Contact
E-mail
E-mail
Quicksearch
Blog Administration
Powered by
Monday, July 6. 2009
Working around KDE bug 162485
If you want to add support for third party certificates in your KDE 4 desktop, you'll have to work around this languishing bug. KDE for some arrogant reason includes its own certificate authority bundle located in /usr/share/kde*/apps/kssl/ca-bundle.crt, but doesn't provide the tools needed to modify the collection as a normal user. Therefore, as root, move this file out of the way, and link to your distribution's certificate bundle (typically in /etc/ssl/certs). This will let you use your distribution's SSL tools for managing SSL, rather than waiting for KDE to implement these important features. Changes to the distro's CA bundle will require restarting the applications using SSL/TLS before they can see the new root certificate authorities, but that's better than having to click through nag screens for certificates that should be trusted. We still have the security problem of not being able to verify certificates in any app but Konqueror, but the above fix removes the need to do that if you have a Root CA.
Trackbacks
Trackback specific URI for this entry
No Trackbacks
Comments
Display comments as
(Linear | Threaded)
You can also override this on a per-user basis by creating the directory ~/.kde4/share/apps/kssl and copying the ca-bundle.crt over. Add your CA roots to this file and get the added advantage that a) for NFS mounted homes it works everywhere and b) updates will not overwrite this modification.
What sucks is that the per-user override mechanism (checks ~/.kde4... first) exists, so there is little reason for us to be banging our heads on this bug for as long as we have been doing. It simply doesn't make sense.
Note also that 4.3.0's "Forever" functionality when an unknown certificate signer is presented is also broken now, so you'll be getting those nag screens each and every time it happens unless you fix the root cert bundle. This applies to Kmail as well as Konq.
Thanks for the pointer to the base ca-bundle, though. Before I had this bit of information, I had been pulling my hair out trying to correct this brokenness.
What sucks is that the per-user override mechanism (checks ~/.kde4... first) exists, so there is little reason for us to be banging our heads on this bug for as long as we have been doing. It simply doesn't make sense.
Note also that 4.3.0's "Forever" functionality when an unknown certificate signer is presented is also broken now, so you'll be getting those nag screens each and every time it happens unless you fix the root cert bundle. This applies to Kmail as well as Konq.
Thanks for the pointer to the base ca-bundle, though. Before I had this bit of information, I had been pulling my hair out trying to correct this brokenness.
Thanks! Finally I could add the StartSSL root cert. (https://www.startssl.com/certs/ca.pem), and the nagging I have had on every KMail startup is gone. I really hope bug 162485 gets resolved soon...
Btw., on Gentoo with USE="-kdeprefix" the system wide ca-bundle.crt to which one should append trusted certificates can be found under /usr/share/apps/kssl/ (although doing it on a per-user basis as described in comment #1 is probably a better way for most people, thanks Chronos).
Btw., on Gentoo with USE="-kdeprefix" the system wide ca-bundle.crt to which one should append trusted certificates can be found under /usr/share/apps/kssl/ (although doing it on a per-user basis as described in comment #1 is probably a better way for most people, thanks Chronos).
Calendar
|
May '13 | |||||
| Mon | Tue | Wed | Thu | Fri | Sat | Sun |
| 1 | 2 | 3 | 4 | 5 | ||
| 6 | 7 | 8 | 9 | 10 | 11 | 12 |
| 13 | 14 | 15 | 16 | 17 | 18 | 19 |
| 20 | 21 | 22 | 23 | 24 | 25 | 26 |
| 27 | 28 | 29 | 30 | 31 | ||
