(Created page with "Instructions for testing the Features/SharedSystemCertificates feature of Fedora 19. =Commands used for testing system behaviour= In order to test the feature, we will mo...") |
No edit summary |
||
Line 12: | Line 12: | ||
wget http://kuix.de/fedora/p11-kit-f19/ca.pem | wget http://kuix.de/fedora/p11-kit-f19/ca.pem | ||
==Test commands== | ==Test commands that will be used later== | ||
This section lists the commands that we will use to see the current system behaviour, and that we will re-run times whenever we modify the system configuration. | This section lists the commands that we will use to see the current system behaviour, and that we will re-run times whenever we modify the system configuration. | ||
Testing with OpenSSL command line tool: | Test (A): Testing with OpenSSL command line tool: | ||
openssl s_client -verify 5 -connect HOST:PORT | |||
Test (B): Testing with GnuTLS command line tool: | |||
gnutls-cli -p PORT HOST | |||
Test (C): Testing curl curl command line tool: | |||
curl --head https://HOST:PORT | |||
Test (D): Testing with Firefox (uses NSS), open: | |||
https://HOST:PORT | |||
Test (E): Testing with Epiphany (uses GnuTLS), open: | |||
https://HOST:PORT | |||
=Default envionment | |||
==Test that common web sites are trusted== | |||
HOST: fedoraproject.org | |||
PORT: 443 | |||
Test A: | |||
openssl s_client -verify 5 -connect fedoraproject.org:443 | |||
Verify return code: 0 (ok) | |||
Test B: | |||
gnutls-cli -p 443 fedoraproject.org | |||
Status: The certificate is trusted. | |||
Test C: | |||
curl --head https://fedoraproject.org:443 | |||
HTTP/1.1 200 OK | |||
Test D: | |||
firefox https://fedoraproject.org:443 | |||
page loads, left of URL good padlock shown, no error | |||
Test E: | |||
epiphany https://fedoraproject.org:443 | |||
page loads, right of URL good padlock shown, no error | |||
==Confirm that experimental site gets rejected== | |||
Test A: | |||
openssl s_client -verify 5 -connect kuix.de:9431 | openssl s_client -verify 5 -connect kuix.de:9431 | ||
Verify return code: [not zero] (certificate not trusted) | |||
Test B: | |||
gnutls-cli -p 9431 kuix.de | gnutls-cli -p 9431 kuix.de | ||
Status: The certificate is NOT trusted. The certificate issuer is unknown. | |||
Test C: | |||
https://kuix.de:9431 | curl --head https://kuix.de:9431 | ||
curl: (60) Peer's Certificate issuer is not recognized. | |||
Test D: | |||
https://kuix.de:9431 | firefox https://kuix.de:9431 | ||
error page, technical details: Error code: sec_error_untrusted_issuer | |||
Test E: | |||
epiphany https://kuix.de:9431 | |||
right of url bar shows open padlock with orange exclamation symbol | |||
=Test with locally added CA= | |||
==How to add a systemwide CA== | |||
Status: Ready to be tested | Status: Ready to be tested | ||
==Confirm that experimental site is trusted== | |||
Test A: | |||
openssl s_client -verify 5 -connect kuix.de:9431 | |||
Verify return code: 0 (ok) | |||
Test B: | |||
gnutls-cli -p 9431 kuix.de | |||
Status: The certificate is trusted. | |||
Test C: | |||
curl --head https://kuix.de:9431 | |||
HTTP/1.1 200 OK | |||
Test D: | |||
firefox https://kuix.de:9431 | |||
page loads, left of URL good padlock shown, no error | |||
Test E: | |||
epiphany https://kuix.de:9431 | |||
page loads, right of URL good padlock shown, no error | |||
Test that adding a new root CA certificate works. | Test that adding a new root CA certificate works. |
Revision as of 20:57, 11 March 2013
Instructions for testing the Features/SharedSystemCertificates feature of Fedora 19.
Commands used for testing system behaviour
In order to test the feature, we will modify the system, and it will change how tools behave.
Preparation
Install the required tools
yum install gnutls-utils nss-tools openssl firefox epiphany
Download a file that we'll use later:
cd /tmp/ wget http://kuix.de/fedora/p11-kit-f19/ca.pem
Test commands that will be used later
This section lists the commands that we will use to see the current system behaviour, and that we will re-run times whenever we modify the system configuration.
Test (A): Testing with OpenSSL command line tool:
openssl s_client -verify 5 -connect HOST:PORT
Test (B): Testing with GnuTLS command line tool:
gnutls-cli -p PORT HOST
Test (C): Testing curl curl command line tool:
curl --head https://HOST:PORT
Test (D): Testing with Firefox (uses NSS), open:
https://HOST:PORT
Test (E): Testing with Epiphany (uses GnuTLS), open:
https://HOST:PORT
=Default envionment
Test that common web sites are trusted
HOST: fedoraproject.org PORT: 443
Test A:
openssl s_client -verify 5 -connect fedoraproject.org:443 Verify return code: 0 (ok)
Test B:
gnutls-cli -p 443 fedoraproject.org Status: The certificate is trusted.
Test C:
curl --head https://fedoraproject.org:443 HTTP/1.1 200 OK
Test D:
firefox https://fedoraproject.org:443 page loads, left of URL good padlock shown, no error
Test E:
epiphany https://fedoraproject.org:443 page loads, right of URL good padlock shown, no error
Confirm that experimental site gets rejected
Test A:
openssl s_client -verify 5 -connect kuix.de:9431 Verify return code: [not zero] (certificate not trusted)
Test B:
gnutls-cli -p 9431 kuix.de Status: The certificate is NOT trusted. The certificate issuer is unknown.
Test C:
curl --head https://kuix.de:9431 curl: (60) Peer's Certificate issuer is not recognized.
Test D:
firefox https://kuix.de:9431 error page, technical details: Error code: sec_error_untrusted_issuer
Test E:
epiphany https://kuix.de:9431 right of url bar shows open padlock with orange exclamation symbol
Test with locally added CA
How to add a systemwide CA
Status: Ready to be tested
Confirm that experimental site is trusted
Test A:
openssl s_client -verify 5 -connect kuix.de:9431 Verify return code: 0 (ok)
Test B:
gnutls-cli -p 9431 kuix.de Status: The certificate is trusted.
Test C:
curl --head https://kuix.de:9431 HTTP/1.1 200 OK
Test D:
firefox https://kuix.de:9431 page loads, left of URL good padlock shown, no error
Test E:
epiphany https://kuix.de:9431 page loads, right of URL good padlock shown, no error
Test that adding a new root CA certificate works.
Test that blacklisted CAs work
Status: Only works in applications based on NSS.
Removing an added CA
Status: Ready to be tested
Advanced testing
Overriding trust of one of the built-in CAs
Status: Cannot test yet. Priorities not yet implemented
... get the pem ... use openssl -addreject ... add to source directory ...