Revision as of 21:16, 11 March 2013
Instructions for testing the Features/SharedSystemCertificates feature of Fedora 19.
Commands used for testing system behaviour
In order to test the feature, we will modify the system, and it will change how tools behave.
Preparation
Install the required tools
yum install gnutls-utils nss-tools openssl firefox epiphany
Download a file that we'll use later:
cd /tmp/
wget http://kuix.de/fedora/p11-kit-f19/ca.pem
Test commands that will be used later
This section lists the commands that we will use to see the current system behaviour, and that we will re-run whenever we modify the system configuration.
Test (A): Testing with OpenSSL command line tool:
openssl s_client -verify 5 -connect HOST:PORT
Test (B): Testing with GnuTLS command line tool:
gnutls-cli -p PORT HOST
Test (C): Testing with curl command line tool:
curl --head https://HOST:PORT
Test (D): Testing with Firefox (uses NSS), open:
https://HOST:PORT
Test (E): Testing with Epiphany (uses GnuTLS), open:
https://HOST:PORT
Default system settings
Test that common web sites are trusted
Status: Ready to be tested
HOST: fedoraproject.org
PORT: 443
Test A:
openssl s_client -verify 5 -connect fedoraproject.org:443
Verify return code: 0 (ok)
Test B:
gnutls-cli -p 443 fedoraproject.org
Status: The certificate is trusted.
Test C:
curl --head https://fedoraproject.org:443
HTTP/1.1 200 OK
Test D:
firefox https://fedoraproject.org:443
page loads, left of URL good padlock shown, no error
Test E:
epiphany https://fedoraproject.org:443
page loads, right of URL good padlock shown, no error
Confirm that experimental site gets rejected
Status: Ready to be tested
HOST: kuix.de
PORT: 9431
Test A:
openssl s_client -verify 5 -connect kuix.de:9431
Verify return code: [not zero] (certificate not trusted)
Test B:
gnutls-cli -p 9431 kuix.de
Status: The certificate is NOT trusted. The certificate issuer is unknown.
Test C:
curl --head https://kuix.de:9431
curl: (60) Peer's Certificate issuer is not recognized.
Test D:
firefox https://kuix.de:9431
error page, technical details: Error code: sec_error_untrusted_issuer
Test E:
epiphany https://kuix.de:9431
right of url bar shows open padlock with orange exclamation symbol
Test with locally added CA
Status: Ready to be tested
How to add a systemwide CA
As the root user:
cp /tmp/ca.pem /etc/pki/ca-trust/source/
update-ca-trust
Confirm that experimental site is trusted now
Test A:
openssl s_client -verify 5 -connect kuix.de:9431
Verify return code: 0 (ok)
Test B:
gnutls-cli -p 9431 kuix.de
Status: The certificate is trusted.
Test C:
curl --head https://kuix.de:9431
HTTP/1.1 200 OK
Test D:
firefox https://kuix.de:9431
page loads, left of URL good padlock shown, no error
Test E:
epiphany https://kuix.de:9431
page loads, right of URL good padlock shown, no error
Test that blacklisted CAs work
Status: Only testable in applications based on NSS
TODO: In later versions of Fedora, all crypto toolkits should be enhanced to honor globally distrusted (blacklisted) CA certificates.
(1) Test CA
 |
 \
 |\---- (2) Distrusted Test SUB CA
 |
 |
 \-----(3) Good SUB CA
In our earlier tests, we have added (1) to the systemwide configuration.
The server at kuix.de:9431 uses a certificate that was issued by (3).
Sometimes a root CA like (1) issues a SUB CA that got compromised, and the system configuration might distrust it. The default system configuration that we use in Fedora 19 knows about (2) and actively distrusts it. Now that we have told the system to trust (1), we can verify if the software respects the configuration to correctly distrust (2). For this purpose, we use an additional test site at kuix.de:9430, which uses a certificate issued by (2).
Confirm that blacklisted site gets rejected
HOST: kuix.de
PORT: 9430
The only correctly behaving application in this section is Firefox.
Test A:
openssl s_client -verify 5 -connect kuix.de:9430
Probably: Verify return code: 0 (ok)
Ideally (later) should be: Verify return code: [not zero] (certificate not trusted)
Test B:
gnutls-cli -p 9430 kuix.de
Probably: Status: The certificate is trusted.
Ideally (later) should be: Status: The certificate is NOT trusted. The certificate issuer is unknown.
Test C:
curl --head https://kuix.de:9430
Probably: HTTP/1.1 200 OK
Ideally (later) should be: curl: (60) Peer's Certificate issuer is not recognized.
Test D:
firefox https://kuix.de:9430
error page, technical details: Error code: sec_error_untrusted_issuer
Test E:
epiphany https://kuix.de:9430
Probably:
Ideally (later) should be: right of url bar shows open padlock with orange exclamation symbol
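Tests A to C can be scripted so that each stage (default settings, added CA, blacklisted SUB CA) is compared against the verdict expected on this page. The following is an added example, not part of the original test plan; the function names classify and run_stage and the SAMPLE_ variables are hypothetical, and the sample outputs are constructed from the status lines quoted above.

```shell
#!/bin/sh
# Added example: classify the output of Tests A-C by the status strings
# this page expects. Names below are illustrative, not from the feature.

# Constructed sample outputs, for checking the classifier offline.
SAMPLE_OPENSSL_OK='    Verify return code: 0 (ok)'
SAMPLE_GNUTLS_BAD='- Status: The certificate is NOT trusted. The certificate issuer is unknown.'
SAMPLE_CURL_BAD="curl: (60) Peer's Certificate issuer is not recognized."

# classify TOOL OUTPUT -> prints trusted | rejected | unknown
classify() {
    case "$1" in
        openssl)
            # s_client may complete the handshake even when verification
            # fails, so read the "Verify return code" line, not the exit status.
            case "$2" in
                *"Verify return code: 0 (ok)"*) echo trusted ;;
                *"Verify return code: "*)       echo rejected ;;
                *)                              echo unknown ;;
            esac ;;
        gnutls)
            case "$2" in
                *"The certificate is NOT trusted"*) echo rejected ;;
                *"The certificate is trusted"*)     echo trusted ;;
                *)                                  echo unknown ;;
            esac ;;
        curl)
            case "$2" in
                *"curl: (60)"*) echo rejected ;;
                *"HTTP/"*)      echo trusted ;;
                *)              echo unknown ;;
            esac ;;
        *) echo unknown ;;
    esac
}

# run_stage HOST PORT EXPECTED -> exit status is the number of mismatching tools
run_stage() {
    host=$1 port=$2 expected=$3 mismatches=0
    for tool in openssl gnutls curl; do
        case "$tool" in
            openssl) out=$(openssl s_client -verify 5 -connect "$host:$port" </dev/null 2>&1) || true ;;
            gnutls)  out=$(gnutls-cli -p "$port" "$host" </dev/null 2>&1) || true ;;
            curl)    out=$(curl --head "https://$host:$port" 2>&1) || true ;;
        esac
        verdict=$(classify "$tool" "$out")
        printf '%-8s %s:%s %s (expected %s)\n' "$tool" "$host" "$port" "$verdict" "$expected"
        [ "$verdict" = "$expected" ] || mismatches=$((mismatches + 1))
    done
    return "$mismatches"
}
```

Call it as, for instance, run_stage kuix.de 9431 rejected before adding the CA and run_stage kuix.de 9431 trusted afterwards. For kuix.de:9430 with EXPECTED set to rejected, mismatches from these three tools are the "Probably" outcome listed above, since only NSS-based applications honor the blacklist.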
Removing an added CA
Status: Ready to be tested
Overriding trust of one of the built-in CAs
Status: Cannot test yet. Priorities not yet implemented
... get the pem ... use openssl -addreject ... add to source directory ...