Features/SharedSystemCertificates:Testing

From FedoraProject

Latest revision as of 00:16, 28 March 2013

Warning: In construction. This page is being moved into QA test cases available at https://fedoraproject.org/wiki/Category:Certificate_Trust_Test_Cases. This is preparation for the Test day of this feature (Test_Day:2013-03-28_Shared_System_Certificates).

Instructions for testing the Features/SharedSystemCertificates feature of Fedora 19.


Commands used for testing system behaviour

In order to test the feature, we will modify the system, and it will change how tools behave.

Preparation

Please use a fresh Firefox profile (firefox -P) prior to each new test cycle. This makes sure that changes made to CA trust settings in earlier tests are cleaned out, and that you get exactly the behaviour described on this page.

Warning: Dangerous. Not possible to undo! This command will delete all personal keys and passwords that are stored in Firefox. Only use this command on a test user account!

As an alternative to creating a fresh profile, quit Firefox and run

rm ~/.mozilla/firefox/*/*.db
ls ~/.mozilla/firefox/*/*.db # expected: no such file or directory

Install the required tools:

sudo yum install gnutls-utils nss-tools openssl firefox epiphany java-1.7.0-openjdk-devel

Install one file that we'll use for the entire duration of our tests:

cd /etc/pki/ca-trust/source/
sudo wget http://kuix.de/fedora/p11-kit-f19/distrust-test-sub.p11-kit

Download a few files and tools that we'll use later:

cd /tmp/
wget http://kuix.de/fedora/p11-kit-f19/ca.pem
wget http://kuix.de/fedora/p11-kit-f19/testing-default-distrust.p11-kit
wget http://kuix.de/fedora/p11-kit-f19/test9430.java
wget http://kuix.de/fedora/p11-kit-f19/test9431.java
wget http://kuix.de/fedora/p11-kit-f19/testbz443.java
javac test9430.java
javac test9431.java
javac testbz443.java

Ensure you have sudo permission

Because we are configuring the default system behaviour, the user account that you will use for testing needs permission to use the sudo command. You can test using

sudo bash

If it works, good. If not, you must login to your system as the root user, edit file /etc/sudoers and add the following line. Replace the word myself with the name of your user account.

myself    ALL=(ALL) ALL

Learn how to clear the Firefox cache

Because Firefox caches (remembers) recently viewed web sites, you might sometimes get unexpected results. A web site might still be cached, and shown by Firefox, even if the root CA used by the site has been reconfigured and is no longer trusted.

To force Firefox to reload the site, it is best to clear the Firefox cache. From the Firefox menu, select Tools, Clear Recent History. Time Range: Everything. Open the details, and make sure that both Cache and Active Logins are selected. Click Clear Now and restart Firefox.

Test commands that will be used later

This section lists the commands that we will use to see the current system behaviour, and that we will re-run each time we modify the system configuration.

Test (A): Testing with OpenSSL command line tool:

openssl s_client -verify 5 -connect HOST:PORT

Test (B): Testing with GnuTLS command line tool:

gnutls-cli -p PORT HOST

Test (C): Testing with the curl command line tool:

curl --head https://HOST:PORT

Test (D): Testing with Firefox (uses NSS), open:

https://HOST:PORT

Test (E): Testing with Epiphany (uses GnuTLS), open:

https://HOST:PORT

Test (F): For Java we'll use our compiled minimal programs.
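The three command-line checks above (A, B and C) can be run together and reduced to one verdict per toolkit, which makes it easy to compare a section's expected result against what OpenSSL, GnuTLS and curl actually report. This harness is an added example, not part of the Fedora wiki page; it assumes openssl, gnutls-cli and curl from the yum install line above are installed, and the classify_* functions only parse the tools' output.

```shell
#!/bin/sh
# Added example (not from the Fedora wiki page): run tests A, B and C against
# one HOST:PORT and reduce each tool's output to trusted/untrusted/error, so
# toolkits that disagree (the "Probably" vs "Ideally" rows) stand out.

# Test A: `openssl s_client -verify 5` reports "Verify return code: 0 (ok)"
# for a trusted chain and a non-zero code otherwise.
classify_openssl() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'; then
        echo trusted
    elif printf '%s\n' "$out" | grep -q 'Verify return code:'; then
        echo untrusted
    else
        echo error      # no verification result at all (connection failure etc.)
    fi
}

# Test B: gnutls-cli prints "Status: The certificate is trusted." or
# "Status: The certificate is NOT trusted. ..." -- check NOT first, because
# the negative line also contains the word "trusted".
classify_gnutls() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'Status: The certificate is NOT trusted'; then
        echo untrusted
    elif printf '%s\n' "$out" | grep -q 'Status: The certificate is trusted'; then
        echo trusted
    else
        echo error
    fi
}

# Test C: curl --head prints an HTTP status line on success and
# "curl: (60) ..." on stderr when the issuer is not trusted; the caller
# merges stderr into stdout before piping here.
classify_curl() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q '^curl: (60)'; then
        echo untrusted
    elif printf '%s\n' "$out" | grep -q '^HTTP/'; then
        echo trusted
    else
        echo error
    fi
}

# report TOOL VERDICT EXPECTED: print one PASS/FAIL line, return 0 on PASS.
report() {
    if [ "$2" = "$3" ]; then
        printf 'PASS %-8s %s\n' "$1" "$2"
    else
        printf 'FAIL %-8s got %s, expected %s\n' "$1" "$2" "$3"
        return 1
    fi
}

# run_tests HOST PORT EXPECTED   (EXPECTED is "trusted" or "untrusted")
# Redirecting stdin from /dev/null makes openssl and gnutls-cli return right
# after the handshake, so no CTRL-C is needed. Exit status is non-zero if
# any toolkit disagrees with EXPECTED.
run_tests() {
    host=$1; port=$2; expected=$3; rc=0
    v=$(openssl s_client -verify 5 -connect "$host:$port" </dev/null 2>&1 | classify_openssl)
    report openssl "$v" "$expected" || rc=1
    v=$(gnutls-cli -p "$port" "$host" </dev/null 2>&1 | classify_gnutls)
    report gnutls "$v" "$expected" || rc=1
    v=$(curl --head "https://$host:$port" 2>&1 | classify_curl)
    report curl "$v" "$expected" || rc=1
    return $rc
}

# Usage, matching the section "Confirm that experimental site gets rejected":
#   sh trustcheck.sh test9431.kuix.de 9431 untrusted
if [ $# -ge 3 ]; then
    run_tests "$1" "$2" "$3"
fi
```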

Default system settings

Test that a regular web site is trusted

Status: Ready to be tested

HOST: bugzilla.redhat.com PORT: 443

Test A:

openssl s_client -verify 5 -connect bugzilla.redhat.com:443
Verify return code: 0 (ok)
(press CTRL-C to exit)

Test B:

gnutls-cli -p 443 bugzilla.redhat.com
Status: The certificate is trusted. 
(press CTRL-C to exit)

Test C:

curl --head https://bugzilla.redhat.com:443
HTTP/1.1 200 OK

Test D:

firefox https://bugzilla.redhat.com:443
page loads, left of URL good padlock shown, no error

Test E:

epiphany https://bugzilla.redhat.com:443
page loads, right of URL good padlock shown, no error

Test F:

java testbz443
connection worked

Confirm that experimental site gets rejected

Status: Ready to be tested

HOST: test9431.kuix.de PORT: 9431

Test A:

openssl s_client -verify 5 -connect test9431.kuix.de:9431
Verify return code: [not zero] (certificate not trusted)
(press CTRL-C to exit)

Test B:

gnutls-cli -p 9431 test9431.kuix.de
Status: The certificate is NOT trusted. The certificate issuer is unknown.
(press CTRL-C to exit)

Test C:

curl --head https://test9431.kuix.de:9431
curl: (60) Peer's Certificate issuer is not recognized.

Test D:

firefox https://test9431.kuix.de:9431
error page, technical details: Error code: sec_error_untrusted_issuer

Test E:

epiphany https://test9431.kuix.de:9431
right of url bar shows open padlock with orange exclamation symbol

Test F:

java test9431
many error messages

Test with locally added CA

Status: Ready to be tested

How to add a systemwide CA

sudo cp /tmp/ca.pem /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust

Confirm that experimental site is trusted now

Test A:

openssl s_client -verify 5 -connect test9431.kuix.de:9431
Verify return code: 0 (ok)
(press CTRL-C to exit)

Test B:

gnutls-cli -p 9431 test9431.kuix.de
Status: The certificate is trusted. 
(press CTRL-C to exit)

Test C:

curl --head https://test9431.kuix.de:9431
HTTP/1.1 200 OK

Test D:

firefox https://test9431.kuix.de:9431
page loads, left of URL good padlock shown, no error

Test E:

epiphany https://test9431.kuix.de:9431
page loads, right of URL good padlock shown, no error

Test F:

java test9431
connection worked

Test that blacklisted CAs work

Status: Only testable in applications based on NSS

TODO: In later versions of Fedora, all crypto toolkits should be enhanced to honor globally distrusted (blacklisted) CA certificates.

(1) Test CA
 |
 |\---- (2) Distrusted Test SUB CA
 |
  \---- (3) Good SUB CA

In our earlier tests, we have added (1) to the systemwide configuration.

The server at test9431.kuix.de:9431 uses a certificate that was issued by (3).

A root CA (1) might have issued a SUB CA that got compromised at a later time, and operating systems might add configuration to distrust it. The default system configuration that we use in Fedora 19 knows about (2) and actively distrusts it. Now that we have told the system to trust (1), we can verify if the software respects the configuration to correctly distrust (2). For this purpose, we use an additional test site at test9430.kuix.de:9430, which uses a certificate issued by (2).

Confirm that blacklisted site gets rejected

HOST: test9430.kuix.de PORT: 9430

The only application passing this test correctly is Firefox. Fixing other applications and crypto toolkits to pass this test is outside the scope of this Fedora feature.

Test A:

openssl s_client -verify 5 -connect test9430.kuix.de:9430
Probably: Verify return code: 0 (ok)
Ideally (later) should be: Verify return code: [not zero] (certificate not trusted)
(press CTRL-C to exit)

Test B:

gnutls-cli -p 9430 test9430.kuix.de
Probably: Status: The certificate is trusted. 
Ideally (later) should be: Status: The certificate is NOT trusted. The certificate issuer is unknown.
(press CTRL-C to exit)

Test C:

curl --head https://test9430.kuix.de:9430
Probably: HTTP/1.1 200 OK
Ideally (later) should be: curl: (60) Peer's Certificate issuer is not recognized.

Test D:

firefox https://test9430.kuix.de:9430
error page, technical details: Error code: sec_error_untrusted_issuer

Test E:

epiphany https://test9430.kuix.de:9430
Probably: page loads, right of URL good padlock shown, no error
Ideally (later) should be: right of url bar shows open padlock with orange exclamation symbol

Test F:

java test9430
Probably: connection worked
Ideally (later) should be: error messages

Removing an added CA

Status: Ready to be tested

How to remove a systemwide CA that was added earlier

sudo rm -f /etc/pki/ca-trust/source/anchors/ca.pem
sudo update-ca-trust

Confirm that experimental site is no longer trusted

Status: Ready to be tested

HOST: test9431.kuix.de PORT: 9431

Test A:

openssl s_client -verify 5 -connect test9431.kuix.de:9431
Verify return code: [not zero] (certificate not trusted)
(press CTRL-C to exit)

Test B:

gnutls-cli -p 9431 test9431.kuix.de
Status: The certificate is NOT trusted. The certificate issuer is unknown.
(press CTRL-C to exit)

Test C:

curl --head https://test9431.kuix.de:9431
curl: (60) Peer's Certificate issuer is not recognized.

Test D:

firefox https://test9431.kuix.de:9431
error page, technical details: Error code: sec_error_untrusted_issuer

Test E:

epiphany https://test9431.kuix.de:9431
right of url bar shows open padlock with orange exclamation symbol

Test F:

java test9431
many error messages

Overriding trust of one of the built-in CAs

Status: Ready for testing

We will override the trust of one of the default CAs, and change it to not trusted.

How to distrust a systemwide CA

This requires a specially prepared file, which lists the serial number and the issuer name of the distrusted certificate in a special format. We'll use one that has been prepared already.

sudo cp /tmp/testing-default-distrust.p11-kit /etc/pki/ca-trust/source/
sudo update-ca-trust

Confirm that regular site is no longer trusted

HOST: bugzilla.redhat.com PORT: 443

The only application passing this test correctly is Firefox. Fixing other applications and crypto toolkits to pass this test is outside the scope of this Fedora feature.

Test A:

openssl s_client -verify 5 -connect bugzilla.redhat.com:443
Probably: Verify return code: 0 (ok)
Ideally (later) should be: Verify return code: [not zero] (certificate not trusted)
(press CTRL-C to exit)

Test B:

gnutls-cli -p 443 bugzilla.redhat.com
Probably: Status: The certificate is trusted. 
Ideally (later) should be: Status: The certificate is NOT trusted. The certificate issuer is unknown.
(press CTRL-C to exit)

Test C:

curl --head https://bugzilla.redhat.com:443
Probably: HTTP/1.1 200 OK
Ideally (later) should be: curl: (60) Peer's Certificate issuer is not recognized.

Test D:

firefox https://bugzilla.redhat.com:443
error page, technical details: Error code: sec_error_untrusted_issuer

Test E:

epiphany https://bugzilla.redhat.com:443
Probably: page loads, right of URL good padlock shown, no error
Ideally (later) should be: right of url bar shows open padlock with orange exclamation symbol

Test F:

java testbz443
Probably: connection worked
Ideally (later) should be: error messages

Undo the distrust of a systemwide CA

We remove the distrust (both commands need root, as in the earlier sections):

sudo rm -f /etc/pki/ca-trust/source/testing-default-distrust.p11-kit
sudo update-ca-trust

Now you should repeat (at least) the Firefox test and get the results as described in section "Test that a regular web site is trusted".

Verify editing CA trust in Firefox still works as expected

Firefox allows the user to edit and override the default trust of the CAs included with Firefox. The new Fedora feature replaces the component that contains the Firefox default trust (same default contents, different technology). We must make sure that the old functionality still works.

Part 1

  • open firefox
  • erase firefox location bar, copy and paste this address and hit enter: https://mobile2025.cybertrust.ne.jp/
  • expected: page loads, padlock
  • use the firefox menu: edit/preferences, advanced/encryption/view certificates
  • click the authorities tab
  • scroll down to the "Baltimore" heading
  • click the "Baltimore CyberTrust Root" line
  • click the "edit trust" button
  • uncheck (deactivate) the checkbox in front of "this certificate can identify websites"
  • OK
  • close certificate manager window (you may keep the preferences window open)
  • switch to the firefox window, which still shows the web page
  • clear the firefox cache (see instructions, in short: tools/clear recent history/everything, ok)
  • use a forced reload: hold the shift key on your keyboard and click the round arrow in the firefox url bar
  • expected: error page, technical details: sec_error_untrusted_issuer

Part 2:

  • quit firefox
  • start firefox
  • go to https://mobile2025.cybertrust.ne.jp/
  • expected: still error page
  • shift reload
  • expected: still error page

Part 3

  • go to preferences, open certificate manager
  • scroll to baltimore, click the "Baltimore CyberTrust Root" line
  • click the "edit trust" button, check (activate) "can identify websites"
  • OK, close cert manager
  • back to the firefox browser window, reload
  • expected: page loads again