Bug 8276 (int-153869)

Summary: Imported SSL Certificates not recognized after PR1.1
Product: [Maemo Official Applications] Browser Reporter: maemo5
Component: MicroB engineAssignee: unassigned <nobody>
Status: RESOLVED FIXED QA Contact: microb-bugs
Severity: major    
Priority: Medium CC: agx, andre_klapper, ewan, maemo.org, maemo5, maemobugzilla, tuukka.tolvanen
Version: 5.0/(2.2009.51-1)   
Target Milestone: 5.0/(10.2010.19-1)   
Hardware: N900   
OS: Maemo   

Description maemo5 (reporter) 2010-01-19 17:32:06 UTC 
SOFTWARE VERSION:
1.2009.51-1

STEPS TO REPRODUCE THE PROBLEM:
1. Start browser.
2. Get Rootcertifcate (Class 1 PKI/PEM) from 
<http://www.cacert.org/index.php?id=3>
3. Import the certificate with Certificate manager (server purpose)
4. Visit a page hosted on an https server with a certificate signed by the
above root certificate, such as <https://www.cacert.org/>.

EXPECTED OUTCOME:
The installed certificate is available and used immediately to verify sites'
identities.

ACTUAL OUTCOME:
Secure Connection Failed
www.cacert.org uses an invalid security certificate.
The certificate is not trusted because the issuer certificate is unknown.
(Error code: sec_error_unknown_issuer)

REPRODUCIBILITY:
Always - also after browser is closed and re-opened or a reboot of the whole
phone!

EXTRA SOFTWARE INSTALLED:
Fresh device with just updated to PR 1.1.

OTHER COMMENTS:
Maybe it sounds like Bug 6211 (https://bugs.maemo.org/show_bug.cgi?id=6211) -
this was before PR 1.1. Now even a reboot of the device doesn't help. There are
also other people reporting this bug:
http://talk.maemo.org/showthread.php?t=40972
Comment 1 maemobugzilla 2010-01-19 21:08:21 UTC 
This also happens with .p12 client certificates.
Comment 2 maemo.org 2010-01-20 04:40:52 UTC 
*** This bug has been confirmed by popular vote. ***
Comment 3 maemo.org 2010-01-20 04:42:29 UTC 
I can confirm this bug. I've tested with different CA and client certificates,
and all are getting ignored after the upgrade to PR1.1.

The certificates are still displayed correctly in the Certificate Manager, but
they are not used by the the browser or email application.
Comment 4 Guido Günther 2010-01-21 19:22:31 UTC 
In addition to the browser this also affects E-Mail (modest)
Comment 5 timeless 2010-01-28 18:16:15 UTC 
re comment 1, no. please do *not* confuse client certificates with server
certificates. problems with one are *not* related to problems with the other.
they must be handled separately.
Comment 6 Andre Klapper maemo.org 2010-02-01 14:52:35 UTC 
This has been fixed internally for the upcoming PR1.2 release.

A future public update will include the fix. (This is not always already the
next public update.)

To answer popular followup questions:
 * Nokia does not announce release dates of public updates in advance.
 * There is currently no access to these internal, non-public build versions.
   A Brainstorm proposal to change this exists at
http://maemo.org/community/brainstorm/view/undelayed_bugfix_releases_for_nokia_open_source_packages-002/
Comment 7 ewan 2010-02-01 15:08:27 UTC 
"There is currently no access to these internal, non-public build versions."

There have been suggestions in the past (on t.m.o) that fixes are committed to
the maemo.gitorious.org trees before they're released as binaries. Can you
confirm whether this fix is published there already or not, and if it is, give
us a pointer to it so that anyone interested in building from source can
identify the fix in the git tree?
Comment 8 tuukka.tolvanen nokia 2010-02-02 02:41:45 UTC 
No, browser components are not available on gitorious. (The relevant upstream
is hg anyhow.)
Comment 9 Andre Klapper maemo.org 2010-03-15 20:51:50 UTC 
Setting explicit PR1.2 milestone (so it's clearer in which public release the
fix will be available to users).

Sorry for the bugmail noise (you can filter on this message).