From Fedora Project Wiki

Description

This test removes an additionally configured certificate authority anchor that was added to the system, which causes certificates signed by that anchor to be untrusted.

Setup

  1. Make sure to complete the prerequisites before starting this test.
  2. You should run through the Configure Anchor Test Case first.
  3. This test case connects to test9431.kuix.de on port 9431.
  4. If firefox, epiphany or other applications are running they must be exited, as they cache information.

How to test

  1. Remove the certificate authority file so it is no longer treated as an anchor.
    $ sudo rm /etc/pki/ca-trust/source/anchors/Cert-trust-test-ca.pem
  2. Firefox should recognize the removal:
    Quit firefox completely
    $ firefox https://test9431.kuix.de:9431
    The page should not load.
    There should be an error page stating: "This Connection is Untrusted".
    Click on the Technical Details to see: "Error code: sec_error_unknown_issuer"
    There should be no padlock icon.
    Messages on the console from firefox are probably unrelated to this test, unless they say "p11-kit".
  3. The other tests below require extraction of the system ca-trust compatibility bundles:
    $ sudo update-ca-trust
    This extracts the changed bundles so that gnutls, openssl, java and so on can make use of them.
    There should be no output from this command.
  4. Verify that openssl recognizes the removal:
    $ openssl s_client -verify 5 -connect test9431.kuix.de:9431
    You should see: Verify return code: 27 (certificate not trusted)
  5. Check that gnutls recognizes the removal:
    $ gnutls-cli -p 9431 test9431.kuix.de
    You should see: Status: The certificate is NOT trusted. The certificate issuer is unknown.
  6. Check that curl recognizes the removal:
    $ curl --head https://test9431.kuix.de:9431
    You should see: curl: (60) Peer's Certificate issuer is not recognized.
  7. Epiphany should recognize the removal:
    $ epiphany https://test9431.kuix.de:9431
    To the right of the URL bar there should be an unlocked icon with an exclamation mark.
    Clicking on the padlock should show a window which says "The identity of this website has not been verified".
    Messages on the console from epiphany are probably unrelated to this test, unless they say "p11-kit".
  8. Java should recognize the removal:
    $ java -classpath ~/certificate-trust-test-cases TestCertTrust https://test9431.kuix.de:9431/
    This uses the java test program that you compiled in the prerequisites.
    The output should say: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
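The steps above all exercise the same mechanism: a leaf certificate chains to a root only while that root is present in the trust store. The following Go program is an added illustration, not part of this test case; it builds a constructed CA named Cert-trust-test-ca and a leaf for test9431.kuix.de in memory and verifies the leaf once with the CA in the root pool and once with the pool emptied, which is what removing the anchor file and re-running update-ca-trust does to the extracted bundles. It uses explicit pools rather than Go's default system roots so that it runs offline and independently of the machine's own trust configuration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// makeCert signs tmpl with signer on behalf of parent (pass parent == tmpl for a self-signed CA).
func makeCert(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced, so parsing cannot fail
	return cert
}

// TrustDemo builds a constructed test CA and a leaf for host, then verifies the leaf with the CA
// present as an anchor and again with the anchor removed (an empty pool). unknownIssuer reports
// whether the failure is Go's "unknown authority" error, the counterpart of sec_error_unknown_issuer.
func TrustDemo(host string) (withAnchor, withoutAnchor, unknownIssuer bool) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Cert-trust-test-ca"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	ca := makeCert(caTmpl, caTmpl, caPub, caKey)
	leaf := makeCert(&x509.Certificate{
		SerialNumber: big.NewInt(2), DNSNames: []string{host}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
	}, ca, leafPub, caKey)
	configured := x509.NewCertPool() // stands in for anchors/ with Cert-trust-test-ca.pem installed
	configured.AddCert(ca)
	_, errWith := leaf.Verify(x509.VerifyOptions{Roots: configured, DNSName: host})
	_, errWithout := leaf.Verify(x509.VerifyOptions{Roots: x509.NewCertPool(), DNSName: host}) // anchor removed
	var ua x509.UnknownAuthorityError
	return errWith == nil, errWithout == nil, errors.As(errWithout, &ua)
}

func main() {
	a, b, u := TrustDemo("test9431.kuix.de")
	fmt.Printf("anchor present: trusted=%v\nanchor removed: trusted=%v, unknown issuer=%v\n", a, b, u)
}
```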

Expected Results

While executing each of the above commands, check that the output matches what is noted for that command.

None of the above commands, with the exception of epiphany, should load the target page in question.

Troubleshooting

  • RHBZ #924186: Epiphany and Firefox should be quit completely before testing.
  • RHBZ #924173: For reliable results, make sure to clear the firefox cache, as described in the test prerequisites.

Notes

  • In Fedora 19 it is necessary to run the update-ca-trust command. In future releases of Fedora, it is our goal to remove this step.