Bug 1471485 - Server certificate not trusted when it should be (private PKI)
Server certificate not trusted when it should be (private PKI)
Status: CLOSED WORKSFORME
Product: Fedora
Classification: Fedora
Component: evolution (Show other bugs)
rawhide
i686 Linux
unspecified Severity medium
: ---
: ---
Assigned To: Milan Crha
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2017-07-16 06:52 EDT by Radu Rendec
Modified: 2017-07-21 09:59 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-07-19 04:50:04 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Test certificates (5.41 KB, application/octet-stream)
2017-07-17 17:29 EDT, Radu Rendec
no flags Details

  None (edit)
Description Radu Rendec 2017-07-16 06:52:44 EDT
Description of problem:

With a private PKI (i.e. the root certificate is not part of the publicly listed CAs), the imaps server certificate is not trusted, even though the root certificate has been manually added to the list of trusted certificates.

The certificate chain is 3 levels deep (root certificate, intermediate CA certificate, server certificate) and the server is configured properly and does present the full chain. This has been tested and confirmed using "openssl s_client -connect mail.mindbit.ro:993 -verify 5 -CAfile RootCA.pem".

The root certificate has been configured in evolution using the gui, at Preferences -> Certificates -> Authorities -> Import and does show up in the authorities list.

Version-Release number of selected component (if applicable):
3.25.3-1.fc27.i686

The above version is for Fedora rawhide as of today, but the problem can be reproduced on a fairly up-to-date Fedora 25 as well (evolution-3.22.6-2.fc25.i686).

How reproducible:
always

Steps to Reproduce:
1. Create private PKI and a 3rd level server certificate as described above.
2. Configure the imaps server and test with "openssl s_client" as described above.
3. Add the root certificate to the trusted authorities list in evolution.
4. Configure the imaps account and connect to server.

Actual results:
Evolution complains that the server certificate is not trusted and presents the standard certificate trust window with 4 buttons (cancel / reject / accept temporarily / accept permanently).

Expected results:
Evolution verifies and accepts server certificate without user intervention.

Additional info:
This looks very similar to Bug #1246492, except that the root CA is not public. This bug points to Bug #1286034 which in turn points to Bug #1250175. The latter looks like a dead-end. It has only one user comment, which mentions that nothing needs to be backported. This suggests that the problem had been fixed upstream and the fix should have been picked up automatically in a newer Fedora release.
Comment 1 Milan Crha 2017-07-17 12:54:17 EDT
Thanks for a bug report. The Camel part (it's libcamel, responsible for mail) uses NSS for certificates, while the connection streams are from GIO (glib), which usually means gnutls. I'm not sure how these two cooperate, even whether they share the same certificate database (they should, of course, but I do not know it for sure).

> The root certificate has been configured in evolution using the gui, at
> Preferences -> Certificates -> Authorities -> Import and does show up in
> the authorities list.

I understood from the comment #0 that for the above you also set the trust level in the GUI. Am I right?

> 1. Create private PKI and a 3rd level server certificate as described above.
> 2. Configure the imaps server and test with "openssl s_client" as described above.

I'm sorry, I'm not that good in these things. Would you mind to elaborate on it, please? I'm able to do the rest of the steps, they are pretty simple, but these two are challenging for me. I'm sorry.
Comment 2 Radu Rendec 2017-07-17 17:29 EDT
Created attachment 1300135 [details]
Test certificates
Comment 3 Radu Rendec 2017-07-17 17:49:07 EDT
> I understood from the comment #0 that for the above you also set the trust
> level in the GUI. Am I right?

Thanks for looking into this. Yes, that's correct. I checked all 3 boxes (trust the certificate to identify websites / email users / software developers).

> I'm sorry, I'm not that good in these things. Would you mind to elaborate on
> it, please? I'm able to do the rest of the steps, they are pretty simple,
> but these two are challenging for me. I'm sorry.

I attached test certificates to the ticket. You need to install dovecot to run the imaps server. The certificates can be installed as follows:

cat localhost.localdomain.cert.pem ca-chain.cert.pem > /etc/pki/dovecot/certs/dovecot.pem
cat localhost.localdomain.key.pem > /etc/pki/dovecot/private/dovecot.pem

Nothing else needs to be configured in dovecot (it works with the default configuration).

The configuration can be verified like this:
openssl s_client -connect localhost:993 -verify 5 -CAfile ca.cert.pem

If everything is configured correctly, you should see this at the bottom of the output:
    Start Time: 1500325726
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes

The certificate that needs to be configured in evolution is in ca.cert.pem.
Comment 4 Milan Crha 2017-07-18 10:24:52 EDT
Thanks for all the bits. My openssl output is slightly different, it doesn't have any "Extended master secret" line, but I think it doesn't matter much.

What matters is that Camel (from evolution-data-server) uses glib's GIO, which uses glib-networking, which uses gnutls for certificate things, but evolution itself operates on NSS database (sql:/etc/pki/nssdb, eventually ~/.pki/nssdb).

