maintainer-feedback requested: [Bug 241642] net/qt5-network system vs. user certificate confusion

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Fri Nov 1 13:45:05 GMT 2019


Bugzilla Automation <bugzilla at FreeBSD.org> has asked kde at FreeBSD.org for
maintainer-feedback:
Bug 241642: net/qt5-network system vs. user certificate confusion
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=241642



--- Description ---
Hi there. This will take a while, and I'm very confused. The starting point is
that Clementine-player using QT5 cannot talk to last.fm because the SSL
handshake fails. The root cause is that I have custom certs under
/etc/ssl/certs (but it took me 2 days to whittle it down to that!).


First some code. *With* certs in /etc/ssl/certs present, notably a symlink to
/usr/local/share/certs/ca-root-nss.crt, meaning it should still find
everything, I get the following output of this code:

    #include <QSslCertificate>
    #include <QSslConfiguration>

    // Certificates Qt found in the system trust store locations.
    for (auto const& cert : QSslConfiguration::systemCaCertificates()) {
      qLog(Debug) << "Got sys cert" << cert.subjectDisplayName();  // qLog: Clementine's logging macro
    }

    // CA certificates attached to the default configuration, i.e. what a
    // new QSslSocket / QNetworkAccessManager connection will actually use.
    QSslConfiguration conf(QSslConfiguration::defaultConfiguration());
    for (auto const& cert : conf.caCertificates()) {
      qLog(Debug) << "Got cert" << cert.subjectDisplayName();
    }


14:15:41.445 DEBUG LastFMService:176		    Got sys cert "TC TrustCenter for Security in Data Networks GmbH"
14:15:41.446 DEBUG LastFMService:176		    Got sys cert "Equifax"
14:15:41.446 DEBUG LastFMService:176		    Got sys cert "FNMT-RCM"
....
14:15:41.497 DEBUG LastFMService:176		    Got sys cert "VeriSign Class 3 Public Primary Certification Authority - G5"
14:15:41.497 DEBUG LastFMService:176		    Got sys cert "VeriSign Universal Root Certification Authority"
14:15:41.497 DEBUG LastFMService:176		    Got sys cert "XRamp Global Certification Authority"
14:15:41.499 DEBUG LastFMService:187		    Got cert "*.soundcloud.com"
14:15:41.499 DEBUG LastFMService:187		    Got cert "GlobalSign Domain Validation CA - SHA256 - G2"
14:15:41.499 DEBUG LastFMService:187		    Got cert "GlobalSign Root CA"
14:15:41.500 DEBUG LastFMService:187		    Got cert "Equifax"

And I can tell you that only the last 4 "user" certs are being checked, none
of them being for last.fm, and then sadness ensues. A truss of this behavior
looks like so:

51681: open("/etc/ssl/certs",O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC,02401670100) = 93 (0x5d)
51681: open("/etc/ssl",O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC,01745) = 93 (0x5d)
51681: openat(AT_FDCWD,"/etc/ssl/certs/tcclass3-2011.pem",O_RDONLY|O_CLOEXEC,00) = 93 (0x5d)
51681: openat(AT_FDCWD,"/etc/ssl/certs/Equifax_Secure_Certificate_Authority.pem",O_RDONLY|O_CLOEXEC,00) = 93 (0x5d)
51681: openat(AT_FDCWD,"/usr/local/share/certs/ca-root-nss.crt",O_RDONLY|O_CLOEXEC,00) = 93 (0x5d)
51681: openat(AT_FDCWD,"/etc/ssl/certs/cacert3.pem",O_RDONLY|O_CLOEXEC,00) = 93 (0x5d)
51681: openat(AT_FDCWD,"/usr/local/share/certs/ca-root-nss.crt",O_RDONLY|O_CLOEXEC,00) = 93 (0x5d)

So it does read my symlinked ca-root-nss.crt and then, it seems, also falls
back to it system-wide, because it's in there twice. Maybe it gets confused
expecting a single cert in there, not a bundle?


Ok, removing /etc/ssl/certs, it starts to work, the logging output changes to
this:


14:22:17.271 DEBUG LastFMService:176		    Got sys cert "FNMT-RCM"
14:22:17.271 DEBUG LastFMService:176		    Got sys cert "ACCVRAIZ1"
14:22:17.271 DEBUG LastFMService:176		    Got sys cert "Actalis Authentication Root CA"
...
14:22:17.281 DEBUG LastFMService:176		    Got sys cert "VeriSign Class 3 Public Primary Certification Authority - G5"
14:22:17.281 DEBUG LastFMService:176		    Got sys cert "VeriSign Universal Root Certification Authority"
14:22:17.281 DEBUG LastFMService:176		    Got sys cert "XRamp Global Certification Authority"
14:22:17.282 DEBUG LastFMService:187		    Got cert "FNMT-RCM"
14:22:17.282 DEBUG LastFMService:187		    Got cert "ACCVRAIZ1"
14:22:17.282 DEBUG LastFMService:187		    Got cert "Actalis Authentication Root CA"
...
14:22:17.292 DEBUG LastFMService:187		    Got cert "VeriSign Class 3 Public Primary Certification Authority - G5"
14:22:17.292 DEBUG LastFMService:187		    Got cert "VeriSign Universal Root Certification Authority"
14:22:17.292 DEBUG LastFMService:187		    Got cert "XRamp Global Certification Authority"
14:22:17.292 DEBUG LastFMService:187		    Got cert "*.soundcloud.com"
14:22:17.292 DEBUG LastFMService:187		    Got cert "GlobalSign Domain Validation CA - SHA256 - G2"
14:22:17.293 DEBUG LastFMService:187		    Got cert "GlobalSign Root CA"
14:22:17.293 DEBUG LastFMService:187		    Got cert "Equifax"


And truss looks like so:

11934: open("/etc/ssl/openssl.cnf",O_RDONLY,0666) = 13 (0xd)
11934: open("/etc/ssl/",O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC,01174) = 13 (0xd)
11934: open("/etc/ssl",O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC,01155) = 13 (0xd)
11934: openat(AT_FDCWD,"/usr/local/share/certs/ca-root-nss.crt",O_RDONLY|O_CLOEXEC,00) = 13 (0xd)


I tried to find some information on how to properly have ca-root-nss.crt work
while also having my own trusted certs in addition to it. Clearly I'm holding
it wrong, for QT at least.

Also, where the eff is that soundcloud.com entry coming from?

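The report above asks how a directory such as /etc/ssl/certs and a bundle file such as ca-root-nss.crt are supposed to coexist. The script below is an added example, not code from the bug report, from Qt or from Clementine: it builds a throwaway self-signed CA (constructed, valid for one day) and shows how OpenSSL's own trust-store lookup treats the two layouts. A bundle file given as -CAfile is read in full, whereas a -CApath directory is searched by subject-name hash, so a certificate stored under a human-readable name (like the cacert3.pem or tcclass3-2011.pem entries in the truss output) is invisible to that lookup until a hash-named entry exists. The directory names, the CA subject and the file names are assumptions for the demo. Note the caveat: this shows what OpenSSL does when it loads roots itself; Qt's systemCaCertificates() scans those directories file by file, so the two mechanisms can disagree on what is trusted.

```shell
#!/bin/sh
# Added example (not part of the bug report, Qt or Clementine).
# Demonstrates OpenSSL's -CAfile (bundle) versus -CApath (hashed directory)
# lookup using a constructed, short-lived self-signed CA.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed CA for the demo and print its path.
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Private CA (constructed for this demo)" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    echo "$WORK/ca.pem"
}

# Lay out two trust directories holding the same CA: one under a
# human-readable file name, one under the <subject-hash>.0 name that
# OpenSSL's directory lookup actually searches for.
make_trust_dirs() {
    ca="$1"
    mkdir -p "$WORK/by-name" "$WORK/by-hash"
    cp "$ca" "$WORK/by-name/my-private-ca.pem"
    hash="$(openssl x509 -hash -noout -in "$ca")"
    ln -sf "$ca" "$WORK/by-hash/$hash.0"
}

# Each returns 0 when OpenSSL can build a trusted chain for $2, non-zero
# otherwise. The certificate checked here is the CA itself, so success
# means "this trust store contains the anchor".
verify_with_bundle() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
verify_with_dir()    { openssl verify -CApath "$1" "$2" >/dev/null 2>&1; }

# Run the three lookups and print one verdict per layout.
run_demo() {
    ca="$(make_test_ca)"
    make_trust_dirs "$ca"
    verify_with_bundle "$ca" "$ca" \
        && echo "CAfile bundle:        found" || echo "CAfile bundle:        NOT found"
    verify_with_dir "$WORK/by-name" "$ca" \
        && echo "CApath, plain name:   found" || echo "CApath, plain name:   NOT found"
    verify_with_dir "$WORK/by-hash" "$ca" \
        && echo "CApath, hashed name:  found" || echo "CApath, hashed name:  NOT found"
}

run_demo
```

Run it as a plain POSIX shell script with the openssl binary on PATH. The practical takeaway for a mixed setup is that a private CA dropped into a directory under a descriptive name needs a hash-named link beside it (what c_rehash or `openssl rehash` generates) before OpenSSL's on-demand loading will see it, while a bundle file only needs to be referenced as a file.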
