Bug 721180 - Epiphany cannot form a valid chain of trust to certain websites
Status: RESOLVED INVALID
Product: libsoup
Classification: Core
Component: Misc
Version: 2.44.x
Hardware: Other Linux
Importance: Normal major
Target Milestone: ---
Assigned To: libsoup-maint@gnome.bugs
Reported: 2013-12-29 01:20 UTC by Michael Catanzaro
Modified: 2013-12-30 01:07 UTC

Description Michael Catanzaro 2013-12-29 01:20:59 UTC
Using either gnutls-cli or a Qualys SSL test [1], I am able to connect securely to both wiki.ubuntu.com and www.libreoffice.org. However, Epiphany is unable to do the same, reporting "The signing certificate authority is not known." This will be really serious once Bug #542454 and Bug #708847 are addressed.

I guess this is probably a bug in gio, or glib-networking, or maybe WebKit, but I'll try here first.

[1] https://www.ssllabs.com/ssltest/analyze.html
Comment 1 Michael Catanzaro 2013-12-30 00:56:48 UTC
Narrowing this down a bit:

[mcatanzaro@victory-road libsoup]$ examples/get https://www.libreoffice.org
/: 6 Unacceptable TLS certificate (0x1)

0x1 is G_TLS_CERTIFICATE_UNKNOWN_CA ("The signing certificate authority is not known."). gnutls says the cert is fine. So I guess the bug is in either libsoup or (more likely?) glib-networking.

[mcatanzaro@victory-road ~]$ gnutls-cli libreoffice.org
Processed 149 CA certificate(s).
Resolving 'libreoffice.org'...
Connecting to '176.9.154.106:443'...
- Certificate type: X.509
- Got a certificate list of 4 certificates.
- Certificate[0] info:
 - subject `description=40dt5DwlCkd8lVq7,C=DE,ST=Berlin,L=Berlin,O=The Document Foundation,CN=www.libreoffice.org,EMAIL=hostmaster@documentfoundation.org', issuer `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom Class 2 Primary Intermediate Server CA', RSA key 2048 bits, signed using RSA-SHA1, activated `2012-04-06 23:26:40 UTC', expires `2014-04-08 03:03:13 UTC', SHA-1 fingerprint `ef71b4e4a63f7da9c556ce0e0eaa1441d72d846f'
	Public Key Id:
		4bd12427da096fe1489eaeabd82b984f4762477b
	Public key's random art:
		+--[ RSA 2048]----+
		|      o + o      |
		|     o O O       |
		|    . = B .      |
		|   . o . .       |
		|  o + E S        |
		| . + o . .       |
		|... o   .        |
		|++ . .           |
		|.o=o.            |
		+-----------------+

- Certificate[1] info:
 - subject `description=40dt5DwlCkd8lVq7,C=DE,ST=Berlin,L=Berlin,O=The Document Foundation,CN=www.libreoffice.org,EMAIL=hostmaster@documentfoundation.org', issuer `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom Class 2 Primary Intermediate Server CA', RSA key 2048 bits, signed using RSA-SHA1, activated `2012-04-06 23:26:40 UTC', expires `2014-04-08 03:03:13 UTC', SHA-1 fingerprint `ef71b4e4a63f7da9c556ce0e0eaa1441d72d846f'
- Certificate[2] info:
 - subject `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom Class 2 Primary Intermediate Server CA', issuer `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom Certification Authority', RSA key 2048 bits, signed using RSA-SHA1, activated `2007-10-24 20:57:09 UTC', expires `2017-10-24 20:57:09 UTC', SHA-1 fingerprint `a1ace4046b6e332232b87ecfb6f37a0763720147'
- Certificate[3] info:
 - subject `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom Certification Authority', issuer `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom Certification Authority', RSA key 4096 bits, signed using RSA-SHA1, activated `2006-09-17 19:46:36 UTC', expires `2036-09-17 19:46:36 UTC', SHA-1 fingerprint `3e2bf7f2031b96f38ce6c4d8a85d3e2d58476a0f'
- Status: The certificate is trusted. 
- Description: (TLS1.2-PKIX)-(RSA)-(AES-128-GCM)-(AEAD)
- Session ID: B2:B3:51:C5:09:B6:6E:2C:32:FD:F7:F8:D8:0C:3D:5B:49:7A:29:C7:DA:EB:47:8B:E2:87:AA:C0:D0:76:AE:FC
- Version: TLS1.2
- Key Exchange: RSA
- Cipher: AES-128-GCM
- MAC: AEAD
- Compression: NULL
- Handshake was completed
Comment 2 Michael Catanzaro 2013-12-30 01:07:26 UTC
I feel more than a little dumb for posting that no fewer than ten minutes after looking at Bug #702998.

wiki.ubuntu.com suffers from Bug #683266.

I guess both those sites are technically broken, so I'll use the INVALID resolution.
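
In the gnutls-cli output in Comment 1, Certificate[0] and Certificate[1] carry the same subject and SHA-1 fingerprint, so the server sent its leaf certificate twice. The script below is an added example, not part of the original report and not libsoup or glib-networking code: it parses output in that format and flags repeated or out-of-order chain entries. The sample certificates and the function names are constructed for illustration.

```python
import re

# Constructed sample in the gnutls-cli format shown in Comment 1, shortened to
# the fields the check needs (subject, issuer, SHA-1 fingerprint).
SAMPLE = """\
- Certificate[0] info:
 - subject `CN=www.example.test', issuer `CN=Example Intermediate CA', RSA key 2048 bits, SHA-1 fingerprint `aa11'
- Certificate[1] info:
 - subject `CN=www.example.test', issuer `CN=Example Intermediate CA', RSA key 2048 bits, SHA-1 fingerprint `aa11'
- Certificate[2] info:
 - subject `CN=Example Intermediate CA', issuer `CN=Example Root CA', RSA key 2048 bits, SHA-1 fingerprint `bb22'
- Certificate[3] info:
 - subject `CN=Example Root CA', issuer `CN=Example Root CA', RSA key 4096 bits, SHA-1 fingerprint `cc33'
"""

CERT_RE = re.compile(
    r"subject `(?P<subject>[^']*)', issuer `(?P<issuer>[^']*)'"
    r".*?SHA-1 fingerprint `(?P<fp>[0-9a-f]+)'"
)

def parse_chain(text):
    """Return the certificates in the order the server sent them."""
    return [m.groupdict() for m in CERT_RE.finditer(text)]

def chain_problems(chain):
    """Flag entries sent more than once, then check that each remaining
    certificate is followed directly by its issuer. Names are compared as
    strings; no signature is verified here."""
    problems, first_seen, unique = [], {}, []
    for i, cert in enumerate(chain):
        if cert["fp"] in first_seen:
            problems.append(f"Certificate[{i}] duplicates Certificate[{first_seen[cert['fp']]}]")
            continue
        first_seen[cert["fp"]] = i
        unique.append((i, cert))
    for (i, cert), (j, nxt) in zip(unique, unique[1:]):
        if cert["issuer"] != nxt["subject"]:
            problems.append(f"Certificate[{i}] is not issued by Certificate[{j}]")
    return problems

if __name__ == "__main__":
    for line in chain_problems(parse_chain(SAMPLE)):
        print(line)
```

A client that tolerates such a chain and one that rejects it will disagree about the same server, so checking what the server sends is a useful first step before suspecting the local trust store.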