Fwd: kssl: certificate weirdness

Waldo Bastian bastian at kde.org
Mon Apr 5 12:27:45 BST 2004



On Thu April 1 2004 22:09, Waldo Bastian wrote:
> FYI
>
> ----------  Forwarded Message  ----------
>
> Subject: kssl: certificate weirdness
> Date: Thu April 1 2004 21:14
> From: Thorsten Becker <becker at rz.uni-wuerzburg.de>
> To: kde-devel at mail.kde.org
>
> Hello list,
>
> I have encountered a problem with web server certificates and konqueror in
>  kde 3.2.1 and 3.1.5:
> Konqueror doesn't complain when I open certain https-websites, but when I
>  look into the security properties, it says there is a problem with an
>  intermediate certificate.
>
> Steps to reproduce:
> Import the DFN-root-certificate from http://www.dfn-pca.de/
> (http://www.dfn-pca.de/certification/x509/g1/data/html/cacert/root-ca-cert.der)
>
> In Konqueror, open:
> https://www.uni-konstanz.de/
> It should open without any problem since it was signed by a CA which was
> signed by the DFN Root CA
>
> look at the KDE SSL Information (View -> Security).
> In the chain, select "2 - RZ CA"
>
> The certificate state is shown as "Rejected, possibly due to an invalid
> purpose"

It is strange that the whole chain has been accepted nonetheless. Could it be 
that we pass the wrong purpose when the dialog checks the individual 
certificate in the chain?

> Another example:
> https://www.tu-chemnitz.de/
> is signed by a CA signed by the DFN root-CA, it opens without an error or
> warning message,
> but in the certificate chain the certificate
> 2 - TU Chemnitz Certificate Authority, 2001 - 2005
> has
> "Certificate state: Certificate is self signed and thus may not be
> trustworthy"

This seems correct, although the certificate chain is rather weird.
(2) is a self-signed certificate, but (3) is properly signed by DFN, and (1) 
is signed by (3). So (2) seems to be a bogus certificate that doesn't play 
any role at all.

> In both cases I couldn't find anything wrong with the certificates, so
> konqueror shouldn't show the intermediate certificates as invalid.
>
> Has anyone a clue why that strange behaviour occurs?
>
> Thorsten

Cheers,
Waldo
-- 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
^ bastian at kde.org | Is your software SUSE LINUX READY? | bastian at suse.com
^<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
