From Fedora Project Wiki

Description

This test verifies that an untrusted certificate without an anchor in the system certificate anchor list is rejected as expected.

Setup

  1. Make sure to complete the prerequisites before starting this test.
  2. This test case connects to test9431.kuix.de on port 9431.

How to test

  1. Verify that openssl rejects untrusted certificates:
    $ openssl s_client -verify 5 -connect test9431.kuix.de:9431
    You should see: Verify return code: 27 (certificate not trusted)
  2. Check that gnutls rejects untrusted certificates:
    $ gnutls-cli -p 9431 test9431.kuix.de
    You should see: Status: The certificate is NOT trusted. The certificate issuer is unknown.
  3. Check that curl rejects untrusted certificates:
    $ curl --head https://test9431.kuix.de:9431
    You should see: curl: (60) Peer's Certificate issuer is not recognized.
  4. Firefox should reject untrusted certificates:
    $ firefox https://test9431.kuix.de:9431
    The page should not load.
    There should be an error page stating: "This Connection is Untrusted".
    Click on the Technical Details to see: "Error code: sec_error_unknown_issuer"
    There should be no padlock icon.
    Messages on the console from firefox are probably unrelated to this test, unless they say "p11-kit".
  5. Epiphany should reject untrusted certificates:
    $ epiphany https://test9431.kuix.de:9431
    The right side of the URL bar should show an unlocked icon with an exclamation mark.
    Clicking on the padlock should show a window which says "The identity of this website has not been verified"
    Messages on the console from firefox are probably unrelated to this test, unless they say "p11-kit".
  6. Java should reject untrusted certificates:
    $ java -classpath ~/certificate-trust-test-cases TestCertTrust https://test9431.kuix.de:9431/
    This uses the java test program that you compiled in the prerequisites.
    The output should say: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
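
Steps 1 to 3 can be scripted. The following is an added example, not part of the Fedora test case: it runs the openssl, gnutls-cli and curl commands above and checks each output for the rejection text this page lists. The function names (marker, judge, run_tool, run_all) and the --live switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the wiki page): automates steps 1-3 of this test.
HOST=test9431.kuix.de
PORT=9431

# marker TOOL: prints the rejection text this page expects from TOOL.
# Only the stable prefix is matched, since the trailing wording can vary.
marker() {
    case "$1" in
        openssl) echo 'Verify return code: 27' ;;
        gnutls)  echo 'The certificate is NOT trusted' ;;
        curl)    echo 'curl: (60)' ;;
        *)       return 2 ;;
    esac
}

# judge TOOL OUTPUT: prints PASS if OUTPUT contains the marker, else FAIL.
# grep -F matches literally, so the parentheses in "curl: (60)" are not a regex.
judge() {
    want=$(marker "$1") || { echo UNKNOWN; return 2; }
    if printf '%s\n' "$2" | grep -qF -- "$want"; then
        echo PASS
    else
        echo FAIL; return 1
    fi
}

# run_tool TOOL: the page's command, with stdin from /dev/null so that
# s_client and gnutls-cli see EOF and exit instead of waiting for input.
run_tool() {
    case "$1" in
        openssl) openssl s_client -verify 5 -connect "$HOST:$PORT" </dev/null 2>&1 ;;
        gnutls)  gnutls-cli -p "$PORT" "$HOST" </dev/null 2>&1 ;;
        curl)    curl --head "https://$HOST:$PORT" 2>&1 ;;
    esac
}

# run_all: exits non-zero if any tool did not reject the certificate.
run_all() {
    rc=0
    for tool in openssl gnutls curl; do
        out=$(run_tool "$tool") || true   # a failed handshake is the expected case
        verdict=$(judge "$tool" "$out") || rc=1
        printf '%-8s %s\n' "$tool" "$verdict"
    done
    return "$rc"
}

if [ "${1:-}" = "--live" ]; then run_all; fi
```

Run it with --live on the machine under test; without that argument it only defines the functions.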

Expected Results

While executing each of the above commands, check that the output matches what's noted for each command.

None of the above commands, with the exception of epiphany, should load the target page in question.



Troubleshooting

  • No notes at this time