Description of problem: With a private PKI (i.e. the root certificate is not part of the publicly listed CAs), the imaps server certificate is not trusted, even though the root certificate has been manually added to the list of trusted certificates. The certificate chain is 3 levels deep (root certificate, intermediate CA certificate, server certificate) and the server is configured properly and does present the full chain. This has been tested and confirmed using "openssl s_client -connect mail.mindbit.ro:993 -verify 5 -CAfile RootCA.pem". The root certificate has been configured in evolution using the gui, at Preferences -> Certificates -> Authorities -> Import and does show up in the authorities list. Version-Release number of selected component (if applicable): 3.25.3-1.fc27.i686 The above version is for Fedora rawhide as of today, but the problem can be reproduced on a fairly up-to-date Fedora 25 as well (evolution-3.22.6-2.fc25.i686). How reproducible: always Steps to Reproduce: 1. Create private PKI and a 3rd level server certificate as described above. 2. Configure the imaps server and test with "openssl s_client" as described above. 3. Add the root certificate to the trusted authorities list in evolution. 4. Configure the imaps account and connect to server. Actual results: Evolution complains that the server certificate is not trusted and presents the standard certificate trust window with 4 buttons (cancel / reject / accept temporarily / accept permanently). Expected results: Evolution verifies and accepts server certificate without user intervention. Additional info: This looks very similar to Bug #1246492, except that the root CA is not public. This bug points to Bug #1286034 which in turn points to Bug #1250175. The latter looks like a dead-end. It has only one user comment, which mentions that nothing needs to be backported. This suggests that the problem had been fixed upstream and the fix should have been picked up automatically in a newer Fedora release.
Thanks for a bug report. The Camel part (it's libcamel, responsible for mail) uses NSS for certificates, while the connection streams are from GIO (glib), which usually means gnutls. I'm not sure how these two cooperate, even whether they share the same certificate database (they should, of course, but I do not know it for sure). > The root certificate has been configured in evolution using the gui, at > Preferences -> Certificates -> Authorities -> Import and does show up in > the authorities list. I understood from the comment #0 that for the above you also set the trust level in the GUI. Am I right? > 1. Create private PKI and a 3rd level server certificate as described above. > 2. Configure the imaps server and test with "openssl s_client" as described above. I'm sorry, I'm not that good in these things. Would you mind to elaborate on it, please? I'm able to do the rest of the steps, they are pretty simple, but these two are challenging for me. I'm sorry.
Created attachment 1300135 [details] Test certificates
> I understood from the comment #0 that for the above you also set the trust > level in the GUI. Am I right? Thanks for looking into this. Yes, that's correct. I checked all 3 boxes (trust the certificate to identify websites / email users / software developers). > I'm sorry, I'm not that good in these things. Would you mind to elaborate on > it, please? I'm able to do the rest of the steps, they are pretty simple, > but these two are challenging for me. I'm sorry. I attached test certificates to the ticket. You need to install dovecot to run the imaps server. The certificates can be installed as follows: cat localhost.localdomain.cert.pem ca-chain.cert.pem > /etc/pki/dovecot/certs/dovecot.pem cat localhost.localdomain.key.pem > /etc/pki/dovecot/private/dovecot.pem Nothing else needs to be configured in dovecot (it works with the default configuration). The configuration can be verified like this: openssl s_client -connect localhost:993 -verify 5 -CAfile ca.cert.pem If everything is configured correctly, you should see this at the bottom of the output: Start Time: 1500325726 Timeout : 7200 (sec) Verify return code: 0 (ok) Extended master secret: yes The certificate that needs to be configured in evolution is in ca.cert.pem.