I'm afraid that whatever changes evolution does in NSS the gnutls has no idea about them. It wasn't the case in the past, when Camel (in evolution-data-server) used NSS for SSL connections as well, but it's gone for a long time now.

Nikos, could you confirm, please, than whatever changes I do in NSS certificate database (in trust for certificate authorities) is not recognized by gnutls, when it verifies that the certificate provided by the connection its trusted or not (including when the trust itself is set to the issuer's root certificate or intermediate certificate), please?

I'm afraid that the only option would be to move away from NSS in Camel and Evolution and switch to gnutls instead. I did try to use CERT_VerifyCertificateNow(), but it keeps returning SECSuccess even when I remove trust for the issuer's certificate, or even if I do not have those issuer certificates (either ca-root or the ca-chain) imported. Verifying one of the imported CA certificates does work, and eventually returns that the certificate is not marked trusted by the user (by PORT_GetError()), but I expected it to work on the certificate returned by the server, not that I'd verify one-by-one in the chain myself. There is very little documentation on the NSS, which doesn't help much too. I have a little test application for NSS which I can share, it can be used with the certificates from comment #2 (pass it the localhost.localdomain certificate and import the CA root certificate by Evolution).
Comment 5 David Woodhouse 2017-07-18 13:08:13 EDT
(In reply to Radu Rendec from comment #0)
> The certificate chain is 3 levels deep (root certificate, intermediate CA
> certificate, server certificate) and the server is configured properly and
> does present the full chain. This has been tested and confirmed using
> "openssl s_client -connect mail.mindbit.ro:993 -verify 5 -CAfile RootCA.pem".
> 
> The root certificate has been configured in evolution using the gui, at
> Preferences -> Certificates -> Authorities -> Import and does show up in the
> authorities list.

Firstly, don't do that.

Install the RootCA.pem "correctly" in in the system-wide trust database, by saving it into /etc/pki/ca-trust/source/anchors/ and running 'update-ca-trust'.

Then check that your above OpenSSL command line works correctly *without* the '-CAfile RootCA.pem' part.

Then I think it'll work from all parts of Evolution too — those which use NSS for their crypto (and hence were using the one you imported into the NSS database through the GUI), and those which don't use NSS (like IMAP, as you discovered).
Comment 6 Radu Rendec 2017-07-18 18:26:32 EDT
(In reply to David Woodhouse from comment #5)
> Install the RootCA.pem "correctly" in in the system-wide trust database, by
> saving it into /etc/pki/ca-trust/source/anchors/ and running
> 'update-ca-trust'.

Yes, that makes sense now that we have established that different parts of
Evolution use different crypto engines.

> Then check that your above OpenSSL command line works correctly *without*
> the '-CAfile RootCA.pem' part.

I haven't checked that, but I expect it would work, since /etc/pki/ca-trust
seems to have been designed specifically to accomplish that (provide a
common trust store for all crypto engines: NSS, OpenSSL, gnutls and even Java.

> Then I think it'll work from all parts of Evolution too — those which use
> NSS for their crypto (and hence were using the one you imported into the NSS
> database through the GUI), and those which don't use NSS (like IMAP, as you
> discovered).

Yes, it does. So this solution is good enough for my particular use case. And
thank you for providing the solution!

On the other hand, I still believe the Evolution GUI is broken:
1. If an application provides a GUI for managing certificates, I expect it to
   apply to all parts of the application that use cryptography.
2. Maybe I cannot install the CA certificate in the system-wide trust store
   (think, for instance, shared systems where one doesn't have root) or I
   simply don't want to (because I just don't want *every* application on
   the system to trust that CA).

For the record, I was able to verify that the Evolution GUI installs the CA
certificate in the NSS trust store, by using "certutil" to retrieve the
certificate from the store. And I assume it's the user (not the system-wide)
trust store, because I explicitly used "-d sql:.pki/nssdb/" on the command
line.
Comment 7 Milan Crha 2017-07-19 04:50:04 EDT
(In reply to Radu Rendec from comment #6)
> On the other hand, I still believe the Evolution GUI is broken:
> 1. If an application provides a GUI for managing certificates, I expect it to
>    apply to all parts of the application that use cryptography.

Right, I agree it's confusing, but once you understand the complexity, then you know it's not that simple to be achieved. What one might want is to have also user-specific trust store and that being managed by all the libraries at once, not one user trust store for nss, one for gnutls and so on.

> 2. Maybe I cannot install the CA certificate in the system-wide trust store
>    (think, for instance, shared systems where one doesn't have root) or I
>    simply don't want to (because I just don't want *every* application on
>    the system to trust that CA).

I agree here as well. It adds to the complexity and it's still the same issue.

> And I assume it's the user (not the system-wide) trust store, because I
> explicitly used "-d sql:.pki/nssdb/" on the command line.

