Bug 73153 - Kopete doesn't use root CAs from KDE
Summary: Kopete doesn't use root CAs from KDE
Status: RESOLVED UPSTREAM
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] KDE
Hardware: x86 Linux
Importance: High enhancement
Assignee: Gentoo KDE team
Reported: 2004-12-02 11:04 UTC by Jose Gonzalez Gomez
Modified: 2004-12-09 07:45 UTC
Description Jose Gonzalez Gomez 2004-12-02 11:04:36 UTC
Kopete doesn't seem to be using the root CA configured in KDE (security -> crypto -> SSL signers).

I have installed and configured a corporate Jabber server (JabberD), and have activated the use of SSL, using our own root CA, and a server certificate signed by that root CA. This setup is working properly, and we have tested it with Konqueror after adding our root certificate to the KDE SSL signers.

When Kopete connects to the server, we get an error saying the following:

Certificate of server [server name] could not be validated for account [account name] : The Certificate Authority is invalid

So Kopete seems to be ignoring the KDE SSL signers store. In my investigations I have found that Kopete relies on app-crypt/qca-tls for the TLS/SSL part, but I have found little information about this library. I have also found that I'm not the only one with this problem:

http://www.kde-forum.org/viewtopic.php?t=3676&start=0&postdays=0&postorder=asc&highlight=

As you can see in this forum, the problem also happens with self-signed certificates, although you add them to the KDE SSL signers. So this seems to be a bug or missing feature in Kopete (although I don't understand why somebody would include SSL support without trust chain checking). I don't know if I should have filed this report directly to KDE. If so, please tell me and I'll do it.

Reproducible: Always
Steps to Reproduce:
1. Install JabberD server, activate SSL support with self-signed or CA-signed certificate
2. Include self-signed or root CA certificate in KDE SSL signers
3. If you have a web server with the same domain name, you can check that the SSL certificate works properly by opening a Konqueror https connection
4. Configure Kopete to access the JabberD server using SSL
5. Connect to the Jabber server

You can experience the same problem if you try to connect to jabber.org using SSL. If you can download the certificate (I don't know if they offer it anywhere) you'll be able to check the behavior mentioned above.
Actual Results:  
Kopete isn't able to check the validity of the certificate sent by the server

Expected Results:  
Kopete should have been able to establish the validity of the server certificate
and establish a secure connection without user intervention

Portage 2.0.51-r3 (default-x86-2004.2, gcc-3.3.4, glibc-2.3.4.20040808-r1,
2.6.7-gentoo-r11 i686)
=================================================================
System uname: 2.6.7-gentoo-r11 i686 AMD Athlon(TM) XP 2000+
Gentoo Base System version 1.4.16
Autoconf: sys-devel/autoconf-2.59-r5
Automake: sys-devel/automake-1.8.5-r1
Binutils: sys-devel/binutils-2.14.90.0.8-r1
Headers:  sys-kernel/linux26-headers-2.6.8.1-r1
Libtools: sys-devel/libtool-1.5.2-r5
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-march=athlon-xp -O3 -pipe -fomit-frame-pointer -mmmx -m3dnow"
CHOST="i686-pc-linux-gnu"
COMPILER=""
CONFIG_PROTECT="/etc /usr/X11R6/lib/X11/xkb /usr/kde/2/share/config
/usr/kde/3.2/share/config /usr/kde/3.3/env /usr/kde/3.3/share/config
/usr/kde/3.3/shutdown /usr/kde/3/share/config /usr/lib/mozilla/defaults/pref
/usr/share/config /usr/share/texmf/dvipdfm/config/
/usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/
/usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/lib/jboss
/var/qmail/control /var/spool/fax/etc"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-march=athlon-xp -O3 -pipe -fomit-frame-pointer -mmmx -m3dnow"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs ccache distlocks sandbox"
GENTOO_MIRRORS="http://gentoo.osuosl.org
http://distro.ibiblio.org/pub/Linux/distributions/gentoo"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://commserver.openinput.com/gentoo-portage"
USE="3dnow X acpi alsa apm arts avi berkdb bitmap-fonts cdr cjk crypt cups
divx4linux doc dvd dvdr encode esd f77 foomaticdb fortran freetype gdbm gif
gphoto2 gpm gstreamer guile hbci imlib jabber java jikes jpeg junit kde kerberos
ldap libg++ libwww mad maildir mikmod mmx mng motif mozilla mpeg mysql ncurses
nls nptl objc ofx oggvorbis openal opengl pam pda pdflib perl png postgres
python qt quicktime readline samba sasl scanner sdl slang slp spell ssl svga
tcltk tcpd tetex tiff truetype unicode usb x86 xml2 xmms xv zlib linguas_es
linguas_ca"
Comment 1 Caleb Tennis (RETIRED) gentoo-dev 2004-12-02 12:41:59 UTC
Yeah, this is best filed at bugs.kde.org.
Comment 2 Jose Gonzalez Gomez 2004-12-02 14:22:54 UTC
Done...

http://bugs.kde.org/show_bug.cgi?id=94301
Comment 3 Simone Gotti (RETIRED) gentoo-dev 2004-12-09 07:45:47 UTC
I think we can resolve this as upstream as we can't do much about it.
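
The description reports that one server certificate validates in Konqueror, where the root CA was added to the KDE SSL signers, yet is rejected by Kopete. As an added illustration (not part of the original report, and not Kopete or qca-tls code), this script uses the openssl CLI to show that the verdict on the same certificate depends on which trust store the verifier consults; the CA names, host name and file paths are constructed for the demo.

```shell
#!/bin/sh
# Added example: every name, subject and path here is constructed for the demo.
set -eu

# Create a throwaway root CA, a server certificate signed by it, and a second,
# unrelated root that stands in for a store missing the corporate CA.
make_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Corp Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=jabber.example.internal" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -days 1 \
        -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
        -out "$dir/server.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Unrelated Root CA" \
        -keyout "$dir/other.key" -out "$dir/other.pem" 2>/dev/null
}

# Verify a certificate against one trust-anchor file; prints trusted/untrusted.
check_chain() {
    store=$1
    cert=$2
    if openssl verify -CAfile "$store" "$cert" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
make_pki "$tmp"
echo "store holding the corporate root: $(check_chain "$tmp/root.pem" "$tmp/server.pem")"
echo "store without the corporate root: $(check_chain "$tmp/other.pem" "$tmp/server.pem")"
```

When two applications disagree about a certificate, running the same check against each application's CA file or directory shows which store is missing the root.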