Thanks for all the bits. My openssl output is slightly different, it doesn't have any "Extended master secret" line, but I think it doesn't matter much. What matters is that Camel (from evolution-data-server) uses glib's GIO, which uses glib-networking, which uses gnutls for certificate things, but evolution itself operates on NSS database (sql:/etc/pki/nssdb, eventually ~/.pki/nssdb). I'm afraid that whatever changes evolution does in NSS the gnutls has no idea about them. It wasn't the case in the past, when Camel (in evolution-data-server) used NSS for SSL connections as well, but it's gone for a long time now. Nikos, could you confirm, please, than whatever changes I do in NSS certificate database (in trust for certificate authorities) is not recognized by gnutls, when it verifies that the certificate provided by the connection its trusted or not (including when the trust itself is set to the issuer's root certificate or intermediate certificate), please? I'm afraid that the only option would be to move away from NSS in Camel and Evolution and switch to gnutls instead. I did try to use CERT_VerifyCertificateNow(), but it keeps returning SECSuccess even when I remove trust for the issuer's certificate, or even if I do not have those issuer certificates (either ca-root or the ca-chain) imported. Verifying one of the imported CA certificates does work, and eventually returns that the certificate is not marked trusted by the user (by PORT_GetError()), but I expected it to work on the certificate returned by the server, not that I'd verify one-by-one in the chain myself. There is very little documentation on the NSS, which doesn't help much too. I have a little test application for NSS which I can share, it can be used with the certificates from comment #2 (pass it the localhost.localdomain certificate and import the CA root certificate by Evolution).
(In reply to Radu Rendec from comment #0) > The certificate chain is 3 levels deep (root certificate, intermediate CA > certificate, server certificate) and the server is configured properly and > does present the full chain. This has been tested and confirmed using > "openssl s_client -connect mail.mindbit.ro:993 -verify 5 -CAfile RootCA.pem". > > The root certificate has been configured in evolution using the gui, at > Preferences -> Certificates -> Authorities -> Import and does show up in the > authorities list. Firstly, don't do that. Install the RootCA.pem "correctly" in in the system-wide trust database, by saving it into /etc/pki/ca-trust/source/anchors/ and running 'update-ca-trust'. Then check that your above OpenSSL command line works correctly *without* the '-CAfile RootCA.pem' part. Then I think it'll work from all parts of Evolution too — those which use NSS for their crypto (and hence were using the one you imported into the NSS database through the GUI), and those which don't use NSS (like IMAP, as you discovered).
(In reply to David Woodhouse from comment #5) > Install the RootCA.pem "correctly" in in the system-wide trust database, by > saving it into /etc/pki/ca-trust/source/anchors/ and running > 'update-ca-trust'. Yes, that makes sense now that we have established that different parts of Evolution use different crypto engines. > Then check that your above OpenSSL command line works correctly *without* > the '-CAfile RootCA.pem' part. I haven't checked that, but I expect it would work, since /etc/pki/ca-trust seems to have been designed specifically to accomplish that (provide a common trust store for all crypto engines: NSS, OpenSSL, gnutls and even Java. > Then I think it'll work from all parts of Evolution too — those which use > NSS for their crypto (and hence were using the one you imported into the NSS > database through the GUI), and those which don't use NSS (like IMAP, as you > discovered). Yes, it does. So this solution is good enough for my particular use case. And thank you for providing the solution! On the other hand, I still believe the Evolution GUI is broken: 1. If an application provides a GUI for managing certificates, I expect it to apply to all parts of the application that use cryptography. 2. Maybe I cannot install the CA certificate in the system-wide trust store (think, for instance, shared systems where one doesn't have root) or I simply don't want to (because I just don't want *every* application on the system to trust that CA). For the record, I was able to verify that the Evolution GUI installs the CA certificate in the NSS trust store, by using "certutil" to retrieve the certificate from the store. And I assume it's the user (not the system-wide) trust store, because I explicitly used "-d sql:.pki/nssdb/" on the command line.
(In reply to Radu Rendec from comment #6) > On the other hand, I still believe the Evolution GUI is broken: > 1. If an application provides a GUI for managing certificates, I expect it to > apply to all parts of the application that use cryptography. Right, I agree it's confusing, but once you understand the complexity, then you know it's not that simple to be achieved. What one might want is to have also user-specific trust store and that being managed by all the libraries at once, not one user trust store for nss, one for gnutls and so on. > 2. Maybe I cannot install the CA certificate in the system-wide trust store > (think, for instance, shared systems where one doesn't have root) or I > simply don't want to (because I just don't want *every* application on > the system to trust that CA). I agree here as well. It adds to the complexity and it's still the same issue. > And I assume it's the user (not the system-wide) trust store, because I > explicitly used "-d sql:.pki/nssdb/" on the command line. I made similar observation here as well. The update-ca-trust doesn't seem to work with any folder in the user's home. > Yes, it does. So this solution is good enough for my particular use case. I'm closing this then. Thanks David for the pointer.
