[Bug 241642] net/qt5-network system vs. user certificate confusion
bugzilla-noreply at freebsd.org
Fri Nov 1 13:45:05 GMT 2019
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=241642
Bug ID: 241642
Summary: net/qt5-network system vs. user certificate confusion
Product: Ports & Packages
Version: Latest
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: Individual Port(s)
Assignee: kde at FreeBSD.org
Reporter: uqs at FreeBSD.org
Flags: maintainer-feedback?(kde at FreeBSD.org)
Hi there, so this will take a while, I'm very confused. The starting point is
that Clementine-player using QT5 cannot talk to last.fm due to the SSL
handshake failing. The root cause is that I have custom certs under
/etc/ssl/certs (but it took me 2 days to whittle it down to that!).
First some code. *With* certs in /etc/ssl/certs present, notably a symlink to
/usr/local/share/certs/ca-root-nss.crt, meaning it should still find
everything, I get the following output of this code:
#include <QSslCertificate>
#include <QSslConfiguration>

// CA certs Qt discovered on the system (cert directory plus bundle)
for (auto const& cert : QSslConfiguration::systemCaCertificates()) {
    qLog(Debug) << "Got sys cert" << cert.subjectDisplayName();
}
// CA certs actually used for verification by the default configuration
QSslConfiguration conf(QSslConfiguration::defaultConfiguration());
for (auto const& cert : conf.caCertificates()) {
    qLog(Debug) << "Got cert" << cert.subjectDisplayName();
}
14:15:41.445 DEBUG LastFMService:176 Got sys cert "TC TrustCenter for Security in Data Networks GmbH"
14:15:41.446 DEBUG LastFMService:176 Got sys cert "Equifax"
14:15:41.446 DEBUG LastFMService:176 Got sys cert "FNMT-RCM"
....
14:15:41.497 DEBUG LastFMService:176 Got sys cert "VeriSign Class 3 Public Primary Certification Authority - G5"
14:15:41.497 DEBUG LastFMService:176 Got sys cert "VeriSign Universal Root Certification Authority"
14:15:41.497 DEBUG LastFMService:176 Got sys cert "XRamp Global Certification Authority"
14:15:41.499 DEBUG LastFMService:187 Got cert "*.soundcloud.com"
14:15:41.499 DEBUG LastFMService:187 Got cert "GlobalSign Domain Validation CA - SHA256 - G2"
14:15:41.499 DEBUG LastFMService:187 Got cert "GlobalSign Root CA"
14:15:41.500 DEBUG LastFMService:187 Got cert "Equifax"
And I can tell you that only the last 4 "user" certs are being checked, not
having any for last.fm, and then sadness ensues. A truss of this behavior looks
like so:
51681: open("/etc/ssl/certs",O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC,02401670100) = 93 (0x5d)
51681: open("/etc/ssl",O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC,01745) = 93 (0x5d)
51681: openat(AT_FDCWD,"/etc/ssl/certs/tcclass3-2011.pem",O_RDONLY|O_CLOEXEC,00) = 93 (0x5d)
51681: openat(AT_FDCWD,"/etc/ssl/certs/Equifax_Secure_Certificate_Authority.pem",O_RDONLY|O_CLOEXEC,00) = 93 (0x5d)
51681: openat(AT_FDCWD,"/usr/local/share/certs/ca-root-nss.crt",O_RDONLY|O_CLOEXEC,00) = 93 (0x5d)
51681: openat(AT_FDCWD,"/etc/ssl/certs/cacert3.pem",O_RDONLY|O_CLOEXEC,00) = 93 (0x5d)
51681: openat(AT_FDCWD,"/usr/local/share/certs/ca-root-nss.crt",O_RDONLY|O_CLOEXEC,00) = 93 (0x5d)
So it does read my symlinked ca-root-nss.crt and then also falls back to it
system-wide it seems, because it's in there twice. Maybe it gets confused
expecting a single cert in there, not a bundle?
Ok, removing /etc/ssl/certs, it starts to work, the logging output changes to
this:
14:22:17.271 DEBUG LastFMService:176 Got sys cert "FNMT-RCM"
14:22:17.271 DEBUG LastFMService:176 Got sys cert "ACCVRAIZ1"
14:22:17.271 DEBUG LastFMService:176 Got sys cert "Actalis Authentication Root CA"
...
14:22:17.281 DEBUG LastFMService:176 Got sys cert "VeriSign Class 3 Public Primary Certification Authority - G5"
14:22:17.281 DEBUG LastFMService:176 Got sys cert "VeriSign Universal Root Certification Authority"
14:22:17.281 DEBUG LastFMService:176 Got sys cert "XRamp Global Certification Authority"
14:22:17.282 DEBUG LastFMService:187 Got cert "FNMT-RCM"
14:22:17.282 DEBUG LastFMService:187 Got cert "ACCVRAIZ1"
14:22:17.282 DEBUG LastFMService:187 Got cert "Actalis Authentication Root CA"
...
14:22:17.292 DEBUG LastFMService:187 Got cert "VeriSign Class 3 Public Primary Certification Authority - G5"
14:22:17.292 DEBUG LastFMService:187 Got cert "VeriSign Universal Root Certification Authority"
14:22:17.292 DEBUG LastFMService:187 Got cert "XRamp Global Certification Authority"
14:22:17.292 DEBUG LastFMService:187 Got cert "*.soundcloud.com"
14:22:17.292 DEBUG LastFMService:187 Got cert "GlobalSign Domain Validation CA - SHA256 - G2"
14:22:17.293 DEBUG LastFMService:187 Got cert "GlobalSign Root CA"
14:22:17.293 DEBUG LastFMService:187 Got cert "Equifax"
And truss looks like so:
11934: open("/etc/ssl/openssl.cnf",O_RDONLY,0666) = 13 (0xd)
11934: open("/etc/ssl/",O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC,01174) = 13 (0xd)
11934: open("/etc/ssl",O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC,01155) = 13 (0xd)
11934: openat(AT_FDCWD,"/usr/local/share/certs/ca-root-nss.crt",O_RDONLY|O_CLOEXEC,00) = 13 (0xd)
I tried to find some information on how to properly have ca-root-nss.crt work,
but also have my own trusted certs in addition to that. Clearly I'm holding it
wrong for QT at least.
Also, where the eff is that soundcloud.com entry coming from?
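An added diagnostic (not part of the bug report, and not Qt or Clementine code) that reproduces what the truss output above shows: it loads every *.pem in a certificate directory plus the system bundle, counts the certificates in each file, resolves symlinks, and reports any certificate loaded more than once. It builds a constructed layout in a temporary directory (one custom cert plus a symlink, assumed to be named ca-root-nss.pem, pointing at a two-cert bundle); the PEM bodies are placeholder bytes, not real DER certificates.

```python
import base64
import hashlib
import os
import tempfile
from pathlib import Path

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def pem_fingerprints(path):
    """SHA-256 of each DER body in a PEM file: a bundle yields many, a single cert one."""
    fps, body, inside = [], [], False
    for line in Path(path).read_text().splitlines():
        line = line.strip()
        if line == BEGIN:
            inside, body = True, []
        elif line == END:
            inside = False
            fps.append(hashlib.sha256(base64.b64decode("".join(body))).hexdigest())
        elif inside:
            body.append(line)
    return fps

def scan_trust_sources(certs_dir, bundle):
    """Load every *.pem in certs_dir and then the system bundle, as the truss shows,
    reporting per-file cert counts, resolved symlink targets and repeated fingerprints."""
    report = {"files": {}, "unique": set(), "duplicates": []}
    for p in sorted(Path(certs_dir).glob("*.pem")) + [Path(bundle)]:
        fps = pem_fingerprints(p)
        report["files"][str(p)] = {"count": len(fps), "resolved": os.path.realpath(p)}
        for fp in fps:
            if fp in report["unique"]:
                report["duplicates"].append((str(p), fp))  # loaded a second time
            report["unique"].add(fp)
    return report

def fake_pem(tag):
    # Constructed placeholder: base64 of a short byte string, not a real certificate.
    return f"{BEGIN}\n{base64.b64encode(tag.encode()).decode()}\n{END}\n"

def demo():
    """Constructed layout: a certs dir holding one custom cert and a symlink
    (assumed name ca-root-nss.pem) to a two-cert system bundle."""
    root = Path(tempfile.mkdtemp())
    bundle = root / "ca-root-nss.crt"
    bundle.write_text(fake_pem("root-A") + fake_pem("root-B"))
    certs = root / "certs"
    certs.mkdir()
    (certs / "cacert3.pem").write_text(fake_pem("custom-C"))
    os.symlink(bundle, certs / "ca-root-nss.pem")
    return scan_trust_sources(certs, bundle)
```

In the constructed layout the two bundle roots show up as duplicates because they are read once through the symlink and once from the bundle itself, which is the double open of ca-root-nss.crt visible in the first truss.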