kssl: certificate weirdness
George Staikos
staikos at kde.org
Sun Apr 4 09:40:19 BST 2004

On Saturday, April 3, 2004, at 04:24 AM, Thorsten Becker wrote:
> Hello list,
>
> I have encountered a problem with web server certificates and konqueror in kde
> 3.2.1 and 3.1.5:
> Konqueror doesn't complain when I open certain https-websites, but when I look
> into the security properties, it says there is a problem with an intermediate
> certificate.
>
> Steps to reproduce:
> Import the DFN-root-certificate from http://www.dfn-pca.de/
> (http://www.dfn-pca.de/certification/x509/g1/data/html/cacert/root-ca-cert.der)
>
> In Konqueror, open:
> https://www.uni-konstanz.de/
> It should open without any problem since it was signed by a CA which was
> signed by the DFN Root CA
>
> look at the KDE SSL Information (View -> Security).
> In the chain, select "2 - RZ CA"
>
> The certificate state is shown as "Rejected, possibly due to an invalid purpose"
>
>
> Another example:
> https://www.tu-chemnitz.de/
> is signed by a CA signed by the DFN root-CA, it opens without an error or
> warning message,
> but in the certificate chain the certificate
> 2 - TU Chemnitz Certificate Authority, 2001 - 2005
> has
> "Certificate state: Certificate is self signed and thus may not be trustworthy"
>
>
> In both cases I couldn't find anything wrong with the certificates, so
> konqueror shouldn't show the intermediate certificates as invalid.
>
> Has anyone a clue why that strange behaviour occurs?

I'm too busy to look at this until at least a week or two from now, but
I think there is already an open bug report against this. The code in
question was changed to address a security issue quite a long time ago
and probably didn't take this into account. I'm sure it was working at
least once in the past. Please check bugs.kde.org and file a report if
you don't already see one.
--
George Staikos
KDE Developer http://www.kde.org/
Staikos Computing Services Inc. http://www.staikos.net/