I made similar observation here as well. The update-ca-trust doesn't seem to work with any folder in the user's home.

> Yes, it does. So this solution is good enough for my particular use case.

I'm closing this then. Thanks David for the pointer.
Comment 8 David Woodhouse 2017-07-19 10:21:02 EDT
They're all just PKCS#11 tokens. It isn't that hard to make use of the user's NSS softokn in ~/.pki/nssdb/ from GnuTLS or even OpenSSL. Maybe Evolution should be explicitly doing so when it uses GnuTLS, given that it does use the NSS database for other things.

It probably would have made more sense for Evolution to be using the gnome-keyring token instead, but to migrate to that now is going to be more pain than it's worth.

FWIW I think there are ways to put the additional CA into the system store with a restriction so it isn't blindly trusted for *everything*, but there really ought to be a way for users to add their own, and I don't think we do have that. Nikos?
Comment 9 Nikos Mavrogiannopoulos 2017-07-20 03:22:39 EDT
>Nikos, could you confirm, please, than whatever changes I do in NSS certificate 
>database (in trust for certificate authorities) is not recognized by gnutls,  when
>it verifies that the certificate provided by the connection its trusted or not 
>(including when the trust itself is set to the issuer's root certificate or 
>intermediate certificate), please?

I can confirm that, as well as David's reply of using the system-wide trust store is the way to handle root CA certificates in Fedora in a cross application way.
Comment 10 Milan Crha 2017-07-20 03:50:24 EDT
(In reply to Nikos Mavrogiannopoulos from comment #9)
> I can confirm that, as well as David's reply of using the system-wide trust
> store is the way to handle root CA certificates in Fedora in a cross
> application way.

Thanks. Does it also mean that there is no way for a (GUI) application to change the trust on a user-based level, without touching the root-privileged global trust store? Like in evolution, where NSS is used for the GUI part, but the connection streams use gnutls (or whatever glib-networking picks).

Is there any plan to support this, like to merge things from the global folder and also have a similar shadow-folder in user's home, where only user-specific trust preferences would be saved?
Comment 11 Nikos Mavrogiannopoulos 2017-07-20 06:28:31 EDT
(In reply to Milan Crha from comment #10)
> (In reply to Nikos Mavrogiannopoulos from comment #9)
> > I can confirm that, as well as David's reply of using the system-wide trust
> > store is the way to handle root CA certificates in Fedora in a cross
> > application way.
> 
> Thanks. Does it also mean that there is no way for a (GUI) application to
> change the trust on a user-based level, without touching the root-privileged
> global trust store? Like in evolution, where NSS is used for the GUI part,
> but the connection streams use gnutls (or whatever glib-networking picks).
> 
> Is there any plan to support this, like to merge things from the global
> folder and also have a similar shadow-folder in user's home, where only
> user-specific trust preferences would be saved?

You'll need co-ordination of the underlying components, e.g., provide the certificates in the user trust store for both NSS and glib-networking.
Comment 12 Milan Crha 2017-07-20 07:47:27 EDT
(In reply to Nikos Mavrogiannopoulos from comment #11)
> You'll need co-ordination of the underlying components, e.g., provide the
> certificates in the user trust store for both NSS and glib-networking.

Yes, that's understood. My question was whether there's already any such plan, like with the system store, or whether it's not planned at all right now.
Comment 13 Nikos Mavrogiannopoulos 2017-07-20 08:28:59 EDT
(In reply to Milan Crha from comment #12)
> (In reply to Nikos Mavrogiannopoulos from comment #11)
> > You'll need co-ordination of the underlying components, e.g., provide the
> > certificates in the user trust store for both NSS and glib-networking.
> 
> Yes, that's understood. My question was whether there's already any such
> plan, like with the system store, or whether it's not planned at all right
> now.

There is no plan to bring the NSS store to gnutls or openssl.
Comment 14 David Woodhouse 2017-07-21 08:09:36 EDT
(In reply to Nikos Mavrogiannopoulos from comment #13)
> There is no plan to bring the NSS store to gnutls or openssl.

We can do it for ourselves though — as I said, it's just a PKCS#11 token that we can tell GnuTLS to load as an "extra" one, in addition to the normal set.

The fact that there's no system-wide plan to do this automatically is actually good for us in Evolution, since we can do it for ourselves and not worry about conflicting with such a plan.

Start by doing something like this (change the homedir):

cat > ~/.config/pkcs11/evo-nss.module <<EOF
module: /usr/lib64/libsoftokn3.so
x-init-reserved: configdir='sql:/home/dwmw2/.pki/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db'
trust-policy: yes
critical: yes
log-calls:no
enable-in: evolution
EOF

We can look at getting Evolution to do that for itself, later. But I think it should make your user-trusted CAs work, and should also make client certs from the NSS database available (although you'll need more work to be able to actually *use* them).

