From Fedora Project Wiki

Revision as of 20:57, 11 March 2013

Instructions for testing the Features/SharedSystemCertificates feature of Fedora 19.

Commands used for testing system behaviour

In order to test the feature, we will modify the system, and it will change how tools behave.

Preparation

Install the required tools

yum install gnutls-utils nss-tools openssl firefox epiphany

Download a file that we'll use later:

cd /tmp/
wget http://kuix.de/fedora/p11-kit-f19/ca.pem

Test commands that will be used later

This section lists the commands that we will use to see the current system behaviour, and that we will re-run each time we modify the system configuration.

Test (A): Testing with OpenSSL command line tool:

openssl s_client -verify 5 -connect HOST:PORT

Test (B): Testing with GnuTLS command line tool:

gnutls-cli -p PORT HOST

Test (C): Testing with the curl command line tool:

curl --head https://HOST:PORT

Test (D): Testing with Firefox (uses NSS), open:

https://HOST:PORT

Test (E): Testing with Epiphany (uses GnuTLS), open:

https://HOST:PORT

Default environment

Test that common web sites are trusted

HOST: fedoraproject.org
PORT: 443

Test A:

openssl s_client -verify 5 -connect fedoraproject.org:443
Verify return code: 0 (ok)

Test B:

gnutls-cli -p 443 fedoraproject.org
Status: The certificate is trusted. 

Test C:

curl --head https://fedoraproject.org:443
HTTP/1.1 200 OK

Test D:

firefox https://fedoraproject.org:443
page loads, left of URL good padlock shown, no error

Test E:

epiphany https://fedoraproject.org:443
page loads, right of URL good padlock shown, no error


Confirm that experimental site gets rejected

Test A:

openssl s_client -verify 5 -connect kuix.de:9431
Verify return code: [not zero] (certificate not trusted)

Test B:

gnutls-cli -p 9431 kuix.de
Status: The certificate is NOT trusted. The certificate issuer is unknown.

Test C:

curl --head https://kuix.de:9431
curl: (60) Peer's Certificate issuer is not recognized.

Test D:

firefox https://kuix.de:9431
error page, technical details: Error code: sec_error_untrusted_issuer

Test E:

epiphany https://kuix.de:9431
right of URL bar shows an open padlock with an orange exclamation symbol


Test with locally added CA

How to add a systemwide CA

Status: Ready to be tested

Confirm that experimental site is trusted

Test A:

openssl s_client -verify 5 -connect kuix.de:9431
Verify return code: 0 (ok)

Test B:

gnutls-cli -p 9431 kuix.de
Status: The certificate is trusted. 

Test C:

curl --head https://kuix.de:9431
HTTP/1.1 200 OK

Test D:

firefox https://kuix.de:9431
page loads, left of URL good padlock shown, no error

Test E:

epiphany https://kuix.de:9431
page loads, right of URL good padlock shown, no error


Test that adding a new root CA certificate works.

Test that blacklisted CAs work

Status: Only works in applications based on NSS.


Removing an added CA

Status: Ready to be tested

Advanced testing

Overriding trust of one of the built-in CAs

Status: Cannot test yet. Priorities are not yet implemented.

... get the pem ... use openssl -addreject ... add to source directory ...
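The test plan above depends on live hosts and on a root shell to change the system trust store. The script below is an added example (not from the wiki page or the Fedora project) that reproduces the same three outcomes offline with the openssl command line tool only: a server certificate is rejected while its CA is unknown, accepted once the CA is in the trust bundle being used, and rejected again when that CA carries a serverAuth reject attribute, which is what the "openssl -addreject" step in "Advanced testing" is about. The CA name "Example Test CA" and the server name "test.example" are constructed, a scratch directory stands in for the system store, and it assumes OpenSSL 1.1.1 or newer. The Fedora-specific installation path and command mentioned in a comment come from the ca-certificates package, not from this page, and are not executed.

```shell
#!/bin/sh
# Added example, not part of the Fedora wiki page. Builds a throw-away CA and
# one server certificate, then verifies that certificate against three trust
# stores: empty, containing the CA, and containing a "blacklisted" CA.
set -u

# Build the throw-away PKI in directory $1 (names are constructed).
make_test_pki() {
    mkdir -p "$1" || return 1
    # Private config so the example does not depend on the host's openssl.cnf.
    # The DN section is required by "openssl req"; -subj overrides it below.
    cat > "$1/test.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # Root CA, with CA:TRUE and keyCertSign set explicitly so every OpenSSL
    # version accepts it as an issuer.
    openssl req -x509 -config "$1/test.cnf" -extensions v3_ca \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -sha256 \
        -days 2 -subj "/CN=Example Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" >/dev/null 2>&1 || return 1
    # Server certificate issued by that CA (stands in for the kuix.de test server).
    openssl req -new -config "$1/test.cnf" \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -sha256 \
        -subj "/CN=test.example" \
        -keyout "$1/server.key" -out "$1/server.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -sha256 -out "$1/server.pem" >/dev/null 2>&1 || return 1
    # "Blacklisted" copy of the same CA: an OpenSSL trust attribute marks it as
    # rejected for the serverAuth purpose, so TLS-server chains ending at it fail.
    openssl x509 -in "$1/ca.pem" -addreject serverAuth \
        -out "$1/ca-rejected.pem" >/dev/null 2>&1
}

# Verify certificate $2 as a TLS server certificate against trust bundle $1
# only (the default system store is disabled). Returns openssl's exit status.
# -verify_name ssl_server selects both the purpose and the trust model, which
# is what makes the serverAuth reject attribute take effect.
verify_with_bundle() {
    openssl verify -no-CAfile -no-CApath -verify_name ssl_server \
        -CAfile "$1" "$2" >/dev/null 2>&1
}

# Same verification with an empty trust store: the state before the CA has
# been added (the page's "experimental site gets rejected" section).
verify_with_empty_store() {
    openssl verify -no-CAfile -no-CApath -verify_name ssl_server "$1" >/dev/null 2>&1
}

# Run a verification command and print the wording the page uses for results.
report() {
    if "$@"; then echo "trusted"; else echo "NOT trusted"; fi
}

# Walk through the three states of the test plan in a scratch directory.
run_scenario() {
    d=$(mktemp -d) || return 1
    if ! make_test_pki "$d"; then
        echo "PKI setup failed (is openssl 1.1.1+ installed?)"; rm -rf "$d"; return 1
    fi
    echo "1. CA not in store:    $(report verify_with_empty_store "$d/server.pem")"
    echo "2. CA added to store:  $(report verify_with_bundle "$d/ca.pem" "$d/server.pem")"
    echo "3. CA blacklisted:     $(report verify_with_bundle "$d/ca-rejected.pem" "$d/server.pem")"
    # The system-wide equivalent of state 2 on Fedora is to copy ca.pem into
    # /etc/pki/ca-trust/source/anchors/ and run update-ca-trust (path and
    # command from Fedora's ca-certificates package, not from this page; not
    # executed here because it needs root and changes the host's trust store).
    rm -rf "$d"
}

run_scenario
```

Expected output is "NOT trusted", "trusted", "NOT trusted" for the three states. Because every check uses an explicit bundle with the default store disabled, the script never touches the host's configuration, which is exactly the property the test plan has to give up when it runs against the real system.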