Bug 3792 - Can't set proper trust level for new CA roots (e.g. CACert.org)
Status: RESOLVED DUPLICATE of bug 1528
Product: Browser
MicroB engine
: 4.1.2 (4.2008.36-5)
: N810 Linux
: Medium normal
: 5.0 (1.2009.41-10)
Assigned To: Juhani Mäkelä
: microb-bugs
Reported: 2008-10-09 00:01 UTC by Dave Platt
Modified: 2009-02-26 22:37 UTC

Description Dave Platt (reporter) 2008-10-09 00:01:52 UTC
SOFTWARE VERSION:
4.2008.36-5

STEPS TO REPRODUCE THE PROBLEM:
Browse to CACert.org.
Click on "Root certificates".
Download both the Class 1 and Class 3 certs (in PEM format) to N810.
Open the Control Panel, Certificate Manager.
Click "Authorities"
Click "Import".  Choose the CACert Class 1 cert, import it, confirm that all of
the trust boxes are checked.
Repeat the import with the CACert Class 3 cert, confirm all trust levels.
Close Control Panel.
Open the Browser.
Visit https://snulbug.mtview.ca.us

EXPECTED OUTCOME:
HTTPS connection should be opened without complaint.  Site is protected by a
current SSL cert signed by the CACert Class 3 authority, and contains a
chain-of-trust cert for the CACert Class 3 authority signed by the CACert Class
3 authority.

ACTUAL OUTCOME:
Browser complains that the site's cert is "not signed by a trusted authority."
Upon viewing the details, the window shows that the cert is signed and valid.

Similar problems occur in Claws if I open an SSL connection (IMAP4 or SMTP) to
a server which uses a CACert.org-signed certificate on those ports.  Claws
reports that it cannot find the local issuer certificate.

Same basic (IMAP-over-SSL) problem occurs with the built-in mail app
(Modest?)... "no local issuer cert"

REPRODUCIBILITY:
100%

EXTRA SOFTWARE INSTALLED:

OTHER COMMENTS:

I did not have this problem with the older software which was factory-installed
on my N810 - the built-in mail software was able to set up SSL to my IMAP4
server without complaining.  After I re-flashed the tablet with the 4.2008.30-2
software image, the mailer began complaining.  Importing the CACert root certs
had no effect.

It almost looks to me as if the certs installed by the Certificate Manager
aren't being used by the browser and mail software - and I notice that all of
the pre-installed ones are set as being secure for WLAN but not for email or
web sites.

Is there actually a second, different certificate store (or a store of trust
information) used by the browser and other applications, distinct from the
Certificate Manager connectivity cert store?

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.16)
Gecko/20080702 Iceweasel/2.0.0.16 (Debian-2.0.0.16-0etch1)

Comment 1 Andre Klapper maemo.org 2008-10-09 11:45:23 UTC
timeless: Is this your area (browser, and since you're working on cert stuff
IIRC), or is this a general issue?

Comment 2 Andre Klapper maemo.org 2008-10-09 16:29:14 UTC
Dave, I think this is a duplicate of bug 1528 because Certman is buggy.
See bug 1528 comment 4 about the current situation.
OK for you to mark this as a duplicate?

Comment 3 Dave Platt (reporter) 2008-10-11 01:19:54 UTC
Yes, it does appear that the same underlying problem is involved in both bugs.
It's OK with me if you close this one as a duplicate.

Do you know whether anyone has a copy of certutil, compiled/linked to run on
the N810 under Diablo, that I might use to try manually installing the
necessary CA cert and give it the correct level of trust?

Comment 4 Andre Klapper maemo.org 2008-10-14 12:43:47 UTC
You can manually import certs into a firefox and copy over the certificate
database to a device.... :-/

Comment 5 Andre Klapper maemo.org 2009-02-26 22:37:17 UTC
Same as bug 1528 as per comments.

*** This bug has been marked as a duplicate of bug 1528 ***