
Working around KDE bug 162485

If you want to add support for third-party certificates in your KDE 4 desktop, you'll have to work around this languishing bug. KDE for some arrogant reason includes its own certificate authority bundle, located in /usr/share/kde*/apps/kssl/ca-bundle.crt, but doesn't provide the tools needed to modify the collection as a normal user.

Therefore, as root, move this file out of the way and put a link to your distribution's certificate bundle (typically in /etc/ssl/certs) in its place. This lets you use your distribution's SSL tools for managing trusted certificates, rather than waiting for KDE to implement these important features.

After a change to the distro's CA bundle, applications using SSL/TLS must be restarted before they see the new root certificate authorities, but that's better than having to click through nag screens for certificates that should be trusted. We still have the security problem of not being able to verify certificates in any app but Konqueror, but the above fix removes the need to do that if you have a Root CA.
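The move-and-link step described above, written as a re-runnable shell function. This is an added example, not code from the original post; the function names and the `.orig` backup suffix are hypothetical, and the distribution bundle file name in the usage comment is an assumption. It refuses to link to a bundle that is unreadable or contains no PEM certificates, so KDE is never left with an empty trust store.

```shell
#!/bin/sh
# Added example, not from the original post.

# Print the number of PEM certificate blocks in FILE (0 if none).
count_pem_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# link_kde_ca_bundle KDE_BUNDLE DISTRO_BUNDLE
# Returns 0 when KDE_BUNDLE ends up as a symlink to DISTRO_BUNDLE, 1 otherwise.
link_kde_ca_bundle() {
    kde_bundle=$1
    distro_bundle=$2

    # Refuse to point KDE at a missing or certificate-free trust store.
    if [ ! -r "$distro_bundle" ]; then
        echo "distro bundle not readable: $distro_bundle" >&2
        return 1
    fi
    n=$(count_pem_certs "$distro_bundle")
    if [ "${n:-0}" -lt 1 ]; then
        echo "no PEM certificates in $distro_bundle" >&2
        return 1
    fi

    # Already linked: nothing to do, so the script is safe to re-run.
    if [ -L "$kde_bundle" ] && [ "$(readlink "$kde_bundle")" = "$distro_bundle" ]; then
        return 0
    fi

    if [ -L "$kde_bundle" ]; then
        rm -f "$kde_bundle"                      # stale link to something else
    elif [ -e "$kde_bundle" ]; then
        mv -f "$kde_bundle" "$kde_bundle.orig"   # keep KDE's packaged copy
    fi
    ln -s "$distro_bundle" "$kde_bundle"
}

# Usage as root. The bundle file name is an assumption (Debian-style); check
# what your distribution ships under /etc/ssl/certs:
#   for f in /usr/share/kde*/apps/kssl/ca-bundle.crt; do
#       link_kde_ca_bundle "$f" /etc/ssl/certs/ca-certificates.crt
#   done
```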


Comments


Chronos on :

You can also override this on a per-user basis by creating the directory ~/.kde4/share/apps/kssl and copying the ca-bundle.crt over. Add your CA roots to this file and get the added advantage that a) for NFS mounted homes it works everywhere and b) updates will not overwrite this modification.

What sucks is that the per-user override mechanism (checks ~/.kde4... first) exists, so there is little reason for us to be banging our heads on this bug for as long as we have been doing. It simply doesn't make sense.

Note also that 4.3.0's "Forever" functionality when an unknown certificate signer is presented is also broken now, so you'll be getting those nag screens each and every time it happens unless you fix the root cert bundle. This applies to KMail as well as Konq.

Thanks for the pointer to the base ca-bundle, though. Before I had this bit of information, I had been pulling my hair out trying to correct this brokenness.

Patrick on :

Thanks! Finally I could add the StartSSL root cert. (https://www.startssl.com/certs/ca.pem), and the nagging I have had on every KMail startup is gone. I really hope bug 162485 gets resolved soon...

Btw., on Gentoo with USE="-kdeprefix" the system-wide ca-bundle.crt to which one should append trusted certificates can be found under /usr/share/apps/kssl/ (although doing it on a per-user basis as described in comment #1 is probably a better way for most people, thanks Chronos).
