#12004 closed bug (fixed)
WebPositive SSL not implemented correctly
| Reported by: | haiqu | Owned by: | pulkomandy |
|---|---|---|---|
| Priority: | normal | Milestone: | Unscheduled |
| Component: | Applications/WebPositive | Version: | R1/Development |
| Keywords: | | Cc: | |
| Blocked By: | | Blocking: | |
| Platform: | All | | |
Description
I'm getting SSL warnings in WebPositive. Most easily tested is buying an item on ebay then going to Paypal, at which time the warning pops up saying that the certificate can't be confirmed.
I also have to log in to Paypal twice, which is different behaviour to any other OS I've used.
Attachments (1)
Change History (13)
comment:1 by , 9 years ago
comment:2 by , 9 years ago
Is it supposed to complain at bitbucket.org? I posted on the main haiku mailing list about this, but haven't got a response yet. I checked and according to the HaikuDepot app I have the ca_root_certificates package installed.
If this is expected at the moment, is there a timeline to improve the current functionality? It is making WebPositive nearly unusable on my machine.
comment:3 by , 9 years ago
We may have a problem with the ca_root_certificates package currently shipped. IIRC it's an old version, but new ones changed format a bit and create compatibility problems. We'll have to check with curl and Mozilla what the status on that is and update the package again.
comment:5 by , 9 years ago
patch: 0 → 1
comment:6 by , 9 years ago
As discussed, this is a preliminary patch to allow it to ignore an invalid certificate for a session when you click "Continue". Also adds some extra information about the certificate in the alert. Open issues:
- Checks on issuer instead of on the whole certificate, but need to be able to copy a BCertificate.
- Needs to be moved to the network side.
- Needs an option to permanently allow it (store it on disk).
- Needs a nice GUI to examine the whole certificate
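The first open issue in the list above, illustrated with an added example (not the patch attached to this ticket and not WebPositive code): an exception keyed on the issuer also accepts any other certificate naming the same issuer, while one keyed on the whole certificate does not. `PresentedCert`, both exception classes, the host names and the byte strings are hypothetical and constructed for illustration; including the host in the key is an assumption of this sketch.

```cpp
#include <cstdint>
#include <iostream>
#include <set>
#include <string>
#include <utility>
#include <vector>

// Constructed stand-in for a certificate a server presented; not Haiku's BCertificate.
struct PresentedCert {
	std::string host;          // host the connection was made to
	std::string issuer;        // issuer name shown in the alert
	std::vector<uint8_t> der;  // full encoded certificate bytes
};

// Session exception list keyed on the issuer only.
class IssuerExceptions {
public:
	void Allow(const PresentedCert& c) { fIssuers.insert(c.issuer); }
	bool IsAllowed(const PresentedCert& c) const { return fIssuers.count(c.issuer) > 0; }
private:
	std::set<std::string> fIssuers;
};

// Session exception list keyed on host plus the whole certificate (hypothetical design).
class CertExceptions {
public:
	void Allow(const PresentedCert& c) { fEntries.insert(std::make_pair(c.host, c.der)); }
	bool IsAllowed(const PresentedCert& c) const {
		return fEntries.count(std::make_pair(c.host, c.der)) > 0;
	}
private:
	std::set<std::pair<std::string, std::vector<uint8_t> > > fEntries;
};

// Constructed sample data: two different certificates that name the same issuer.
static const PresentedCert kAccepted = {"shop.example", "CN=Example Issuer", {0x30, 0x82, 0x01, 0x0a}};
static const PresentedCert kOther = {"bank.example", "CN=Example Issuer", {0x30, 0x82, 0x02, 0x5b}};

int main() {
	IssuerExceptions byIssuer;
	CertExceptions byCert;
	byIssuer.Allow(kAccepted);  // user clicks "Continue" once for kAccepted
	byCert.Allow(kAccepted);
	std::cout << "issuer-keyed accepts other cert: " << byIssuer.IsAllowed(kOther) << "\n";
	std::cout << "cert-keyed accepts other cert:   " << byCert.IsAllowed(kOther) << "\n";
	std::cout << "cert-keyed accepts same cert:    " << byCert.IsAllowed(kAccepted) << "\n";
	return 0;
}
```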
comment:7 by , 9 years ago
Applied a modified version of the above patch in hrev49790. Now, clicking "continue" will add a temporary exception and allow you to continue browsing (for the session, it will ask again next time Web+ is restarted).
To fix the issue at the root level (for common sites like paypal and bitbucket), we need to update OpenSSL to 1.0.2 and then update the ca_root_certificates to the latest version (which the new OpenSSL version can handle properly).
I will have a look but building Haiku doesn't work on my machine, which makes testing this difficult.
comment:9 by , 9 years ago
Thank you very much for fixing it. WebPositive is now much more usable. It did break NetSurf though, it seems (launching it gives error: Could not open "NetSurf" (Missing symbol: SSL_CTX_set_alpn_protos)). Should I create a separate issue for that?
comment:10 by , 9 years ago
You need the latest OpenSSL package (1.0.2) for things to work. It doesn't install automatically because there was a mistake in the versioning of the 1.0.0 packages. Download this and put it in /system/packages: http://packages.haiku-os.org/haikuports/master/hpkg/openssl-1.0.2d-4-x86_gcc2.hpkg

This should fix NetSurf, wget, curl, pkgman, subversion.
comment:11 by , 9 years ago
I have the same error in hrev49814 with HaikuDepot, wget, pkgman, etc. Web+ does run and is able to download files, so I downloaded http://packages.haiku-os.org/haikuports/master/hpkg/openssl-1.0.2d-4-x86_gcc2.hpkg as indicated above. pkgman won't run, so I moved the file by hand so that the package_daemon would handle it, but it won't install. Syslog error:
```
KERN: runtime_loader: /boot/system/lib/libcurl.so.4.4.0: Could not resolve symbol 'SSL_CTX_set_alpn_protos'
KERN: runtime_loader: /boot/system/lib/libcurl.so.4.4.0: Troubles relocating: Symbol not found
KERN: runtime_loader: /boot/system/bin/wget: Could not resolve symbol 'TLSv1_2_client_method'
KERN: runtime_loader: /boot/system/bin/wget: Troubles relocating: Symbol not found
KERN: runtime_loader: /boot/system/lib/libcurl.so.4.4.0: Could not resolve symbol 'SSL_CTX_set_alpn_protos'
KERN: runtime_loader: /boot/system/lib/libcurl.so.4.4.0: Troubles relocating: Symbol not found
KERN: runtime_loader: /boot/system/lib/libcurl.so.4.4.0: Could not resolve symbol 'SSL_CTX_set_alpn_protos'
KERN: runtime_loader: /boot/system/lib/libcurl.so.4.4.0: Troubles relocating: Symbol not found
```
I'm guessing this is just an attempt at accessing/syncing the online repos, and the package_daemon could be "forced" to accept the package with some tweaking. Will update this post later.
Edit: Fixed :-) Indeed it was just a matter of booting to a spare partition, swapping the openssl packages, deleting the "activated-pkg's" text file and booting back to PM.
Let's maybe keep those work-arounds in mind in case tickets are filed with similar symptoms in the next couple days...
comment:12 by , 9 years ago
Thanks ttcoder. I used your steps, but without booting into a spare partition. After a reboot it was all working again.
SSL warnings are because Web+ can't check the certificates. Make sure you have the ca_root_certificates package installed and up to date.
There are problems, however: