Bug 241642 - net/qt5-network system vs. user certificate confusion
Summary: net/qt5-network system vs. user certificate confusion
Status: New
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: kde
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-11-01 13:45 UTC by Ulrich Spoerlein
Modified: 2019-11-01 13:45 UTC (History)
0 users

See Also:
bugzilla: maintainer-feedback? (kde)


Description Ulrich Spoerlein freebsd_committer 2019-11-01 13:45:05 UTC
Hi there, so this will take a while, I'm very confused. The starting point is that Clementine-player using QT5 cannot talk to last.fm due to the SSL handshake failing. The root cause is that I have custom certs under /etc/ssl/certs (but it took me 2 days to whittle it down to that!).


First some code. *With* certs in /etc/ssl/certs present, notably a symlink to /usr/local/share/certs/ca-root-nss.crt, meaning it should still find everything, I get the following output of this code:

    #include <QSslCertificate>
    #include <QSslConfiguration>

    // Certificates Qt discovered on the system (CA directories and known bundle files).
    for (auto const& cert : QSslConfiguration::systemCaCertificates()) {
      qLog(Debug) << "Got sys cert" << cert.subjectDisplayName();
    }

    // CA certificates in the default configuration, i.e. what sockets will actually verify against.
    QSslConfiguration conf(QSslConfiguration::defaultConfiguration());
    for (auto const& cert : conf.caCertificates()) {
      qLog(Debug) << "Got cert" << cert.subjectDisplayName();
    }


14:15:41.445 DEBUG LastFMService:176                Got sys cert "TC TrustCenter for Security in Data Networks GmbH"
14:15:41.446 DEBUG LastFMService:176                Got sys cert "Equifax"
14:15:41.446 DEBUG LastFMService:176                Got sys cert "FNMT-RCM"
....
14:15:41.497 DEBUG LastFMService:176                Got sys cert "VeriSign Class 3 Public Primary Certification Authority - G5"
14:15:41.497 DEBUG LastFMService:176                Got sys cert "VeriSign Universal Root Certification Authority"
14:15:41.497 DEBUG LastFMService:176                Got sys cert "XRamp Global Certification Authority"
14:15:41.499 DEBUG LastFMService:187                Got cert "*.soundcloud.com"
14:15:41.499 DEBUG LastFMService:187                Got cert "GlobalSign Domain Validation CA - SHA256 - G2"
14:15:41.499 DEBUG LastFMService:187                Got cert "GlobalSign Root CA"
14:15:41.500 DEBUG LastFMService:187                Got cert "Equifax"

And I can tell you that only the last 4 "user" certs are being checked, none of which is for last.fm, and then sadness ensues. A truss of this behavior looks like so:

51681: open("/etc/ssl/certs",O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC,02401670100) = 93 (0x5d)
51681: open("/etc/ssl",O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC,01745) = 93 (0x5d)
51681: openat(AT_FDCWD,"/etc/ssl/certs/tcclass3-2011.pem",O_RDONLY|O_CLOEXEC,00) = 93 (0x5d)
51681: openat(AT_FDCWD,"/etc/ssl/certs/Equifax_Secure_Certificate_Authority.pem",O_RDONLY|O_CLOEXEC,00) = 93 (0x5d)
51681: openat(AT_FDCWD,"/usr/local/share/certs/ca-root-nss.crt",O_RDONLY|O_CLOEXEC,00) = 93 (0x5d) 
51681: openat(AT_FDCWD,"/etc/ssl/certs/cacert3.pem",O_RDONLY|O_CLOEXEC,00) = 93 (0x5d)
51681: openat(AT_FDCWD,"/usr/local/share/certs/ca-root-nss.crt",O_RDONLY|O_CLOEXEC,00) = 93 (0x5d)

So it does read my symlinked ca-root-nss.crt and then also falls back to it system-wide, it seems, because it's in there twice. Maybe it gets confused expecting a single cert in there, not a bundle?


OK, removing /etc/ssl/certs, it starts to work, and the logging output changes to this:


14:22:17.271 DEBUG LastFMService:176                Got sys cert "FNMT-RCM"
14:22:17.271 DEBUG LastFMService:176                Got sys cert "ACCVRAIZ1"
14:22:17.271 DEBUG LastFMService:176                Got sys cert "Actalis Authentication Root CA"
...
14:22:17.281 DEBUG LastFMService:176                Got sys cert "VeriSign Class 3 Public Primary Certification Authority - G5"
14:22:17.281 DEBUG LastFMService:176                Got sys cert "VeriSign Universal Root Certification Authority"
14:22:17.281 DEBUG LastFMService:176                Got sys cert "XRamp Global Certification Authority"
14:22:17.282 DEBUG LastFMService:187                Got cert "FNMT-RCM"
14:22:17.282 DEBUG LastFMService:187                Got cert "ACCVRAIZ1"
14:22:17.282 DEBUG LastFMService:187                Got cert "Actalis Authentication Root CA"
...
14:22:17.292 DEBUG LastFMService:187                Got cert "VeriSign Class 3 Public Primary Certification Authority - G5"
14:22:17.292 DEBUG LastFMService:187                Got cert "VeriSign Universal Root Certification Authority"
14:22:17.292 DEBUG LastFMService:187                Got cert "XRamp Global Certification Authority"
14:22:17.292 DEBUG LastFMService:187                Got cert "*.soundcloud.com"
14:22:17.292 DEBUG LastFMService:187                Got cert "GlobalSign Domain Validation CA - SHA256 - G2"
14:22:17.293 DEBUG LastFMService:187                Got cert "GlobalSign Root CA"
14:22:17.293 DEBUG LastFMService:187                Got cert "Equifax"


And truss looks like so:

11934: open("/etc/ssl/openssl.cnf",O_RDONLY,0666) = 13 (0xd)
11934: open("/etc/ssl/",O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC,01174) = 13 (0xd)
11934: open("/etc/ssl",O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC,01155) = 13 (0xd)
11934: openat(AT_FDCWD,"/usr/local/share/certs/ca-root-nss.crt",O_RDONLY|O_CLOEXEC,00) = 13 (0xd)


I tried to find some information on how to properly have ca-root-nss.crt work, but also have my own trusted certs in addition to that. Clearly I'm holding it wrong for QT at least.

Also, where the eff is that soundcloud.com entry coming from?
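An added diagnostic (not from the bug report or from Qt) for the directory layout the truss above shows: OpenSSL's hashed-directory lookup, which is what a CApath such as /etc/ssl/certs is consulted through, only ever opens files named `<subject_hash>.N` (the layout `c_rehash` produces), whereas a `*.pem`/`*.crt` glob like the one the truss shows Qt doing reads every file, bundle or not. The script classifies each entry accordingly and reports symlinks that resolve to an already-listed file; the sample directory it builds, the `5ed36f99.0` hash name, and the PEM contents are constructed placeholders, not real certificates.

```python
"""Audit a CA directory such as /etc/ssl/certs for OpenSSL hash-dir lookup (added example)."""
import os
import re
import tempfile

BEGIN = re.compile(rb"-----BEGIN CERTIFICATE-----")
# c_rehash naming: <8 hex digits>.<n>; `openssl x509 -noout -subject_hash` prints the digits.
HASHED = re.compile(r"^[0-9a-f]{8}\.\d+$")
EXTS = (".pem", ".crt")

def classify(path):
    """Classify one file as hash-dir lookup and a *.pem/*.crt glob would each see it."""
    name = os.path.basename(path)
    with open(path, "rb") as fh:
        count = len(BEGIN.findall(fh.read()))
    if count == 0:
        kind = "empty"            # no PEM certificate at all
    elif HASHED.match(name):
        kind = "hashed"           # the only naming X509_LOOKUP_hash_dir opens
    elif count == 1:
        kind = "unhashed-single"  # needs a <hash>.N symlink (c_rehash) to be found by OpenSSL
    else:
        kind = "unhashed-bundle"  # read by a glob, never by hash-dir lookup
    return {"name": name, "count": count, "kind": kind, "real": os.path.realpath(path)}

def audit(directory):
    """Classify every regular *.pem/*.crt or <hash>.N file in the directory."""
    out = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path) and (name.lower().endswith(EXTS) or HASHED.match(name)):
            out.append(classify(path))
    return out

def hashdir_visible(results):
    """Names OpenSSL's hashed-directory lookup can actually open."""
    return [r["name"] for r in results if r["kind"] == "hashed"]

def duplicate_targets(results):
    """Real paths reached by more than one entry (a symlink beside its target, as in the truss)."""
    seen = {}
    for r in results:
        seen.setdefault(r["real"], []).append(r["name"])
    return {real: names for real, names in seen.items() if len(names) > 1}

def build_sample_dir():
    """Constructed sample: fake PEM markers only, no real certificates; hash name is a placeholder."""
    d = tempfile.mkdtemp(prefix="certaudit-")
    one = b"-----BEGIN CERTIFICATE-----\nZmFrZQ==\n-----END CERTIFICATE-----\n"
    for name, body in (("Equifax.pem", one), ("5ed36f99.0", one), ("ca-root-nss.crt", one * 3)):
        with open(os.path.join(d, name), "wb") as f:
            f.write(body)
    os.symlink(os.path.join(d, "ca-root-nss.crt"), os.path.join(d, "bundle-link.crt"))
    return d

if __name__ == "__main__":
    import sys
    for r in audit(sys.argv[1] if len(sys.argv) > 1 else "/etc/ssl/certs"):
        print(f'{r["kind"]:16} {r["count"]:3} {r["name"]}')
```

Run it against /etc/ssl/certs: a bundle symlinked in under a descriptive name shows up as `unhashed-bundle`, which is exactly what a glob reads and hash-dir lookup ignores.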