If we do this, we could kill the final uses of NSS itself from Evolution, which would be nice.
Comment 15 Nikos Mavrogiannopoulos 2017-07-21 08:49:56 EDT
(In reply to David Woodhouse from comment #14)
> (In reply to Nikos Mavrogiannopoulos from comment #13)
> > There is no plan to bring the NSS store to gnutls or openssl.
> 
> We can do it for ourselves though — as I said, it's just a PKCS#11 token
> that we can tell GnuTLS to load as an "extra" one, in addition to the normal
> set.
> The fact that there's no system-wide plan to do this automatically is
> actually good for us in Evolution, since we can do it for ourselves and not
> worry about conflicting with such a plan.

I'm not sure if that's possible. The NSS module is similar but not compatible with the p11-kit trust module (the language gnutls talks).
Comment 16 David Woodhouse 2017-07-21 09:01:17 EDT
Hm? I thought it was *designed* to be compatible, and to allow us to ditch the upstream NSS libnssckbi.so module with its trust roots, and just override it with a symlink to p11-kit-trust.so? 

Admittedly that's compatibility in the opposite direction, but I actually thought it was both.
Comment 17 David Woodhouse 2017-07-21 09:34:08 EDT
Hm...

Test server running with my own CA, CA installed into sql:~/pki/nssdb.
So curl (Fedora 25, built against curl) now likes it. But indeed, gnutls-cli doesn't work...

$ cat ~/.config/pkcs11/modules/nss.module # The file is installed/loaded from the default module p11-kit directory
module: /usr/lib64/libsoftokn3.so
x-init-reserved: configdir='sql:/home/dwmw2/.pki/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db'
trust-policy: yes
critical: yes
log-calls:yes

$ gnutls-cli -p 8443 i7.infradead.org
C_Initialize
  IN: pInitArgs = NULL
C_Initialize = CKR_OK
p11-kit: softhsm: module failed to initialize, skipping: Internal error
C_GetInfo
 OUT: pInfo = {
	cryptokiVersion: 2.20
	manufacturerID: "Mozilla Foundation"
	flags: 0
	libraryDescription: "NSS Internal Crypto Services"
	libraryVersion: 3.28
      }
C_GetInfo = CKR_OK
C_GetSlotList
  IN: tokenPresent = CK_TRUE
  IN: pulCount = 0x7FFE3C626378 = 48
 OUT: pSlotList = (2) [ SL1, SL2 ]
C_GetSlotList = CKR_OK
C_GetTokenInfo
  IN: slotID = SL1
 OUT: pInfo = {
	label: "NSS Generic Crypto Services"
	manufacturerID: "Mozilla Foundation"
	model: "NSS 3"
	serialNumber: "0000000000000000"
	flags: 1539 = CKF_RNG | CKF_WRITE_PROTECTED | CKF_DUAL_CRYPTO_OPERATIONS | CKF_TOKEN_INITIALIZED
	ulMaxSessionCount: CK_UNAVAILABLE_INFORMATION
	ulSessionCount: 0
	ulMaxRwSessionCount: CK_UNAVAILABLE_INFORMATION
	ulRwSessionCount: 0
	ulMaxPinLen: 0
	ulMinPinLen: 0
	ulTotalPublicMemory: CK_UNAVAILABLE_INFORMATION
	ulFreePublicMemory: CK_UNAVAILABLE_INFORMATION
	ulTotalPrivateMemory: CK_UNAVAILABLE_INFORMATION
	ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION
	ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION
	hardwareVersion: 4.0
	firmwareVersion: 0.0
	utcTime: 
      }
C_GetTokenInfo = CKR_OK
C_GetSlotInfo
  IN: slotID = SL1
 OUT: pInfo = {
	slotDescription: "NSS Internal Cryptographic Services"
	manufacturerID: "Mozilla Foundation"
	flags: 1 = CKF_TOKEN_PRESENT
	hardwareVersion: 3.28
	firmwareVersion: 1.0
      }
C_GetSlotInfo = CKR_OK
C_GetTokenInfo
  IN: slotID = SL2
 OUT: pInfo = {
	label: "NSS Certificate DB"
	manufacturerID: "Mozilla Foundation"
	model: "NSS 3"
	serialNumber: "0000000000000000"
	flags: 1545 = CKF_RNG | CKF_USER_PIN_INITIALIZED | CKF_DUAL_CRYPTO_OPERATIONS | CKF_TOKEN_INITIALIZED
	ulMaxSessionCount: CK_UNAVAILABLE_INFORMATION
	ulSessionCount: 0
	ulMaxRwSessionCount: CK_UNAVAILABLE_INFORMATION
	ulRwSessionCount: 0
	ulMaxPinLen: 255
	ulMinPinLen: 0
	ulTotalPublicMemory: CK_UNAVAILABLE_INFORMATION
	ulFreePublicMemory: CK_UNAVAILABLE_INFORMATION
	ulTotalPrivateMemory: CK_UNAVAILABLE_INFORMATION
	ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION
	ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION
	hardwareVersion: 0.0
	firmwareVersion: 0.0
	utcTime: 
      }
C_GetTokenInfo = CKR_OK
C_GetSlotInfo
  IN: slotID = SL2
 OUT: pInfo = {
	slotDescription: "NSS User Private Key and Certificate Services"
	manufacturerID: "Mozilla Foundation"
	flags: 1 = CKF_TOKEN_PRESENT
	hardwareVersion: 3.28
	firmwareVersion: 1.0
      }
C_GetSlotInfo = CKR_OK
Processed 216 CA certificate(s).
Resolving 'i7.infradead.org:8443'...
Connecting to '2001:8b0:10b:1:21e:67ff:fecb:7a92:8443'...
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
 - subject `CN=i7.infradead.org,O=Default Company Ltd,L=Default City,C=XX', issuer `EMAIL=dwmw2@infradead.org,CN=Infradead test CA,OU=shinybook,O=Infradead test CA,L=Great Bardfield,ST=Essex,C=GB', serial 0x008a8a63da4a27d88f, RSA key 2048 bits, signed using RSA-SHA256, activated `2017-07-21 13:09:14 UTC', expires `2027-07-19 13:09:14 UTC', key-ID `sha256:6a0ee877a5d335b8f31ae62bf25d2f58bec72a9e8d7e8e27e5e3fca65458443e'
	Public Key ID:
		sha1:22790e1812feffde957be6096d51b9e0fe6fbaca
		sha256:6a0ee877a5d335b8f31ae62bf25d2f58bec72a9e8d7e8e27e5e3fca65458443e
	Public key's random art:
		+--[ RSA 2048]----+
		|.                |
		|..              .|
		|...          . o |
		| ..o .      . o .|
		|  ..+ o S    o . |
		|    .= .    + .  |
		|     ..    + +   |
		|      . . ..+oo .|
		|      .o . .E+o=o|
		+-----------------+

C_GetSlotList
  IN: tokenPresent = CK_TRUE
  IN: pulCount = 0x7FFE3C624C18 = 48
 OUT: pSlotList = (2) [ SL1, SL2 ]
C_GetSlotList = CKR_OK
C_GetTokenInfo
  IN: slotID = SL1
 OUT: pInfo = {
	label: "NSS Generic Crypto Services"
	manufacturerID: "Mozilla Foundation"
	model: "NSS 3"
	serialNumber: "0000000000000000"
	flags: 1539 = CKF_RNG | CKF_WRITE_PROTECTED | CKF_DUAL_CRYPTO_OPERATIONS | CKF_TOKEN_INITIALIZED
	ulMaxSessionCount: CK_UNAVAILABLE_INFORMATION
	ulSessionCount: 0
	ulMaxRwSessionCount: CK_UNAVAILABLE_INFORMATION
	ulRwSessionCount: 0
	ulMaxPinLen: 0
	ulMinPinLen: 0
	ulTotalPublicMemory: CK_UNAVAILABLE_INFORMATION
	ulFreePublicMemory: CK_UNAVAILABLE_INFORMATION
	ulTotalPrivateMemory: CK_UNAVAILABLE_INFORMATION
	ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION
	ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION
	hardwareVersion: 4.0
	firmwareVersion: 0.0
	utcTime: 
      }
C_GetTokenInfo = CKR_OK
C_GetSlotInfo
  IN: slotID = SL1
 OUT: pInfo = {
	slotDescription: "NSS Internal Cryptographic Services"
	manufacturerID: "Mozilla Foundation"
	flags: 1 = CKF_TOKEN_PRESENT
	hardwareVersion: 3.28
	firmwareVersion: 1.0
      }
C_GetSlotInfo = CKR_OK
C_GetTokenInfo
  IN: slotID = SL2
 OUT: pInfo = {
	label: "NSS Certificate DB"
	manufacturerID: "Mozilla Foundation"
	model: "NSS 3"
	serialNumber: "0000000000000000"
	flags: 1545 = CKF_RNG | CKF_USER_PIN_INITIALIZED | CKF_DUAL_CRYPTO_OPERATIONS | CKF_TOKEN_INITIALIZED
	ulMaxSessionCount: CK_UNAVAILABLE_INFORMATION
	ulSessionCount: 0
	ulMaxRwSessionCount: CK_UNAVAILABLE_INFORMATION
	ulRwSessionCount: 0
	ulMaxPinLen: 255
	ulMinPinLen: 0
	ulTotalPublicMemory: CK_UNAVAILABLE_INFORMATION
	ulFreePublicMemory: CK_UNAVAILABLE_INFORMATION
	ulTotalPrivateMemory: CK_UNAVAILABLE_INFORMATION
	ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION
	ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION
	hardwareVersion: 0.0
	firmwareVersion: 0.0
	utcTime: 
      }
C_GetTokenInfo = CKR_OK
C_GetSlotInfo
  IN: slotID = SL2
 OUT: pInfo = {
	slotDescription: "NSS User Private Key and Certificate Services"
	manufacturerID: "Mozilla Foundation"
	flags: 1 = CKF_TOKEN_PRESENT
	hardwareVersion: 3.28
	firmwareVersion: 1.0
      }
C_GetSlotInfo = CKR_OK
C_GetSlotList
  IN: tokenPresent = CK_TRUE
  IN: pulCount = 0x7FFE3C624C18 = 48
 OUT: pSlotList = (2) [ SL1, SL2 ]
C_GetSlotList = CKR_OK
C_GetTokenInfo
  IN: slotID = SL1
 OUT: pInfo = {
	label: "NSS Generic Crypto Services"
	manufacturerID: "Mozilla Foundation"
	model: "NSS 3"
	serialNumber: "0000000000000000"
	flags: 1539 = CKF_RNG | CKF_WRITE_PROTECTED | CKF_DUAL_CRYPTO_OPERATIONS | CKF_TOKEN_INITIALIZED
	ulMaxSessionCount: CK_UNAVAILABLE_INFORMATION
	ulSessionCount: 0
	ulMaxRwSessionCount: CK_UNAVAILABLE_INFORMATION
	ulRwSessionCount: 0
	ulMaxPinLen: 0
	ulMinPinLen: 0
	ulTotalPublicMemory: CK_UNAVAILABLE_INFORMATION
	ulFreePublicMemory: CK_UNAVAILABLE_INFORMATION
	ulTotalPrivateMemory: CK_UNAVAILABLE_INFORMATION
	ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION
	ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION
	hardwareVersion: 4.0
	firmwareVersion: 0.0
	utcTime: 
      }
C_GetTokenInfo = CKR_OK
C_GetSlotInfo
  IN: slotID = SL1
 OUT: pInfo = {
	slotDescription: "NSS Internal Cryptographic Services"
	manufacturerID: "Mozilla Foundation"
	flags: 1 = CKF_TOKEN_PRESENT
	hardwareVersion: 3.28
	firmwareVersion: 1.0
      }
C_GetSlotInfo = CKR_OK
C_GetTokenInfo
  IN: slotID = SL2
 OUT: pInfo = {
	label: "NSS Certificate DB"
	manufacturerID: "Mozilla Foundation"
	model: "NSS 3"
	serialNumber: "0000000000000000"
	flags: 1545 = CKF_RNG | CKF_USER_PIN_INITIALIZED | CKF_DUAL_CRYPTO_OPERATIONS | CKF_TOKEN_INITIALIZED
	ulMaxSessionCount: CK_UNAVAILABLE_INFORMATION
	ulSessionCount: 0
	ulMaxRwSessionCount: CK_UNAVAILABLE_INFORMATION
	ulRwSessionCount: 0
	ulMaxPinLen: 255
	ulMinPinLen: 0
	ulTotalPublicMemory: CK_UNAVAILABLE_INFORMATION
	ulFreePublicMemory: CK_UNAVAILABLE_INFORMATION
	ulTotalPrivateMemory: CK_UNAVAILABLE_INFORMATION
	ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION
	ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION
	hardwareVersion: 0.0
	firmwareVersion: 0.0
	utcTime: 
      }
C_GetTokenInfo = CKR_OK
C_GetSlotInfo
  IN: slotID = SL2
 OUT: pInfo = {
	slotDescription: "NSS User Private Key and Certificate Services"
	manufacturerID: "Mozilla Foundation"
	flags: 1 = CKF_TOKEN_PRESENT
	hardwareVersion: 3.28
	firmwareVersion: 1.0
      }
C_GetSlotInfo = CKR_OK
C_GetSlotList
  IN: tokenPresent = CK_TRUE
  IN: pulCount = 0x7FFE3C624C18 = 48
 OUT: pSlotList = (2) [ SL1, SL2 ]
C_GetSlotList = CKR_OK
C_GetTokenInfo
  IN: slotID = SL1
 OUT: pInfo = {
	label: "NSS Generic Crypto Services"
	manufacturerID: "Mozilla Foundation"
	model: "NSS 3"
	serialNumber: "0000000000000000"
	flags: 1539 = CKF_RNG | CKF_WRITE_PROTECTED | CKF_DUAL_CRYPTO_OPERATIONS | CKF_TOKEN_INITIALIZED
	ulMaxSessionCount: CK_UNAVAILABLE_INFORMATION
	ulSessionCount: 0
	ulMaxRwSessionCount: CK_UNAVAILABLE_INFORMATION
	ulRwSessionCount: 0
	ulMaxPinLen: 0
	ulMinPinLen: 0
	ulTotalPublicMemory: CK_UNAVAILABLE_INFORMATION
	ulFreePublicMemory: CK_UNAVAILABLE_INFORMATION
	ulTotalPrivateMemory: CK_UNAVAILABLE_INFORMATION
	ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION
	ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION
	hardwareVersion: 4.0
	firmwareVersion: 0.0
	utcTime: 
      }
C_GetTokenInfo = CKR_OK
C_GetSlotInfo
  IN: slotID = SL1
 OUT: pInfo = {
	slotDescription: "NSS Internal Cryptographic Services"
	manufacturerID: "Mozilla Foundation"
	flags: 1 = CKF_TOKEN_PRESENT
	hardwareVersion: 3.28
	firmwareVersion: 1.0
      }
C_GetSlotInfo = CKR_OK
C_GetTokenInfo
  IN: slotID = SL2
 OUT: pInfo = {
	label: "NSS Certificate DB"
	manufacturerID: "Mozilla Foundation"
	model: "NSS 3"
	serialNumber: "0000000000000000"
	flags: 1545 = CKF_RNG | CKF_USER_PIN_INITIALIZED | CKF_DUAL_CRYPTO_OPERATIONS | CKF_TOKEN_INITIALIZED
	ulMaxSessionCount: CK_UNAVAILABLE_INFORMATION
	ulSessionCount: 0
	ulMaxRwSessionCount: CK_UNAVAILABLE_INFORMATION
	ulRwSessionCount: 0
	ulMaxPinLen: 255
	ulMinPinLen: 0
	ulTotalPublicMemory: CK_UNAVAILABLE_INFORMATION
	ulFreePublicMemory: CK_UNAVAILABLE_INFORMATION
	ulTotalPrivateMemory: CK_UNAVAILABLE_INFORMATION
	ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION
	ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION
	hardwareVersion: 0.0
	firmwareVersion: 0.0
	utcTime: 
      }
C_GetTokenInfo = CKR_OK
C_GetSlotInfo
  IN: slotID = SL2
 OUT: pInfo = {
	slotDescription: "NSS User Private Key and Certificate Services"
	manufacturerID: "Mozilla Foundation"
	flags: 1 = CKF_TOKEN_PRESENT
	hardwareVersion: 3.28
	firmwareVersion: 1.0
      }
C_GetSlotInfo = CKR_OK
C_GetSlotList
  IN: tokenPresent = CK_TRUE
  IN: pulCount = 0x7FFE3C624C18 = 48
 OUT: pSlotList = (2) [ SL1, SL2 ]
C_GetSlotList = CKR_OK
C_GetTokenInfo
  IN: slotID = SL1
 OUT: pInfo = {
	label: "NSS Generic Crypto Services"
	manufacturerID: "Mozilla Foundation"
	model: "NSS 3"
	serialNumber: "0000000000000000"
	flags: 1539 = CKF_RNG | CKF_WRITE_PROTECTED | CKF_DUAL_CRYPTO_OPERATIONS | CKF_TOKEN_INITIALIZED
	ulMaxSessionCount: CK_UNAVAILABLE_INFORMATION
	ulSessionCount: 0
	ulMaxRwSessionCount: CK_UNAVAILABLE_INFORMATION
	ulRwSessionCount: 0
	ulMaxPinLen: 0
	ulMinPinLen: 0
	ulTotalPublicMemory: CK_UNAVAILABLE_INFORMATION
	ulFreePublicMemory: CK_UNAVAILABLE_INFORMATION
	ulTotalPrivateMemory: CK_UNAVAILABLE_INFORMATION
	ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION
	ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION
	hardwareVersion: 4.0
	firmwareVersion: 0.0
	utcTime: 
      }
C_GetTokenInfo = CKR_OK
C_GetSlotInfo
  IN: slotID = SL1
 OUT: pInfo = {
	slotDescription: "NSS Internal Cryptographic Services"
	manufacturerID: "Mozilla Foundation"
	flags: 1 = CKF_TOKEN_PRESENT
	hardwareVersion: 3.28
	firmwareVersion: 1.0
      }
C_GetSlotInfo = CKR_OK
C_GetTokenInfo
  IN: slotID = SL2
 OUT: pInfo = {
	label: "NSS Certificate DB"
	manufacturerID: "Mozilla Foundation"
	model: "NSS 3"
	serialNumber: "0000000000000000"
	flags: 1545 = CKF_RNG | CKF_USER_PIN_INITIALIZED | CKF_DUAL_CRYPTO_OPERATIONS | CKF_TOKEN_INITIALIZED
	ulMaxSessionCount: CK_UNAVAILABLE_INFORMATION
	ulSessionCount: 0
	ulMaxRwSessionCount: CK_UNAVAILABLE_INFORMATION
	ulRwSessionCount: 0
	ulMaxPinLen: 255
	ulMinPinLen: 0
	ulTotalPublicMemory: CK_UNAVAILABLE_INFORMATION
	ulFreePublicMemory: CK_UNAVAILABLE_INFORMATION
	ulTotalPrivateMemory: CK_UNAVAILABLE_INFORMATION
	ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION
	ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION
	hardwareVersion: 0.0
	firmwareVersion: 0.0
	utcTime: 
      }
C_GetTokenInfo = CKR_OK
C_GetSlotInfo
  IN: slotID = SL2
 OUT: pInfo = {
	slotDescription: "NSS User Private Key and Certificate Services"
	manufacturerID: "Mozilla Foundation"
	flags: 1 = CKF_TOKEN_PRESENT
	hardwareVersion: 3.28
	firmwareVersion: 1.0
      }
C_GetSlotInfo = CKR_OK
C_GetSlotList
  IN: tokenPresent = CK_TRUE
  IN: pulCount = 0x7FFE3C624BF8 = 48
 OUT: pSlotList = (2) [ SL1, SL2 ]
C_GetSlotList = CKR_OK
C_GetTokenInfo
  IN: slotID = SL1
 OUT: pInfo = {
	label: "NSS Generic Crypto Services"
	manufacturerID: "Mozilla Foundation"
	model: "NSS 3"
	serialNumber: "0000000000000000"
