maemo.org Bugzilla – Bug 3792
Can't set proper trust level for new CA roots (e.g. CACert.org)
Last modified: 2009-02-26 22:37:17 UTC
You need to
before you can comment on or make changes to this bug.
STEPS TO REPRODUCE THE PROBLEM:
Browse to CACert.org.
Click on "Root certificates".
Download both the Class 1 and Class 3 certs (in PEM format) to N810.
Open the Control Panel, Certificate Manager.
Click "Import". Choose the CACert Class 1 cert, import it, confirm that all of
the trust boxes are checked.
Repeat the import with the CACert Class 3 cert, confirm all trust levels.
Close Control Panel.
Open the Browser.
HTTPS connection should be opened without complaint. Site is protected by a
current SSL cert signed by the CACert Class 3 authority, and contains a
chain-of-trust cert for the CACert Class 3 authority signed by the CACert Class
Browser complains that the site's cert is "not signed by a trusted authority."
Upon viewing the details, the window shows that the cert is signed and valid.
Similar problems occur in Claws if I open an SSL connection (IMAP4 or SMTP) to
a server which uses a CACert.org-signed certificate on those ports. Claws
reports that it cannot find the local issuer certificate.
Same basic (IMAP-over-SSL) problem occurs with the built-in mail app
(Modest?)... "no local issuer cert"
EXTRA SOFTWARE INSTALLED:
I did not have this problem with the older software which was factory-installed
on my N810 - Ithe built-in mail software was able to set up SSL to my IMAP4
server without complaining. After I re-flashed the tablet with the 4.2008.30-2
software image, the mailer began complaining. Importing the CACert root certs
had no effect.
It almost looks to me as if the certs installed by the Certificate Manager
aren't being used by the browser and mail software - and I notice that all of
the pre-installed ones are set as being secure for WLAN but not for email or
Is there actually a second, different certificate store (or a store of trust
information) used by the browser and other applications, distinct from the
Certificate Manager connectivity cert store?
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:220.127.116.11)
Gecko/20080702 Iceweasel/18.104.22.168 (Debian-22.214.171.124-0etch1)
timeless: Is this your area (browser, and since you're working on cert stuff
IIRC), or is this a general issue?
Dave, I think this is a duplicate of bug 1528 because Certman is buggy.
See bug 1528 comment 4 about the current situation.
OK for you to mark this as a duplicate?
Yes, it does appear that the same underlying problem is involved in both bugs.
It's OK with me if you close this one as a duplicate.
Do you know whether anyone has a copy of certutil, compiled/linked to run on
the N810 under Diablo, that I might use to try manually installing the
necessary CA cert and give it the correct level of trust?
You can manually import certs into a firefox and copy over the certificate
database to a device.... :-/
Same as bug 1528 as per comments.
*** This bug has been marked as a duplicate of bug 1528 ***