They're all just PKCS#11 tokens. It isn't that hard to make use of the user's NSS softokn in ~/.pki/nssdb/ from GnuTLS or even OpenSSL. Maybe Evolution should be explicitly doing so when it uses GnuTLS, given that it does use the NSS database for other things. It probably would have made more sense for Evolution to be using the gnome-keyring token instead, but to migrate to that now is going to be more pain than it's worth. FWIW I think there are ways to put the additional CA into the system store with a restriction so it isn't blindly trusted for *everything*, but there really ought to be a way for users to add their own, and I don't think we do have that. Nikos?
>Nikos, could you confirm, please, than whatever changes I do in NSS certificate >database (in trust for certificate authorities) is not recognized by gnutls, when >it verifies that the certificate provided by the connection its trusted or not >(including when the trust itself is set to the issuer's root certificate or >intermediate certificate), please? I can confirm that, as well as David's reply of using the system-wide trust store is the way to handle root CA certificates in Fedora in a cross application way.
(In reply to Nikos Mavrogiannopoulos from comment #9) > I can confirm that, as well as David's reply of using the system-wide trust > store is the way to handle root CA certificates in Fedora in a cross > application way. Thanks. Does it also mean that there is no way for a (GUI) application to change the trust on a user-based level, without touching the root-privileged global trust store? Like in evolution, where NSS is used for the GUI part, but the connection streams use gnutls (or whatever glib-networking picks). Is there any plan to support this, like to merge things from the global folder and also have a similar shadow-folder in user's home, where only user-specific trust preferences would be saved?
(In reply to Milan Crha from comment #10) > (In reply to Nikos Mavrogiannopoulos from comment #9) > > I can confirm that, as well as David's reply of using the system-wide trust > > store is the way to handle root CA certificates in Fedora in a cross > > application way. > > Thanks. Does it also mean that there is no way for a (GUI) application to > change the trust on a user-based level, without touching the root-privileged > global trust store? Like in evolution, where NSS is used for the GUI part, > but the connection streams use gnutls (or whatever glib-networking picks). > > Is there any plan to support this, like to merge things from the global > folder and also have a similar shadow-folder in user's home, where only > user-specific trust preferences would be saved? You'll need co-ordination of the underlying components, e.g., provide the certificates in the user trust store for both NSS and glib-networking.
(In reply to Nikos Mavrogiannopoulos from comment #11) > You'll need co-ordination of the underlying components, e.g., provide the > certificates in the user trust store for both NSS and glib-networking. Yes, that's understood. My question was whether there's already any such plan, like with the system store, or whether it's not planned at all right now.
(In reply to Milan Crha from comment #12) > (In reply to Nikos Mavrogiannopoulos from comment #11) > > You'll need co-ordination of the underlying components, e.g., provide the > > certificates in the user trust store for both NSS and glib-networking. > > Yes, that's understood. My question was whether there's already any such > plan, like with the system store, or whether it's not planned at all right > now. There is no plan to bring the NSS store to gnutls or openssl.
(In reply to Nikos Mavrogiannopoulos from comment #13) > There is no plan to bring the NSS store to gnutls or openssl. We can do it for ourselves though — as I said, it's just a PKCS#11 token that we can tell GnuTLS to load as an "extra" one, in addition to the normal set. The fact that there's no system-wide plan to do this automatically is actually good for us in Evolution, since we can do it for ourselves and not worry about conflicting with such a plan. Start by doing something like this (change the homedir): cat > ~/.config/pkcs11/evo-nss.module <<EOF module: /usr/lib64/libsoftokn3.so x-init-reserved: configdir='sql:/home/dwmw2/.pki/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' trust-policy: yes critical: yes log-calls:no enable-in: evolution EOF We can look at getting Evolution to do that for itself, later. But I think it should make your user-trusted CAs work, and should also make client certs from the NSS database available (although you'll need more work to be able to actually *use* them). If we do this, we could kill the final uses of NSS itself from Evolution, which would be nice.
(In reply to David Woodhouse from comment #14) > (In reply to Nikos Mavrogiannopoulos from comment #13) > > There is no plan to bring the NSS store to gnutls or openssl. > > We can do it for ourselves though — as I said, it's just a PKCS#11 token > that we can tell GnuTLS to load as an "extra" one, in addition to the normal > set. > The fact that there's no system-wide plan to do this automatically is > actually good for us in Evolution, since we can do it for ourselves and not > worry about conflicting with such a plan. I'm not sure if that's possible. The NSS module is similar but not compatible with the p11-kit trust module (the language gnutls talks).
