Instructions for testing the Features/SharedSystemCertificates feature of Fedora 19.
Commands used for testing system behaviour
In order to test the feature, we will modify the system, and it will change how tools behave.
Preparation
Please use a fresh Firefox profile (firefox -P) prior to each new test cycle. This is to make sure that changes made to CA trust settings in earlier tests are cleaned up, and that you get the exact behaviour described on this page. As an alternative to creating a fresh profile, quit Firefox and run:
rm ~/.mozilla/firefox/*/*.db
ls ~/.mozilla/firefox/*/*.db # expected: no such file or directory
Install the required tools
yum install gnutls-utils nss-tools openssl firefox epiphany java-1.7.0-openjdk-devel
Install one file that we'll use for the entire time during our tests:
cd /etc/pki/ca-trust/source/
sudo wget http://kuix.de/fedora/p11-kit-f19/distrust-test-sub.p11-kit
Download a few files and tools that we'll use later:
cd /tmp/
wget http://kuix.de/fedora/p11-kit-f19/ca.pem
wget http://kuix.de/fedora/p11-kit-f19/testing-default-distrust.p11-kit
wget http://kuix.de/fedora/p11-kit-f19/test9430.java
wget http://kuix.de/fedora/p11-kit-f19/test9431.java
wget http://kuix.de/fedora/p11-kit-f19/testbz443.java
javac test9430.java
javac test9431.java
javac testbz443.java
Test commands that will be used later
This section lists the commands that we will use to see the current system behaviour, and that we will re-run whenever we modify the system configuration.
Test (A): Testing with OpenSSL command line tool:
openssl s_client -verify 5 -connect HOST:PORT
Test (B): Testing with GnuTLS command line tool:
gnutls-cli -p PORT HOST
Test (C): Testing with the curl command line tool:
curl --head https://HOST:PORT
Test (D): Testing with Firefox (uses NSS), open:
https://HOST:PORT
Test (E): Testing with Epiphany (uses GnuTLS), open:
https://HOST:PORT
Test (F): For Java we'll use our compiled minimal programs.
{TODO: Test application-specific trust overrides in Firefox}
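As an added example (not part of the original page), the shell helper below runs tests A to C without needing CTRL-C and maps each tool's output to TRUSTED or NOT_TRUSTED using the result strings this page lists. The function names classify and run_cli_tests are hypothetical, and curl's -sS flags are added only to suppress the progress meter.

```shell
#!/bin/sh
# Added example (not from the original page): classify CLI test output.
# classify and run_cli_tests are hypothetical helper names.

# classify TOOL: read a tool's combined stdout/stderr on stdin and print
# TRUSTED, NOT_TRUSTED or UNKNOWN, using the result strings from this page.
classify() {
    out=$(cat)
    case $1 in
    openssl)
        # s_client reports "Verify return code: N (...)"; only 0 is trusted.
        code=$(printf '%s\n' "$out" |
            sed -n 's/.*Verify return code: \([0-9][0-9]*\).*/\1/p' | tail -n 1)
        if [ -z "$code" ]; then echo UNKNOWN
        elif [ "$code" -eq 0 ]; then echo TRUSTED
        else echo NOT_TRUSTED
        fi ;;
    gnutls)
        # Check the NOT form first so it cannot be mistaken for "trusted".
        case $out in
        *"The certificate is NOT trusted"*) echo NOT_TRUSTED ;;
        *"The certificate is trusted"*) echo TRUSTED ;;
        *) echo UNKNOWN ;;
        esac ;;
    curl)
        # Error 60 is curl's certificate verification failure.
        case $out in
        *"curl: (60)"*) echo NOT_TRUSTED ;;
        *"HTTP/"*" 200"*) echo TRUSTED ;;
        *) echo UNKNOWN ;;
        esac ;;
    *) echo UNKNOWN ;;
    esac
}

# run_cli_tests HOST PORT: run tests A-C; stdin from /dev/null replaces CTRL-C.
run_cli_tests() {
    printf 'A openssl: %s\n' "$(openssl s_client -verify 5 -connect "$1:$2" \
        </dev/null 2>&1 | classify openssl)"
    printf 'B gnutls:  %s\n' "$(gnutls-cli -p "$2" "$1" </dev/null 2>&1 |
        classify gnutls)"
    printf 'C curl:    %s\n' "$(curl -sS --head "https://$1:$2" 2>&1 |
        classify curl)"
}

# Only touch the network when HOST and PORT are given on the command line.
if [ $# -ge 2 ]; then run_cli_tests "$1" "$2"; fi
```

Saved under a name of your choice and run with HOST and PORT as arguments, it prints one line per tool; UNKNOWN means the connection failed or the output did not contain any of the expected strings.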
Default system settings
Test that a regular web site is trusted
Status: Ready to be tested
HOST: bugzilla.redhat.com PORT: 443
Test A:
openssl s_client -verify 5 -connect bugzilla.redhat.com:443
Verify return code: 0 (ok)
(press CTRL-C to exit)
Test B:
gnutls-cli -p 443 bugzilla.redhat.com
Status: The certificate is trusted.
(press CTRL-C to exit)
Test C:
curl --head https://bugzilla.redhat.com:443
HTTP/1.1 200 OK
Test D:
firefox https://bugzilla.redhat.com:443
page loads, left of URL good padlock shown, no error
Test E:
epiphany https://bugzilla.redhat.com:443
page loads, right of URL good padlock shown, no error
Test F:
java testbz443
connection worked
Confirm that experimental site gets rejected
Status: Ready to be tested
HOST: test9431.kuix.de PORT: 9431
Test A:
openssl s_client -verify 5 -connect test9431.kuix.de:9431
Verify return code: [not zero] (certificate not trusted)
(press CTRL-C to exit)
Test B:
gnutls-cli -p 9431 test9431.kuix.de
Status: The certificate is NOT trusted. The certificate issuer is unknown.
(press CTRL-C to exit)
Test C:
curl --head https://test9431.kuix.de:9431
curl: (60) Peer's Certificate issuer is not recognized.
Test D:
firefox https://test9431.kuix.de:9431
error page, technical details: Error code: sec_error_untrusted_issuer
Test E:
epiphany https://test9431.kuix.de:9431
right of URL bar shows open padlock with orange exclamation symbol
Test F:
java test9431
many error messages
Test with locally added CA
Status: Ready to be tested
How to add a systemwide CA
As the root user:
cp /tmp/ca.pem /etc/pki/ca-trust/source/
update-ca-trust
Confirm that experimental site is trusted now
Test A:
openssl s_client -verify 5 -connect test9431.kuix.de:9431
Verify return code: 0 (ok)
(press CTRL-C to exit)
Test B:
gnutls-cli -p 9431 test9431.kuix.de
Status: The certificate is trusted.
(press CTRL-C to exit)
Test C:
curl --head https://test9431.kuix.de:9431
HTTP/1.1 200 OK
Test D:
firefox https://test9431.kuix.de:9431
page loads, left of URL good padlock shown, no error
Test E:
epiphany https://test9431.kuix.de:9431
page loads, right of URL good padlock shown, no error
Test F:
java test9431
connection worked
Test that blacklisted CAs work
Status: Only testable in applications based on NSS
TODO: In later versions of Fedora, all crypto toolkits should be enhanced to honor globally distrusted (blacklisted) CA certificates.
(1) Test CA
 |
 |\---- (2) Distrusted Test SUB CA
 |
  \-----(3) Good SUB CA
In our earlier tests, we have added (1) to the systemwide configuration.
The server at test9431.kuix.de:9431 uses a certificate that was issued by (3).
A root CA (1) might have issued a SUB CA that got compromised at a later time, and operating systems might add configuration to distrust it. The default system configuration that we use in Fedora 19 knows about (2) and actively distrusts it. Now that we have told the system to trust (1), we can verify if the software respects the configuration to correctly distrust (2). For this purpose, we use an additional test site at test9430.kuix.de:9430, which uses a certificate issued by (2).
Confirm that blacklisted site gets rejected
HOST: test9430.kuix.de PORT: 9430
{The only application passing this test correctly is Firefox. Fixing other applications and crypto toolkits to pass this test is outside the scope of this Fedora feature.}
Test A:
openssl s_client -verify 5 -connect test9430.kuix.de:9430
Probably: Verify return code: 0 (ok)
Ideally (later) should be: Verify return code: [not zero] (certificate not trusted)
(press CTRL-C to exit)
Test B:
gnutls-cli -p 9430 test9430.kuix.de
Probably: Status: The certificate is trusted.
Ideally (later) should be: Status: The certificate is NOT trusted. The certificate issuer is unknown.
(press CTRL-C to exit)
Test C:
curl --head https://test9430.kuix.de:9430
Probably: HTTP/1.1 200 OK
Ideally (later) should be: curl: (60) Peer's Certificate issuer is not recognized.
Test D:
firefox https://test9430.kuix.de:9430
error page, technical details: Error code: sec_error_untrusted_issuer
Test E:
epiphany https://test9430.kuix.de:9430
Probably: page loads, right of URL good padlock shown, no error
Ideally (later) should be: right of URL bar shows open padlock with orange exclamation symbol
Test F:
java test9430
Probably: connection worked
Ideally (later) should be: error messages
Removing an added CA
Status: Ready to be tested
How to remove a systemwide CA that was added earlier
As the root user:
rm -f /etc/pki/ca-trust/source/ca.pem
update-ca-trust
Confirm that experimental site is no longer trusted
Status: Ready to be tested
HOST: test9431.kuix.de PORT: 9431
Test A:
openssl s_client -verify 5 -connect test9431.kuix.de:9431
Verify return code: [not zero] (certificate not trusted)
(press CTRL-C to exit)
Test B:
gnutls-cli -p 9431 test9431.kuix.de
Status: The certificate is NOT trusted. The certificate issuer is unknown.
(press CTRL-C to exit)
Test C:
curl --head https://test9431.kuix.de:9431
curl: (60) Peer's Certificate issuer is not recognized.
Test D:
firefox https://test9431.kuix.de:9431
error page, technical details: Error code: sec_error_untrusted_issuer
Test E:
epiphany https://test9431.kuix.de:9431
right of URL bar shows open padlock with orange exclamation symbol
Test F:
java test9431
many error messages
Overriding trust of one of the built-in CAs
Status: Ready for testing
We will override the trust of one of the default CAs, and change it to not trusted.
How to distrust a systemwide CA
This requires a specially prepared file, which lists the serial number and the issuer name of the distrusted certificate in a special format. We'll use one that has been prepared already.
As the root user:
cp /tmp/testing-default-distrust.p11-kit /etc/pki/ca-trust/source/
update-ca-trust
Confirm that regular site is no longer trusted
HOST: bugzilla.redhat.com PORT: 443
{The only application passing this test correctly is Firefox. Fixing other applications and crypto toolkits to pass this test is outside the scope of this Fedora feature.}
Test A:
openssl s_client -verify 5 -connect bugzilla.redhat.com:443
Probably: Verify return code: 0 (ok)
Ideally (later) should be: Verify return code: [not zero] (certificate not trusted)
(press CTRL-C to exit)
Test B:
gnutls-cli -p 443 bugzilla.redhat.com
Probably: Status: The certificate is trusted.
Ideally (later) should be: Status: The certificate is NOT trusted. The certificate issuer is unknown.
(press CTRL-C to exit)
Test C:
curl --head https://bugzilla.redhat.com:443
Probably: HTTP/1.1 200 OK
Ideally (later) should be: curl: (60) Peer's Certificate issuer is not recognized.
Test D:
firefox https://bugzilla.redhat.com:443
error page, technical details: Error code: sec_error_untrusted_issuer
Test E:
epiphany https://bugzilla.redhat.com:443
Probably: page loads, right of URL good padlock shown, no error
Ideally (later) should be: right of URL bar shows open padlock with orange exclamation symbol
Test F:
java testbz443
Probably: connection worked
Ideally (later) should be: error messages
Undo the distrust of a systemwide CA
We remove the distrust:
rm -f /etc/pki/ca-trust/source/testing-default-distrust.p11-kit
update-ca-trust
Now you should repeat (at least) the Firefox test and get the results as described in section "Test that a regular web site is trusted".