Opened 4 years ago

Closed 3 years ago

Last modified 3 years ago

#12004 closed bug (fixed)

WebPositive SSL not implemented correctly

Reported by: haiqu
Owned by: pulkomandy
Priority: normal
Milestone: Unscheduled
Component: Applications/WebPositive
Version: R1/Development
Keywords:
Cc:
Blocked By:
Blocking:
Has a Patch: yes
Platform: All

Description

I'm getting SSL warnings in WebPositive. Most easily tested is buying an item on ebay then going to Paypal, at which time the warning pops up saying that the certificate can't be confirmed.

I also have to log in to Paypal twice, which is different behaviour to any other OS I've used.

Attachments (1)

patch (4.2 KB) - added by markh 3 years ago.
Patch to allow invalid certificates for the session


Change History (13)

comment:1 Changed 4 years ago by pulkomandy

SSL warnings are because Web+ can't check the certificates. Make sure you have the ca_root_certificates package installed and up to date.

There are problems, however:

  • No way to add an exception when there is an unvalidated certificate. Not even "for this session".
  • The message asking what to do does not have all the information from the certificate

comment:2 Changed 4 years ago by markh

Is it supposed to complain at bitbucket.org? I posted on the main haiku mailing list about this, but haven't got a response yet. I checked and according to the HaikuDepot app I have the ca_root_certificates package installed.

If this is expected at the moment, is there a timeline to improve the current functionality? It is making WebPositive nearly unusable on my machine.

comment:3 Changed 4 years ago by pulkomandy

We may have a problem with the ca_root_certificates package currently shipped. IIRC it's an old version, but new ones changed format a bit and create a compatibility problem. We'll have to check with curl and Mozilla what's the status on that and update the package again.

comment:4 Changed 4 years ago by markh

Is there an ETA on a fix for this? I'm wearing out my touchpad here.

Changed 3 years ago by markh

Attachment: patch added

Patch to allow invalid certificates for the session

comment:5 Changed 3 years ago by markh

Has a Patch: set

comment:6 Changed 3 years ago by markh

As discussed, this is a preliminary patch to allow it to ignore an invalid certificate for a session when you click "Continue". Also adds some extra information about the certificate in the alert. Open issues:

  • Checks on issuer instead of on the whole certificate, but need to be able to copy a BCertificate.
  • Needs to be moved to the network side.
  • Needs an option to permanently allow it (store it on disk).
  • Needs a nice GUI to examine the whole certificate
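
The first open issue above (matching on the issuer instead of the whole certificate), as an added C++ example that is not part of the ticket or of the attached patch. `Cert`, `MakeCert`, `IssuerExceptions` and `CertExceptions` are hypothetical names, not Haiku's BCertificate API, and the certificate data is constructed.

```cpp
#include <cstdio>
#include <set>
#include <string>
#include <utility>
#include <vector>

// Hypothetical stand-in for the certificate fields the check needs.
struct Cert {
	std::string issuer;
	std::string subject;
	std::vector<unsigned char> der;	// full encoded certificate
};

// Constructed sample data: two different certificates from one issuer.
Cert MakeCert(const std::string& subject, unsigned char tag)
{
	return Cert{"CN=Constructed Test CA", subject, {0x30, 0x03, 0x02, 0x01, tag}};
}

// Exception keyed on the issuer name only.
class IssuerExceptions {
public:
	void Allow(const Cert& c) { fIssuers.insert(c.issuer); }
	bool IsAllowed(const Cert& c) const { return fIssuers.count(c.issuer) != 0; }
private:
	std::set<std::string> fIssuers;
};

// Exception keyed on the host plus the exact certificate bytes.
class CertExceptions {
public:
	void Allow(const std::string& host, const Cert& c) { fEntries.emplace(host, c.der); }
	bool IsAllowed(const std::string& host, const Cert& c) const
		{ return fEntries.count(std::make_pair(host, c.der)) != 0; }
private:
	std::set<std::pair<std::string, std::vector<unsigned char>>> fEntries;
};

int main()
{
	Cert accepted = MakeCert("CN=shop.example", 0x01);
	Cert other = MakeCert("CN=pay.example", 0x02);
	IssuerExceptions byIssuer;
	CertExceptions byCert;
	byIssuer.Allow(accepted);			// user clicked "Continue" once
	byCert.Allow("shop.example", accepted);
	std::printf("issuer-keyed accepts other cert: %d\n", byIssuer.IsAllowed(other));
	std::printf("cert-keyed accepts other cert:   %d\n", byCert.IsAllowed("pay.example", other));
	return 0;
}
```

With issuer-only matching, one "Continue" click also covers every other unvalidated certificate that names the same issuer; binding the exception to the host and the exact certificate limits it to what the user actually saw.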

comment:7 Changed 3 years ago by pulkomandy

Applied a modified version of the above patch in hrev49790. Now, clicking "continue" will add a temporary exception and allow you to continue browsing (for the session, it will ask again next time Web+ is restarted).

To fix the issue at the root level (for common sites like paypal and bitbucket), we need to update OpenSSL to 1.0.2 and then update the ca_root_certificates to the latest version (which the new OpenSSL version can handle properly).

I will have a look but building Haiku doesn't work on my machine, which makes testing this difficult.

comment:8 Changed 3 years ago by pulkomandy

Resolution: fixed
Status: new → closed

Fixed in hrev49800.

comment:9 Changed 3 years ago by markh

Thank you very much for fixing it. WebPositive is now much more usable. It did break NetSurf though, it seems (launching it gives error: Could not open "NetSurf" (Missing symbol: SSL_CTX_set_alpn_protos)). Should I create a separate issue for that?

comment:10 Changed 3 years ago by pulkomandy

You need the latest OpenSSL package (1.0.2) for things to work. It doesn't install automatically because there was a mistake in the versioning of the 1.0.0 packages. Download this and put it in /system/packages: http://packages.haiku-os.org/haikuports/master/hpkg/openssl-1.0.2d-4-x86_gcc2.hpkg

This should fix NetSurf, wget, curl, pkgman, subversion.

comment:11 Changed 3 years ago by ttcoder

I have the same error in hrev49814 with HaikuDepot, wget, pkgman, etc. Web+ does run and is able to download files, so I downloaded http://packages.haiku-os.org/haikuports/master/hpkg/openssl-1.0.2d-4-x86_gcc2.hpkg as indicated above. pkgman won't run, so I moved the file by hand so that the package_daemon would handle it, but it won't install. Syslog error:

KERN: runtime_loader: /boot/system/lib/libcurl.so.4.4.0: Could not resolve symbol 'SSL_CTX_set_alpn_protos'
KERN: runtime_loader: /boot/system/lib/libcurl.so.4.4.0: Troubles relocating: Symbol not found
KERN: runtime_loader: /boot/system/bin/wget: Could not resolve symbol 'TLSv1_2_client_method'
KERN: runtime_loader: /boot/system/bin/wget: Troubles relocating: Symbol not found
KERN: runtime_loader: /boot/system/lib/libcurl.so.4.4.0: Could not resolve symbol 'SSL_CTX_set_alpn_protos'
KERN: runtime_loader: /boot/system/lib/libcurl.so.4.4.0: Troubles relocating: Symbol not found
KERN: runtime_loader: /boot/system/lib/libcurl.so.4.4.0: Could not resolve symbol 'SSL_CTX_set_alpn_protos'
KERN: runtime_loader: /boot/system/lib/libcurl.so.4.4.0: Troubles relocating: Symbol not found

I'm guessing this is just an attempt at accessing/syncing the online repos, and the package_daemon could be "forced" to accept the package with some tweaking.. Will update this post later

Edit: Fixed :-) Indeed it was just a matter of booting to a spare partition, swapping the openssl packages, deleting the "activated-pkg's" text file and booting back to PM.

Let's maybe keep those work-arounds in mind in case tickets are filed with similar symptoms in the next couple days...

Last edited 3 years ago by ttcoder

comment:12 Changed 3 years ago by markh

Thanks ttcoder. I used your steps, but without booting into a spare partition. After a reboot it was all working again.
