Created attachment 1002075 [details]
Patch for tqsllib

Description of problem:
As of Fedora 21, the OpenSSL libraries have been modified to disable certain signature algorithms. Attempts by tqsl to verify certificates from ARRL LoTW, which are signed using MD5, are rejected by the OpenSSL library bundled with Fedora 21+. Unlike the SSL/TLS cipher suite disables, which have a system configuration file that enables DEFAULT/LEGACY/FUTURE ciphersuite selection, there is no configuration file that allows a user to override disabling the use of MD5 signatures. To allow tqsl to work properly, something must set environment variable OPENSSL_ENABLE_MD5_VERIFY. The attached tqsllib patch will add the required environment variable.

Version-Release number of selected component (if applicable):

How reproducible:
Try to import a TQ6 file created by LoTW.

Steps to Reproduce:
1. Start TQSL
2. Callsign Certificate/Load Callsign Certificate From File
3. Select an existing .TQ6 file
4. Observe (poorly) reported "certificate signature failure"

Actual results:
"certificate signature failure"

Expected results:
"no error"
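The workaround the report describes, as an added illustration in C (this is not the attached tqsllib patch and not tqsl's code): set OPENSSL_ENABLE_MD5_VERIFY in the process environment before any OpenSSL verification runs, without clobbering a value the user already exported from .bashrc, then hand off to the application so the child inherits it. It assumes the Fedora OpenSSL change only checks that the variable is present (so "1" is used as the value), that a binary named tqsl is on PATH, and that explaining the bare "certificate signature failure" message is done by the caller, so the helper takes the MD5 state as a parameter.

```c
/* Added example: set OPENSSL_ENABLE_MD5_VERIFY for tqsl without overriding
 * a value the user already set. Not the attached tqsllib patch. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define MD5_VERIFY_VAR "OPENSSL_ENABLE_MD5_VERIFY"

/* Ensure the variable is present in the environment.
 * Assumption: the Fedora OpenSSL patch only checks for presence, so any
 * value works; "1" is used here.
 * Returns 1 if this call set it, 0 if the user had already set it
 * (their value is left untouched), -1 if setenv failed. */
int ensure_md5_verify_env(void)
{
    if (getenv(MD5_VERIFY_VAR) != NULL)
        return 0;
    if (setenv(MD5_VERIFY_VAR, "1", 0) != 0)
        return -1;
    return 1;
}

/* Turn the "poorly reported" OpenSSL reason string into something a user can
 * act on. Only the exact MD5 case is rewritten; every other reason passes
 * through unchanged. md5_verify_enabled is the caller's view of whether
 * OPENSSL_ENABLE_MD5_VERIFY is present, kept as a parameter so this is pure. */
const char *explain_verify_error(const char *openssl_reason, int md5_verify_enabled)
{
    if (openssl_reason != NULL
        && strcmp(openssl_reason, "certificate signature failure") == 0
        && !md5_verify_enabled)
        return "certificate signature failure: this OpenSSL build rejects "
               "MD5-signed certificates (such as LoTW .tq6 files) unless "
               "OPENSSL_ENABLE_MD5_VERIFY is set in the environment";
    return openssl_reason;
}

int main(void)
{
    int r = ensure_md5_verify_env();
    if (r < 0) {
        perror("setenv " MD5_VERIFY_VAR);
        return 1;
    }
    fprintf(stderr, "%s %s\n", MD5_VERIFY_VAR,
            r == 1 ? "set by wrapper" : "already set by user");

    /* The variable is inherited by the child, so it is in place before
     * tqsl's OpenSSL ever verifies a certificate. "tqsl" on PATH is assumed. */
    execlp("tqsl", "tqsl", (char *)NULL);
    perror("execlp tqsl");
    return 1;
}
```

Setting the variable from inside the library, as the attached patch does, only works if it happens before the first certificate verification; a wrapper like this one does not have that ordering problem because the environment is fixed before the process image is replaced.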
I have submitted a help desk ticket with ARRL LoTW. I don't have high hopes but let's see what they say before implementing the workaround.
What can ARRL LoTW do here? Replace every user certificate so that users can work around this incompatibility? That's nonsense. I've asked already for LoTW to consider moving to a more robust hash algorithm. That's a quite reasonable request, in my opinion. That's fine for the future, but we can't force thousands of users to request renewals just to get certificates that work with Fedora. I've checked in the workaround to the upstream (see the attached patch). And let the LoTW help desk know to tell people having this issue how to fix it with an addition to their .bashrc. Ingest the patch, and you should be OK. If the Fedora project chooses to bury the consequences of these poorly informed changes to Fedora, ignoring the impact of disabling what are generally acceptable algorithms, then please rename your libraries to something distribution-specific as what you are shipping is NOT OpenSSL.
Forgot to add this bug to the bodhi update, closing.