From Fedora Project Wiki
No edit summary
No edit summary
Line 87: Line 87:


Test C:
Test C:
  curl --head https://kuix.de:9431
  curl --head https://test9431.kuix.de:9431
  curl: (60) Peer's Certificate issuer is not recognized.
  curl: (60) Peer's Certificate issuer is not recognized.


Test D:
Test D:
  firefox https://kuix.de:9431
  firefox https://test9431.kuix.de:9431
  error page, technical details: Error code: sec_error_untrusted_issuer
  error page, technical details: Error code: sec_error_untrusted_issuer


Test E:
Test E:
  epiphany https://kuix.de:9431
  epiphany https://test9431.kuix.de:9431
  right of url bar shows open padlock with orange exclamation symbol
  right of url bar shows open padlock with orange exclamation symbol
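Review bot: Tests C, D and E now point at test9431.kuix.de, but the section's HOST line and Tests A and B in the revision below still use kuix.de:9431, so one section exercises two hostnames and the edit has no summary explaining why. Either switch A and B to the same name or add a sentence saying why only the tools in C to E need the new hostname.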


Line 121: Line 121:


Test C:
Test C:
  curl --head https://kuix.de:9431
  curl --head https://test9431.kuix.de:9431
  HTTP/1.1 200 OK
  HTTP/1.1 200 OK


Test D:
Test D:
  firefox https://kuix.de:9431
  firefox https://test9431.kuix.de:9431
  page loads, left of URL good padlock shown, no error
  page loads, left of URL good padlock shown, no error


Test E:
Test E:
  epiphany https://kuix.de:9431
  epiphany https://test9431.kuix.de:9431
  page loads, right of URL good padlock shown, no error
  page loads, right of URL good padlock shown, no error


Line 172: Line 172:


Test C:
Test C:
  curl --head https://kuix.de:9430
  curl --head https://test9430.kuix.de:9430
  Probably: HTTP/1.1 200 OK
  Probably: HTTP/1.1 200 OK
  Ideally (later) should be: curl: (60) Peer's Certificate issuer is not recognized.
  Ideally (later) should be: curl: (60) Peer's Certificate issuer is not recognized.


Test D:
Test D:
  firefox https://kuix.de:9430
  firefox https://test9430.kuix.de:9430
  error page, technical details: Error code: sec_error_untrusted_issuer
  error page, technical details: Error code: sec_error_untrusted_issuer


Test E:
Test E:
  epiphany https://kuix.de:9430
  epiphany https://test9430.kuix.de:9430
  Probably: page loads, right of URL good padlock shown, no error
  Probably: page loads, right of URL good padlock shown, no error
  Ideally (later) should be: right of url bar shows open padlock with orange exclamation symbol
  Ideally (later) should be: right of url bar shows open padlock with orange exclamation symbol
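Review bot: in Tests C and E the expected result is still given as "Probably: ..." next to "Ideally (later) should be: ...", so a tester cannot tell which outcome to record as a pass on Fedora 19. Since the URL changes to test9430.kuix.de here, re-run both tests against the new name and replace "Probably" with the observed result, keeping the "Ideally" line as the target behaviour.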
Line 213: Line 213:


Test C:
Test C:
  curl --head https://kuix.de:9431
  curl --head https://test9431.kuix.de:9431
  curl: (60) Peer's Certificate issuer is not recognized.
  curl: (60) Peer's Certificate issuer is not recognized.


Test D:
Test D:
  firefox https://kuix.de:9431
  firefox https://test9431.kuix.de:9431
  error page, technical details: Error code: sec_error_untrusted_issuer
  error page, technical details: Error code: sec_error_untrusted_issuer


Test E:
Test E:
  epiphany https://kuix.de:9431
  epiphany https://test9431.kuix.de:9431
  right of url bar shows open padlock with orange exclamation symbol
  right of url bar shows open padlock with orange exclamation symbol



Revision as of 22:56, 11 March 2013

Instructions for testing the Features/SharedSystemCertificates feature of Fedora 19.

Commands used for testing system behaviour

Testing this feature modifies the system-wide trust configuration, which changes how the tools below behave.

Preparation

Install the required tools

yum install gnutls-utils nss-tools openssl firefox epiphany java-1.7.0-openjdk-devel

Download a few files that we'll use later:

cd /tmp/
wget http://kuix.de/fedora/p11-kit-f19/ca.pem
wget http://kuix.de/fedora/p11-kit-f19/test9430.java
wget http://kuix.de/fedora/p11-kit-f19/test9431.java
wget http://kuix.de/fedora/p11-kit-f19/testfed443.java
javac test9430.java
javac test9431.java
javac testfed443.java

Test commands that will be used later

This section lists the commands that we will use to see the current system behaviour, and that we will re-run whenever we modify the system configuration.

Test (A): Testing with OpenSSL command line tool:

openssl s_client -verify 5 -connect HOST:PORT

Test (B): Testing with GnuTLS command line tool:

gnutls-cli -p PORT HOST

Test (C): Testing with the curl command line tool:

curl --head https://HOST:PORT

Test (D): Testing with Firefox (uses NSS), open:

https://HOST:PORT

Test (E): Testing with Epiphany (uses GnuTLS), open:

https://HOST:PORT

Test (F): For Java we'll use our compiled minimal programs.

{TODO: Test application-specific trust overrides in Firefox}

Default system settings

Test that common web sites are trusted

Status: Ready to be tested

HOST: fedoraproject.org PORT: 443

Test A:

openssl s_client -verify 5 -connect fedoraproject.org:443
Verify return code: 0 (ok)

Test B:

gnutls-cli -p 443 fedoraproject.org
Status: The certificate is trusted. 

Test C:

curl --head https://fedoraproject.org:443
HTTP/1.1 200 OK

Test D:

firefox https://fedoraproject.org:443
page loads, left of URL good padlock shown, no error

Test E:

epiphany https://fedoraproject.org:443
page loads, right of URL good padlock shown, no error

Test F:

java testfed443
connection worked

Confirm that experimental site gets rejected

Status: Ready to be tested

HOST: kuix.de PORT: 9431

Test A:

openssl s_client -verify 5 -connect kuix.de:9431
Verify return code: [not zero] (certificate not trusted)

Test B:

gnutls-cli -p 9431 kuix.de
Status: The certificate is NOT trusted. The certificate issuer is unknown.

Test C:

curl --head https://test9431.kuix.de:9431
curl: (60) Peer's Certificate issuer is not recognized.

Test D:

firefox https://test9431.kuix.de:9431
error page, technical details: Error code: sec_error_untrusted_issuer

Test E:

epiphany https://test9431.kuix.de:9431
right of url bar shows open padlock with orange exclamation symbol

Test F:

java test9431
many error messages

Test with locally added CA

Status: Ready to be tested

How to add a systemwide CA

As the root user:

cp /tmp/ca.pem /etc/pki/ca-trust/source/
update-ca-trust

Confirm that experimental site is trusted now

Test A:

openssl s_client -verify 5 -connect kuix.de:9431
Verify return code: 0 (ok)

Test B:

gnutls-cli -p 9431 kuix.de
Status: The certificate is trusted. 

Test C:

curl --head https://test9431.kuix.de:9431
HTTP/1.1 200 OK

Test D:

firefox https://test9431.kuix.de:9431
page loads, left of URL good padlock shown, no error

Test E:

epiphany https://test9431.kuix.de:9431
page loads, right of URL good padlock shown, no error

Test F:

java test9431
connection worked

Test that blacklisted CAs work

Status: Only testable in applications based on NSS

TODO: In later versions of Fedora, all crypto toolkits should be enhanced to honor globally distrusted (blacklisted) CA certificates.

(1) Test CA
 |
 |\---- (2) Distrusted Test SUB CA
 |
  \---- (3) Good SUB CA

In our earlier tests, we have added (1) to the systemwide configuration.

The server at kuix.de:9431 uses a certificate that was issued by (3).

A root CA (1) might have issued a SUB CA that got compromised at a later time, and operating systems might add configuration to distrust it. The default system configuration that we use in Fedora 19 knows about (2) and actively distrusts it. Now that we have told the system to trust (1), we can verify whether the software respects the configuration and correctly distrusts (2). For this purpose, we use an additional test site at kuix.de:9430, which uses a certificate issued by (2).

Confirm that blacklisted site gets rejected

HOST: kuix.de PORT: 9430

The only correctly behaving application in this section is Firefox.

Test A:

openssl s_client -verify 5 -connect kuix.de:9430
Probably: Verify return code: 0 (ok)
Ideally (later) should be: Verify return code: [not zero] (certificate not trusted)

Test B:

gnutls-cli -p 9430 kuix.de
Probably: Status: The certificate is trusted. 
Ideally (later) should be: Status: The certificate is NOT trusted. The certificate issuer is unknown.

Test C:

curl --head https://test9430.kuix.de:9430
Probably: HTTP/1.1 200 OK
Ideally (later) should be: curl: (60) Peer's Certificate issuer is not recognized.

Test D:

firefox https://test9430.kuix.de:9430
error page, technical details: Error code: sec_error_untrusted_issuer

Test E:

epiphany https://test9430.kuix.de:9430
Probably: page loads, right of URL good padlock shown, no error
Ideally (later) should be: right of url bar shows open padlock with orange exclamation symbol

Test F:

java test9430
Probably: connection worked
Ideally (later) should be: error messages
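
The command line tests (A) to (C) can be scored mechanically. The script below is an added example, not part of the original wiki page: it classifies captured tool output using the expected lines quoted on this page and compares it with the result each section expects. The phase names (public, before-add, after-add, distrusted, after-remove) and the function names are assumptions made for this example, and the sample outputs are constructed.

```sh
#!/bin/sh
# classify TOOL OUTPUT -> trusted | untrusted | unknown
# Matches the expected-result lines this page gives for tests A, B and C.
classify() {
    case "$1:$2" in
        openssl:*"Verify return code: 0 (ok)"*)    echo trusted ;;
        openssl:*"Verify return code: "*)          echo untrusted ;;
        gnutls:*"The certificate is NOT trusted"*) echo untrusted ;;
        gnutls:*"The certificate is trusted"*)     echo trusted ;;
        curl:*"curl: (60)"*)                       echo untrusted ;;
        curl:*"HTTP/1.1 200 OK"*)                  echo trusted ;;
        *)                                         echo unknown ;;
    esac
}

# verdict PHASE TOOL OUTPUT -> PASS | FAIL | KNOWN-GAP | UNKNOWN
# KNOWN-GAP: the tool accepted the chain through the distrusted SUB CA (2),
# which the page lists as the "Probably" outcome for non-NSS tools.
verdict() {
    case "$1" in
        public|after-add)                   want=trusted ;;
        before-add|after-remove|distrusted) want=untrusted ;;
        *) echo "ERROR: unknown phase $1"; return 2 ;;
    esac
    got=$(classify "$2" "$3")
    if [ "$got" = unknown ]; then echo UNKNOWN
    elif [ "$got" = "$want" ]; then echo PASS
    elif [ "$1" = distrusted ]; then echo KNOWN-GAP
    else echo FAIL
    fi
}

# Constructed sample outputs, copied from the expected lines on this page.
# Live use: out=$(openssl s_client -verify 5 -connect HOST:PORT </dev/null 2>&1)
ok_openssl='Verify return code: 0 (ok)'
bad_gnutls='Status: The certificate is NOT trusted. The certificate issuer is unknown.'
ok_curl='HTTP/1.1 200 OK'
bad_curl="curl: (60) Peer's Certificate issuer is not recognized."

echo "before-add   curl    $(verdict before-add curl "$bad_curl")"
echo "after-add    openssl $(verdict after-add openssl "$ok_openssl")"
echo "distrusted   curl    $(verdict distrusted curl "$ok_curl")"
echo "after-remove gnutls  $(verdict after-remove gnutls "$bad_gnutls")"
```

A FAIL in the after-remove phase means a tool still trusts the removed CA; UNKNOWN usually means the connection itself failed and the test has to be repeated.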

Removing an added CA

Status: Ready to be tested

How to remove a systemwide CA that was added earlier

As the root user:

rm -f /etc/pki/ca-trust/source/ca.pem
update-ca-trust

Confirm that experimental site is no longer trusted

Status: Ready to be tested

HOST: kuix.de PORT: 9431

Test A:

openssl s_client -verify 5 -connect kuix.de:9431
Verify return code: [not zero] (certificate not trusted)

Test B:

gnutls-cli -p 9431 kuix.de
Status: The certificate is NOT trusted. The certificate issuer is unknown.

Test C:

curl --head https://test9431.kuix.de:9431
curl: (60) Peer's Certificate issuer is not recognized.

Test D:

firefox https://test9431.kuix.de:9431
error page, technical details: Error code: sec_error_untrusted_issuer

Test E:

epiphany https://test9431.kuix.de:9431
right of url bar shows open padlock with orange exclamation symbol

Test F:

java test9431
many error messages

Overriding trust of one of the built-in CAs

Status: Cannot test yet. Priorities not yet working correctly

... get the pem ... use openssl -addreject ... add to source directory ...