	flags: 1539 = CKF_RNG | CKF_WRITE_PROTECTED | CKF_DUAL_CRYPTO_OPERATIONS | CKF_TOKEN_INITIALIZED
	ulMaxSessionCount: CK_UNAVAILABLE_INFORMATION
	ulSessionCount: 0
	ulMaxRwSessionCount: CK_UNAVAILABLE_INFORMATION
	ulRwSessionCount: 0
	ulMaxPinLen: 0
	ulMinPinLen: 0
	ulTotalPublicMemory: CK_UNAVAILABLE_INFORMATION
	ulFreePublicMemory: CK_UNAVAILABLE_INFORMATION
	ulTotalPrivateMemory: CK_UNAVAILABLE_INFORMATION
	ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION
	ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION
	hardwareVersion: 4.0
	firmwareVersion: 0.0
	utcTime: 
      }
C_GetTokenInfo = CKR_OK
C_GetSlotInfo
  IN: slotID = SL1
 OUT: pInfo = {
	slotDescription: "NSS Internal Cryptographic Services"
	manufacturerID: "Mozilla Foundation"
	flags: 1 = CKF_TOKEN_PRESENT
	hardwareVersion: 3.28
	firmwareVersion: 1.0
      }
C_GetSlotInfo = CKR_OK
C_GetTokenInfo
  IN: slotID = SL2
 OUT: pInfo = {
	label: "NSS Certificate DB"
	manufacturerID: "Mozilla Foundation"
	model: "NSS 3"
	serialNumber: "0000000000000000"
	flags: 1545 = CKF_RNG | CKF_USER_PIN_INITIALIZED | CKF_DUAL_CRYPTO_OPERATIONS | CKF_TOKEN_INITIALIZED
	ulMaxSessionCount: CK_UNAVAILABLE_INFORMATION
	ulSessionCount: 0
	ulMaxRwSessionCount: CK_UNAVAILABLE_INFORMATION
	ulRwSessionCount: 0
	ulMaxPinLen: 255
	ulMinPinLen: 0
	ulTotalPublicMemory: CK_UNAVAILABLE_INFORMATION
	ulFreePublicMemory: CK_UNAVAILABLE_INFORMATION
	ulTotalPrivateMemory: CK_UNAVAILABLE_INFORMATION
	ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION
	ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION
	hardwareVersion: 0.0
	firmwareVersion: 0.0
	utcTime: 
      }
C_GetTokenInfo = CKR_OK
C_GetSlotInfo
  IN: slotID = SL2
 OUT: pInfo = {
	slotDescription: "NSS User Private Key and Certificate Services"
	manufacturerID: "Mozilla Foundation"
	flags: 1 = CKF_TOKEN_PRESENT
	hardwareVersion: 3.28
	firmwareVersion: 1.0
      }
C_GetSlotInfo = CKR_OK
- Status: The certificate is NOT trusted. The certificate issuer is unknown. 
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
*** handshake has failed: Error in the certificate.
Comment 18 David Woodhouse 2017-07-21 09:45:38 EDT
If I have a version of curl built against GnuTLS it's worse; it doesn't even try. I see no evidence of it even loading the default p11-kit modules.
Comment 19 Nikos Mavrogiannopoulos 2017-07-21 09:58:42 EDT
(In reply to David Woodhouse from comment #16)
> Hm? I thought it was *designed* to be compatible, and to allow us to ditch
> the upstream NSS libnssckbi.so module with its trust roots, and just
> override it with a symlink to p11-kit-trust.so? 

The p11-kit-trust speaks both its own protocol as well as the nss PKCS#11 protocol (which was supposed to be legacy).
Comment 20 Nikos Mavrogiannopoulos 2017-07-21 09:59:46 EDT
(In reply to David Woodhouse from comment #18)
> If I have a version of curl built against GnuTLS it's worse; it doesn't even
> try. I see no evidence of it even loading the default p11-kit modules.

Could it be that curl disables PKCS#11 support in gnutls?

Note You need to log in before you can comment on or make changes to this bug.