Hm? I thought it was *designed* to be compatible, and to allow us to ditch the upstream NSS libnssckbi.so module with its trust roots, and just override it with a symlink to p11-kit-trust.so? Admittedly that's compatibility in the opposite direction, but I actually thought it was both.
Hm... Test server running with my own CA, CA installed into sql:~/pki/nssdb. So curl (Fedora 25, built against curl) now likes it. But indeed, gnutls-cli doesn't work... $ cat ~/.config/pkcs11/modules/nss.module # The file is installed/loaded from the default module p11-kit directory module: /usr/lib64/libsoftokn3.so x-init-reserved: configdir='sql:/home/dwmw2/.pki/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' trust-policy: yes critical: yes log-calls:yes $ gnutls-cli -p 8443 i7.infradead.org C_Initialize IN: pInitArgs = NULL C_Initialize = CKR_OK p11-kit: softhsm: module failed to initialize, skipping: Internal error C_GetInfo OUT: pInfo = { cryptokiVersion: 2.20 manufacturerID: "Mozilla Foundation" flags: 0 libraryDescription: "NSS Internal Crypto Services" libraryVersion: 3.28 } C_GetInfo = CKR_OK C_GetSlotList IN: tokenPresent = CK_TRUE IN: pulCount = 0x7FFE3C626378 = 48 OUT: pSlotList = (2) [ SL1, SL2 ] C_GetSlotList = CKR_OK C_GetTokenInfo IN: slotID = SL1 OUT: pInfo = { label: "NSS Generic Crypto Services" manufacturerID: "Mozilla Foundation" model: "NSS 3" serialNumber: "0000000000000000" flags: 1539 = CKF_RNG | CKF_WRITE_PROTECTED | CKF_DUAL_CRYPTO_OPERATIONS | CKF_TOKEN_INITIALIZED ulMaxSessionCount: CK_UNAVAILABLE_INFORMATION ulSessionCount: 0 ulMaxRwSessionCount: CK_UNAVAILABLE_INFORMATION ulRwSessionCount: 0 ulMaxPinLen: 0 ulMinPinLen: 0 ulTotalPublicMemory: CK_UNAVAILABLE_INFORMATION ulFreePublicMemory: CK_UNAVAILABLE_INFORMATION ulTotalPrivateMemory: CK_UNAVAILABLE_INFORMATION ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION hardwareVersion: 4.0 firmwareVersion: 0.0 utcTime: } C_GetTokenInfo = CKR_OK C_GetSlotInfo IN: slotID = SL1 OUT: pInfo = { slotDescription: "NSS Internal Cryptographic Services" manufacturerID: "Mozilla Foundation" flags: 1 = CKF_TOKEN_PRESENT hardwareVersion: 3.28 firmwareVersion: 1.0 } C_GetSlotInfo = CKR_OK C_GetTokenInfo IN: slotID = SL2 OUT: pInfo = { label: "NSS Certificate DB" manufacturerID: "Mozilla Foundation" model: "NSS 3" serialNumber: "0000000000000000" flags: 1545 = CKF_RNG | CKF_USER_PIN_INITIALIZED | CKF_DUAL_CRYPTO_OPERATIONS | CKF_TOKEN_INITIALIZED ulMaxSessionCount: CK_UNAVAILABLE_INFORMATION ulSessionCount: 0 ulMaxRwSessionCount: CK_UNAVAILABLE_INFORMATION ulRwSessionCount: 0 ulMaxPinLen: 255 ulMinPinLen: 0 ulTotalPublicMemory: CK_UNAVAILABLE_INFORMATION ulFreePublicMemory: CK_UNAVAILABLE_INFORMATION ulTotalPrivateMemory: CK_UNAVAILABLE_INFORMATION ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION hardwareVersion: 0.0 firmwareVersion: 0.0 utcTime: } C_GetTokenInfo = CKR_OK C_GetSlotInfo IN: slotID = SL2 OUT: pInfo = { slotDescription: "NSS User Private Key and Certificate Services" manufacturerID: "Mozilla Foundation" flags: 