Date: Fri, 01 Nov 2019 13:45:05 +0000
From: bugzilla-noreply@freebsd.org
To: ports-bugs@FreeBSD.org
Subject: [Bug 241642] net/qt5-network system vs. user certificate confusion
Message-ID: <bug-241642-7788@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=241642

            Bug ID: 241642
           Summary: net/qt5-network system vs. user certificate confusion
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: kde@FreeBSD.org
          Reporter: uqs@FreeBSD.org
             Flags: maintainer-feedback?(kde@FreeBSD.org)

Hi there,

so this will take a while, I'm very confused. The starting point is that
Clementine-player using QT5 cannot talk to last.fm due to the SSL handshake
failing. The root cause is that I have custom certs under /etc/ssl/certs (but
it took me 2 days to whittle it down to that!).

First some code. *With* certs in /etc/ssl/certs present, notably a symlink to
/usr/local/share/certs/ca-root-nss.crt, meaning it should still find
everything, I get the following output of this code:

    // Headers needed at the top of the enclosing file.
    #include <QSslCertificate>
    #include <QSslConfiguration>
    // qLog(Debug) is Clementine's logging macro.

    // Every CA certificate Qt finds in the system store.
    for (auto const& cert : QSslConfiguration::systemCaCertificates()) {
      qLog(Debug) << "Got sys cert" << cert.subjectDisplayName();
    }
    // The CA certificates actually attached to the default SSL configuration.
    QSslConfiguration conf(QSslConfiguration::defaultConfiguration());
    for (auto const& cert : conf.caCertificates()) {
      qLog(Debug) << "Got cert" << cert.subjectDisplayName();
    }

    14:15:41.445 DEBUG LastFMService:176 Got sys cert "TC TrustCenter for Security in Data Networks GmbH"
    14:15:41.446 DEBUG LastFMService:176 Got sys cert "Equifax"
    14:15:41.446 DEBUG LastFMService:176 Got sys cert "FNMT-RCM"
    ....
    14:15:41.497 DEBUG LastFMService:176 Got sys cert "VeriSign Class 3 Public Primary Certification Authority - G5"
    14:15:41.497 DEBUG LastFMService:176 Got sys cert "VeriSign Universal Root Certification Authority"
    14:15:41.497 DEBUG LastFMService:176 Got sys cert "XRamp Global Certification Authority"
    14:15:41.499 DEBUG LastFMService:187 Got cert "*.soundcloud.com"
    14:15:41.499 DEBUG LastFMService:187 Got cert "GlobalSign Domain Validation CA - SHA256 - G2"
    14:15:41.499 DEBUG LastFMService:187 Got cert "GlobalSign Root CA"
    14:15:41.500 DEBUG LastFMService:187 Got cert "Equifax"

And I can tell you that only the last 4 "user" certs are being checked, not
having any for last.fm, and then sadness ensues. A truss of this behavior
looks like so:

    51681: open("/etc/ssl/certs",O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC,02401670100) = 93 (0x5d)
    51681: open("/etc/ssl",O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC,01745) = 93 (0x5d)
    51681: openat(AT_FDCWD,"/etc/ssl/certs/tcclass3-2011.pem",O_RDONLY|O_CLOEXEC,00) = 93 (0x5d)
    51681: openat(AT_FDCWD,"/etc/ssl/certs/Equifax_Secure_Certificate_Authority.pem",O_RDONLY|O_CLOEXEC,00) = 93 (0x5d)
    51681: openat(AT_FDCWD,"/usr/local/share/certs/ca-root-nss.crt",O_RDONLY|O_CLOEXEC,00) = 93 (0x5d)
    51681: openat(AT_FDCWD,"/etc/ssl/certs/cacert3.pem",O_RDONLY|O_CLOEXEC,00) = 93 (0x5d)
    51681: openat(AT_FDCWD,"/usr/local/share/certs/ca-root-nss.crt",O_RDONLY|O_CLOEXEC,00) = 93 (0x5d)

So it does read my symlinked ca-root-nss.crt and then also falls back to it
system-wide it seems, because it's in there twice. Maybe it gets confused
expecting a single cert in there, not a bundle?

Ok, removing /etc/ssl/certs, it starts to work, the logging output changes to
this:

    14:22:17.271 DEBUG LastFMService:176 Got sys cert "FNMT-RCM"
    14:22:17.271 DEBUG LastFMService:176 Got sys cert "ACCVRAIZ1"
    14:22:17.271 DEBUG LastFMService:176 Got sys cert "Actalis Authentication Root CA"
    ...
    14:22:17.281 DEBUG LastFMService:176 Got sys cert "VeriSign Class 3 Public Primary Certification Authority - G5"
    14:22:17.281 DEBUG LastFMService:176 Got sys cert "VeriSign Universal Root Certification Authority"
    14:22:17.281 DEBUG LastFMService:176 Got sys cert "XRamp Global Certification Authority"
    14:22:17.282 DEBUG LastFMService:187 Got cert "FNMT-RCM"
    14:22:17.282 DEBUG LastFMService:187 Got cert "ACCVRAIZ1"
    14:22:17.282 DEBUG LastFMService:187 Got cert "Actalis Authentication Root CA"
    ...
    14:22:17.292 DEBUG LastFMService:187 Got cert "VeriSign Class 3 Public Primary Certification Authority - G5"
    14:22:17.292 DEBUG LastFMService:187 Got cert "VeriSign Universal Root Certification Authority"
    14:22:17.292 DEBUG LastFMService:187 Got cert "XRamp Global Certification Authority"
    14:22:17.292 DEBUG LastFMService:187 Got cert "*.soundcloud.com"
    14:22:17.292 DEBUG LastFMService:187 Got cert "GlobalSign Domain Validation CA - SHA256 - G2"
    14:22:17.293 DEBUG LastFMService:187 Got cert "GlobalSign Root CA"
    14:22:17.293 DEBUG LastFMService:187 Got cert "Equifax"

And truss looks like so:

    11934: open("/etc/ssl/openssl.cnf",O_RDONLY,0666) = 13 (0xd)
    11934: open("/etc/ssl/",O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC,01174) = 13 (0xd)
    11934: open("/etc/ssl",O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC,01155) = 13 (0xd)
    11934: openat(AT_FDCWD,"/usr/local/share/certs/ca-root-nss.crt",O_RDONLY|O_CLOEXEC,00) = 13 (0xd)

I tried to find some information on how to properly have ca-root-nss.crt work,
but also have my own trusted certs in addition to that. Clearly I'm holding it
wrong for QT at least.

Also, where the eff is that soundcloud.com entry coming from?

-- 
You are receiving this mail because:
You are the assignee for the bug.
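An added diagnostic, not from the report or from the Qt or FreeBSD projects, that inventories a CA directory for the two things the report turns up: a multi-certificate bundle symlinked in among single-cert files, and the same bundle being reachable both through the directory and as the system default (the double read of ca-root-nss.crt in the truss output). The default bundle path and the file names come from the report; the PEM contents in the fixture are constructed dummies.

```shell
#!/bin/sh
# Added diagnostic, not part of the bug report: for each file in a CA
# directory laid out like the /etc/ssl/certs in the report, print how many
# PEM certificates it holds (single cert vs. bundle) and where a symlink
# points, and flag a bundle that is also the system default bundle, which
# is the file the truss output shows being opened twice.

# Usage: audit_ca_dir DIR [SYSTEM_BUNDLE]   (default bundle path from the report)
audit_ca_dir() {
    dir=$1
    sysbundle=${2:-/usr/local/share/certs/ca-root-nss.crt}
    dup=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue          # skip subdirs and an unmatched glob
        # Count PEM certificate blocks; "|| true" keeps a 0-count from failing.
        n=$(grep -c 'BEGIN CERTIFICATE' "$f" || true)
        if [ -L "$f" ]; then target=$(readlink "$f"); else target=$f; fi
        kind=single
        if [ "$n" -gt 1 ]; then kind=bundle; fi
        printf '%s certs=%s kind=%s -> %s\n' "$(basename "$f")" "$n" "$kind" "$target"
        if [ "$target" = "$sysbundle" ]; then dup=1; fi
    done
    if [ "$dup" -eq 1 ]; then printf 'DUPLICATE_BUNDLE %s\n' "$sysbundle"; fi
}

# Number of files in DIR that are bundles rather than single certificates.
count_bundles() {
    audit_ca_dir "$1" "$2" | grep -c 'kind=bundle'
}

# Constructed fixture mirroring the report: two single-cert files plus a
# symlink to a bundle kept outside the directory, as ca-root-nss.crt is.
# PEM bodies are dummies. Prints the fixture root: CA dir is $root/certs,
# bundle is $root/ca-root-nss.crt.
make_fixture() {
    root=$(mktemp -d)
    pem() { printf '%s\n' '-----BEGIN CERTIFICATE-----' "$1" '-----END CERTIFICATE-----'; }
    mkdir "$root/certs"
    pem AAAA > "$root/certs/tcclass3-2011.pem"
    pem BBBB > "$root/certs/cacert3.pem"
    { pem CCCC; pem DDDD; } > "$root/ca-root-nss.crt"
    ln -s "$root/ca-root-nss.crt" "$root/certs/ca-root-nss.pem"
    printf '%s\n' "$root"
}

root=$(make_fixture)
audit_ca_dir "$root/certs" "$root/ca-root-nss.crt"
rm -rf "$root"
```

Run it against the real directory as `audit_ca_dir /etc/ssl/certs` to see which entries are bundles and whether the system bundle is reachable twice.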