. And I've 
seen the distributions override what KDE ships anyway.

$ rpm -qf /usr/share/apps/kssl/ca-bundle.crt
kdelibs4-core-4.4.3-13mdv2010.1

$ ls -l /usr/share/apps/kssl/ca-bundle.crt
lrwxrwxrwx 1 root root 43 2010-06-14 13:21 /usr/share/apps/kssl/ca-bundle.crt -> ../../../../etc/pki/tls/certs/ca-bundle.crt

$ rpm -qf /etc/pki/tls/certs/ca-bundle.crt
rootcerts-20100408.00-1mdv2010.1


I think KDE should stop installing or removing any certificates by default. A 
default install of KDE should use all of the certificates shipped with the 
distribution and none more. If your distribution doesn't ship any, then SSL 
won't work for you and you should either find a list of root CAs that *you* 
trust or find a distribution that does it for you.

By user interaction, via the (missing) SSL configuration KCM, the user can 
elect to add or remove certificates. That can be done by KDE libraries, by 
loading more certificates and adding them to the default set from 
QSslConfiguration, and by removing from the list ones that the user removed.

Since we don't have an SSL configuration KCM, there's no need for code to add 
or remove certificates either.

-- 
Thiago Macieira - thiago (AT) macieira.info - thiago (AT) kde.org
  Senior Product Manager - Nokia, Qt Development Frameworks
      PGP/GPG: 0x6EF45358; fingerprint:
      E067 918B B660 DBD1 105C  966C 33F5 F005 6EF4 5358
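A packager-side check for the "additive or exclusive?" question raised in the thread, added here as an example and not code from the thread, KDE or Qt: it splits two PEM bundles (the distribution store and an application's own bundle) into individual certificates and reports how many roots the application adds and how many it silently drops. It assumes plain PEM bundle files and a POSIX environment with awk, sha256sum, sort and comm; the sample bundles it writes are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example, not code from the thread or from KDE/Qt: lists which
# certificates an application bundle adds to, or drops from, the distribution
# store. Each certificate is identified by the SHA-256 of its full PEM block.

# bundle_digests FILE: one sorted SHA-256 line per certificate block in FILE.
bundle_digests() {
    dir=$(mktemp -d) || return 1
    awk -v dir="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/" n ".pem" }
        out { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$1"
    for f in "$dir"/*.pem; do
        [ -f "$f" ] && sha256sum < "$f" | cut -d' ' -f1
    done | sort
    rm -rf "$dir"
}

# bundle_diff SYSTEM APP: prints "added N removed M", where N certificates are
# only in APP (roots the app trusts beyond the distribution) and M are only in
# SYSTEM (roots the app stops trusting if its bundle replaces the store).
bundle_diff() {
    sys=$(mktemp) && app=$(mktemp) || return 1
    bundle_digests "$1" > "$sys"
    bundle_digests "$2" > "$app"
    added=$(comm -13 "$sys" "$app" | wc -l)
    removed=$(comm -23 "$sys" "$app" | wc -l)
    rm -f "$sys" "$app"
    echo "added $((added)) removed $((removed))"
}

# write_sample_bundles DIR: constructed sample bundles for a dry run. The PEM
# bodies are placeholders, not real certificates; only block identity matters.
write_sample_bundles() {
    printf '%s\n' '# Root A' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-ROOT-A' \
        '-----END CERTIFICATE-----' '# Root B' '-----BEGIN CERTIFICATE-----' \
        'CONSTRUCTED-ROOT-B' '-----END CERTIFICATE-----' > "$1/system.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-ROOT-A' \
        '-----END CERTIFICATE-----' '# Root C (not in the system store)' \
        '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-ROOT-C' \
        '-----END CERTIFICATE-----' > "$1/app.crt"
}

# Stand-alone run against the constructed bundles: prints "added 1 removed 1".
demo=$(mktemp -d)
write_sample_bundles "$demo"
bundle_diff "$demo/system.crt" "$demo/app.crt"
rm -rf "$demo"
```

On a real system, point the two arguments at the distribution store (for example the /etc/pki/tls/certs/ca-bundle.crt shown above) and the bundle an application ships; a non-zero "removed" count means the application bundle is exclusive rather than additive.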