1 = CKF_TOKEN_PRESENT hardwareVersion: 3.28 firmwareVersion: 1.0 } C_GetSlotInfo = CKR_OK Processed 216 CA certificate(s). Resolving 'i7.infradead.org:8443'... Connecting to '2001:8b0:10b:1:21e:67ff:fecb:7a92:8443'... - Certificate type: X.509 - Got a certificate list of 1 certificates. - Certificate[0] info: - subject `CN=i7.infradead.org,O=Default Company Ltd,L=Default City,C=XX', issuer `EMAIL=dwmw2,CN=Infradead test CA,OU=shinybook,O=Infradead test CA,L=Great Bardfield,ST=Essex,C=GB', serial 0x008a8a63da4a27d88f, RSA key 2048 bits, signed using RSA-SHA256, activated `2017-07-21 13:09:14 UTC', expires `2027-07-19 13:09:14 UTC', key-ID `sha256:6a0ee877a5d335b8f31ae62bf25d2f58bec72a9e8d7e8e27e5e3fca65458443e' Public Key ID: sha1:22790e1812feffde957be6096d51b9e0fe6fbaca sha256:6a0ee877a5d335b8f31ae62bf25d2f58bec72a9e8d7e8e27e5e3fca65458443e Public key's random art: +--[ RSA 2048]----+ |. | |.. .| |... . o | | ..o . . o .| | ..+ o S o . | | .= . + . | | .. + + | | . . ..+oo .| | .o . .E+o=o| +-----------------+ C_GetSlotList IN: tokenPresent = CK_TRUE IN: pulCount = 0x7FFE3C624C18 = 48 OUT: pSlotList = (2) [ SL1, SL2 ] C_GetSlotList = CKR_OK C_GetTokenInfo IN: slotID = SL1 OUT: pInfo = { label: "NSS Generic Crypto Services" manufacturerID: "Mozilla Foundation" model: "NSS 3" serialNumber: "0000000000000000" flags: 1539 = CKF_RNG | CKF_WRITE_PROTECTED | CKF_DUAL_CRYPTO_OPERATIONS | CKF_TOKEN_INITIALIZED ulMaxSessionCount: CK_UNAVAILABLE_INFORMATION ulSessionCount: 0 ulMaxRwSessionCount: CK_UNAVAILABLE_INFORMATION ulRwSessionCount: 0 ulMaxPinLen: 0 ulMinPinLen: 0 ulTotalPublicMemory: CK_UNAVAILABLE_INFORMATION ulFreePublicMemory: CK_UNAVAILABLE_INFORMATION ulTotalPrivateMemory: CK_UNAVAILABLE_INFORMATION ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION hardwareVersion: 4.0 firmwareVersion: 0.0 utcTime: } C_GetTokenInfo = CKR_OK C_GetSlotInfo IN: slotID = SL1 OUT: pInfo = { slotDescription: "NSS Internal Cryptographic Services" manufacturerID: "Mozilla Foundation" flags: 1 = CKF_TOKEN_PRESENT hardwareVersion: 3.28 firmwareVersion: 1.0 } C_GetSlotInfo = CKR_OK C_GetTokenInfo IN: slotID = SL2 OUT: pInfo = { label: "NSS Certificate DB" manufacturerID: "Mozilla Foundation" model: "NSS 3" serialNumber: "0000000000000000" flags: 1545 = CKF_RNG | CKF_USER_PIN_INITIALIZED | CKF_DUAL_CRYPTO_OPERATIONS | CKF_TOKEN_INITIALIZED ulMaxSessionCount: CK_UNAVAILABLE_INFORMATION ulSessionCount: 0 ulMaxRwSessionCount: CK_UNAVAILABLE_INFORMATION ulRwSessionCount: 0 ulMaxPinLen: 255 ulMinPinLen: 0 ulTotalPublicMemory: CK_UNAVAILABLE_INFORMATION ulFreePublicMemory: CK_UNAVAILABLE_INFORMATION ulTotalPrivateMemory: CK_UNAVAILABLE_INFORMATION ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION hardwareVersion: 0.0 firmwareVersion: 0.0 utcTime: } C_GetTokenInfo = CKR_OK C_GetSlotInfo IN: slotID = SL2 OUT: pInfo = { slotDescription: "NSS User Private Key and Certificate Services" manufacturerID: "Mozilla Foundation" flags: 1 = CKF_TOKEN_PRESENT hardwareVersion: 3.28 firmwareVersion: 1.0 } C_GetSlotInfo = CKR_OK C_GetSlotList IN: tokenPresent = CK_TRUE IN: pulCount = 0x7FFE3C624C18 = 48 OUT: pSlotList = (2) [ SL1, SL2 ] C_GetSlotList = CKR_OK C_GetTokenInfo IN: slotID = SL1 OUT: pInfo = { label: "NSS Generic Crypto Services" manufacturerID: "Mozilla Foundation" model: "NSS 3" serialNumber: "0000000000000000" flags: 1539 = CKF_RNG | CKF_WRITE_PROTECTED | CKF_DUAL_CRYPTO_OPERATIONS | CKF_TOKEN_INITIALIZED ulMaxSessionCount: CK_UNAVAILABLE_INFORMATION ulSessionCount: 0 ulMaxRwSessionCount: CK_UNAVAILABLE_INFORMATION ulRwSessionCount: 0 ulMaxPinLen: 0 ulMinPinLen: 0 ulTotalPublicMemory: CK_UNAVAILABLE_INFORMATION ulFreePublicMemory: CK_UNAVAILABLE_INFORMATION ulTotalPrivateMemory: CK_UNAVAILABLE_INFORMATION ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION hardwareVersion: 4.0 firmwareVersion: 0.0 utcTime: } C_GetTokenInfo = CKR_OK C_GetSlotInfo IN: slotID = SL1 OUT: pInfo = { slotDescription: "NSS Internal Cryptographic Services" manufacturerID: "Mozilla Foundation" flags: 1 = CKF_TOKEN_PRESENT hardwareVersion: 3.28 firmwareVersion: 1.0 } C_GetSlotInfo = CKR_OK C_GetTokenInfo IN: slotID = SL2 OUT: pInfo = { label: "NSS Certificate DB" manufacturerID: "Mozilla Foundation" model: "NSS 3" serialNumber: "0000000000000000" flags: 1545 = CKF_RNG | CKF_USER_PIN_INITIALIZED | CKF_DUAL_CRYPTO_OPERATIONS | CKF_TOKEN_INITIALIZED ulMaxSessionCount: CK_UNAVAILABLE_INFORMATION ulSessionCount: 0 ulMaxRwSessionCount: CK_UNAVAILABLE_INFORMATION ulRwSessionCount: 0 ulMaxPinLen: 255 ulMinPinLen: 0 ulTotalPublicMemory: CK_UNAVAILABLE_INFORMATION ulFreePublicMemory: CK_UNAVAILABLE_INFORMATION ulTotalPrivateMemory: CK_UNAVAILABLE_INFORMATION ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION hardwareVersion: 0.0 firmwareVersion: 0.0 utcTime: } C_GetTokenInfo = CKR_OK C_GetSlotInfo IN: slotID = SL2 OUT: pInfo = { slotDescription: "NSS User Private Key and Certificate Services" manufacturerID: "Mozilla Foundation" flags: 1 = CKF_TOKEN_PRESENT hardwareVersion: 3.28 firmwareVersion: 1.0 } C_GetSlotInfo = CKR_OK C_GetSlotList IN: tokenPresent = CK_TRUE IN: pulCount = 0x7FFE3C624C18 = 48 OUT: pSlotList = (2) [ SL1, SL2 ] C_GetSlotList = CKR_OK C_GetTokenInfo IN: slotID = SL1 OUT: pInfo = { label: "NSS Generic Crypto Services" manufacturerID: "Mozilla Foundation" model: "NSS 3" serialNumber: "0000000000000000" flags: 1539 = CKF_RNG | CKF_WRITE_PROTECTED | CKF_DUAL_CRYPTO_OPERATIONS | CKF_TOKEN_INITIALIZED ulMaxSessionCount: CK_UNAVAILABLE_INFORMATION ulSessionCount: 0 ulMaxRwSessionCount: CK_UNAVAILABLE_INFORMATION ulRwSessionCount: 0 ulMaxPinLen: 0 ulMinPinLen: 0 ulTotalPublicMemory: CK_UNAVAILABLE_INFORMATION ulFreePublicMemory: CK_UNAVAILABLE_INFORMATION ulTotalPrivateMemory: CK_UNAVAILABLE_INFORMATION ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION hardwareVersion: 4.0 firmwareVersion: 0.0 utcTime: } C_GetTokenInfo = CKR_OK C_GetSlotInfo IN: slotID = SL1 OUT: pInfo = { slotDescription: "NSS Internal Cryptographic Services" manufacturerID: "Mozilla Foundation" flags: 1 = CKF_TOKEN_PRESENT hardwareVersion: 3.28 firmwareVersion: 1.0 } C_GetSlotInfo = CKR_OK C_GetTokenInfo IN: slotID = SL2 OUT: pInfo = { label: "NSS Certificate DB" manufacturerID: "Mozilla Foundation" model: "NSS 3" serialNumber: "0000000000000000" flags: 1545 = CKF_RNG | CKF_USER_PIN_INITIALIZED | CKF_DUAL_CRYPTO_OPERATIONS | CKF_TOKEN_INITIALIZED ulMaxSessionCount: CK_UNAVAILABLE_INFORMATION ulSessionCount: 0 ulMaxRwSessionCount: CK_UNAVAILABLE_INFORMATION ulRwSessionCount: 0 ulMaxPinLen: 255 ulMinPinLen: 0 ulTotalPublicMemory: CK_UNAVAILABLE_INFORMATION ulFreePublicMemory: CK_UNAVAILABLE_INFORMATION ulTotalPrivateMemory: CK_UNAVAILABLE_INFORMATION ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION hardwareVersion: 0.0 firmwareVersion: 0.0 utcTime: } C_GetTokenInfo = CKR_OK C_GetSlotInfo IN: slotID = SL2 OUT: pInfo = { slotDescription: "NSS User Private Key and Certificate Services" manufacturerID: "Mozilla Foundation" flags: 1 = CKF_TOKEN_PRESENT hardwareVersion: 3.28 firmwareVersion: 1.0 } C_GetSlotInfo = CKR_OK C_GetSlotList IN: tokenPresent = CK_TRUE IN: pulCount = 0x7FFE3C624C18 = 48 OUT: pSlotList = (2) [ SL1, SL2 ] C_GetSlotList = CKR_OK C_GetTokenInfo IN: slotID = SL1 OUT: pInfo = { label: "NSS Generic Crypto Services" manufacturerID: "Mozilla Foundation" model: "NSS 3" serialNumber: "0000000000000000" flags: 1539 = CKF_RNG | CKF_WRITE_PROTECTED | CKF_DUAL_CRYPTO_OPERATIONS | CKF_TOKEN_INITIALIZED ulMaxSessionCount: CK_UNAVAILABLE_INFORMATION ulSessionCount: 0 ulMaxRwSessionCount: CK_UNAVAILABLE_INFORMATION ulRwSessionCount: 0 ulMaxPinLen: 0 ulMinPinLen: 0 ulTotalPublicMemory: CK_UNAVAILABLE_INFORMATION ulFreePublicMemory: CK_UNAVAILABLE_INFORMATION ulTotalPrivateMemory: CK_UNAVAILABLE_INFORMATION ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION hardwareVersion: 4.0 firmwareVersion: 0.0 utcTime: } C_GetTokenInfo = CKR_OK C_GetSlotInfo IN: slotID = SL1 OUT: pInfo = { slotDescription: "NSS Internal Cryptographic Services" manufacturerID: "Mozilla Foundation" flags: 1 = CKF_TOKEN_PRESENT hardwareVersion: 3.28 firmwareVersion: 1.0 } C_GetSlotInfo = CKR_OK C_GetTokenInfo IN: slotID = SL2 OUT: pInfo = { label: "NSS Certificate DB" manufacturerID: "Mozilla Foundation" model: "NSS 3" serialNumber: "0000000000000000" flags: 1545 = CKF_RNG | CKF_USER_PIN_INITIALIZED | CKF_DUAL_CRYPTO_OPERATIONS | CKF_TOKEN_INITIALIZED ulMaxSessionCount: CK_UNAVAILABLE_INFORMATION ulSessionCount: 0 ulMaxRwSessionCount: CK_UNAVAILABLE_INFORMATION ulRwSessionCount: 0 ulMaxPinLen: 255 ulMinPinLen: 0 ulTotalPublicMemory: CK_UNAVAILABLE_INFORMATION ulFreePublicMemory: CK_UNAVAILABLE_INFORMATION ulTotalPrivateMemory: CK_UNAVAILABLE_INFORMATION ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION hardwareVersion: 0.0 firmwareVersion: 0.0 utcTime: } C_GetTokenInfo = CKR_OK C_GetSlotInfo IN: slotID = SL2 OUT: pInfo = { slotDescription: "NSS User Private Key and Certificate Services" manufacturerID: "Mozilla Foundation" flags: 1 = CKF_TOKEN_PRESENT hardwareVersion: 3.28 firmwareVersion: 1.0 } C_GetSlotInfo = CKR_OK C_GetSlotList IN: tokenPresent = CK_TRUE IN: pulCount = 0x7FFE3C624BF8 = 48 OUT: pSlotList = (2) [ SL1, SL2 ] C_GetSlotList = CKR_OK C_GetTokenInfo IN: slotID = SL1 OUT: pInfo = { label: "NSS Generic Crypto Services" manufacturerID: "Mozilla Foundation" model: "NSS 3" serialNumber: "0000000000000000" flags: 1539 = CKF_RNG | CKF_WRITE_PROTECTED | CKF_DUAL_CRYPTO_OPERATIONS | CKF_TOKEN_INITIALIZED ulMaxSessionCount: CK_UNAVAILABLE_INFORMATION ulSessionCount: 0 ulMaxRwSessionCount: CK_UNAVAILABLE_INFORMATION ulRwSessionCount: 0 ulMaxPinLen: 0 ulMinPinLen: 0 ulTotalPublicMemory: CK_UNAVAILABLE_INFORMATION ulFreePublicMemory: CK_UNAVAILABLE_INFORMATION ulTotalPrivateMemory: CK_UNAVAILABLE_INFORMATION ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION hardwareVersion: 4.0 firmwareVersion: 0.0 utcTime: } C_GetTokenInfo = CKR_OK C_GetSlotInfo IN: slotID = SL1 OUT: pInfo = { slotDescription: "NSS Internal Cryptographic Services" manufacturerID: "Mozilla Foundation" flags: 1 = CKF_TOKEN_PRESENT hardwareVersion: 3.28 firmwareVersion: 1.0 } C_GetSlotInfo = CKR_OK C_GetTokenInfo IN: slotID = SL2 OUT: pInfo = { label: "NSS Certificate DB" manufacturerID: "Mozilla Foundation" model: "NSS 3" serialNumber: "0000000000000000" flags: 1545 = CKF_RNG | CKF_USER_PIN_INITIALIZED | CKF_DUAL_CRYPTO_OPERATIONS | CKF_TOKEN_INITIALIZED ulMaxSessionCount: CK_UNAVAILABLE_INFORMATION ulSessionCount: 0 ulMaxRwSessionCount: CK_UNAVAILABLE_INFORMATION ulRwSessionCount: 0 ulMaxPinLen: 255 ulMinPinLen: 0 ulTotalPublicMemory: CK_UNAVAILABLE_INFORMATION ulFreePublicMemory: CK_UNAVAILABLE_INFORMATION ulTotalPrivateMemory: CK_UNAVAILABLE_INFORMATION ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION hardwareVersion: 0.0 firmwareVersion: 0.0 utcTime: } C_GetTokenInfo = CKR_OK C_GetSlotInfo IN: slotID = SL2 OUT: pInfo = { slotDescription: "NSS User Private Key and Certificate Services" manufacturerID: "Mozilla Foundation" flags: 1 = CKF_TOKEN_PRESENT hardwareVersion: 3.28 firmwareVersion: 1.0 } C_GetSlotInfo = CKR_OK - Status: The certificate is NOT trusted. The certificate issuer is unknown. *** PKI verification of server certificate failed... *** Fatal error: Error in the certificate. *** handshake has failed: Error in the certificate.
If I have a version of curl built against GnuTLS it's worse; it doesn't even try. I see no evidence of it even loading the default p11-kit modules.
(In reply to David Woodhouse from comment #16) > Hm? I thought it was *designed* to be compatible, and to allow us to ditch > the upstream NSS libnssckbi.so module with its trust roots, and just > override it with a symlink to p11-kit-trust.so? The p11-kit-trust speaks both its own protocol as well as the nss PKCS#11 protocol (which was supposed to be legacy).
(In reply to David Woodhouse from comment #18) > If I have a version of curl built against GnuTLS it's worse; it doesn't even > try. I see no evidence of it even loading the default p11-kit modules. Could it be that curl disables PKCS#11 support in gnutls?