Description of problem:
AusweisApp2 doesn't work - even looking at "Own data" doesn't work.

Steps to Reproduce:
1. Start "view own data"

Actual results:
- communication to https://www.autentapp.de seems to fail.

Expected results:
It should show "own data".

AusweisApp2-1.22.3-1.fc36.x86_64 running on Gnome desktop

Additional info (taken from Log on screen):

```
network 2022.07.10 08:20:14.730 198882 I ...SslHandshakeDone(workflows/base/states/StateGenericSendReceive.cpp:110) : Used session protocol: "TlsV1_2"
network 2022.07.10 08:20:14.730 198882 I ...SslHandshakeDone(workflows/base/states/StateGenericSendReceive.cpp:110) : Used ephemeral server key:
network 2022.07.10 08:20:14.730 198882 I ...SslHandshakeDone(workflows/base/states/StateGenericSendReceive.cpp:110) : Used peer certificate: QSslCertificate("3", "77:e6:2b:ae:23:d1:b6:59:81:be:35:94:cb:fe:e2:00", "IFsNCKNJnVGooZYRZYqFUQ==", "D-TRUST CA 2-2 EV 2016", "Governikus GmbH & Co. KG", QMap((1, "prodpaos.governikus-eid.de")(1, "prod2.governikus-eid.de")(1, "prod2paos.governikus-eid.de")(1, "test.governikus-eid.de")(1, "testpaos.governikus-eid.de")(1, "akdb.test.governikus-eid.de")(1, "akdbpaos.test.governikus-eid.de")(1, "signon.governikus-eid.de")(1, "signonpaos.governikus-eid.de")(1, "prod3.governikus-eid.de")(1, "prod3paos.governikus-eid.de")(1, "prod.governikus-eid.de")), QDateTime(2020-07-17 10:00:08.000 UTC Qt::UTC), QDateTime(2022-07-21 10:00:08.000 UTC Qt::UTC))
network 2022.07.10 08:20:14.731 198882 I ...SslHandshakeDone(workflows/base/states/StateGenericSendReceive.cpp:110) : Used ssl session: "f85687751b6aa21d6becbde9826f209ffa419cb3524d25bb6abd0e19cf3d286f"
network 2022.07.10 08:20:14.731 198882 I ...SslHandshakeDone(workflows/base/states/StateGenericSendReceive.cpp:110) : Handshake of tls connection done!

network 2022.07.10 08:20:15.197 198882 ...:onReplyFinished(workflows/base/states/StateGenericSendReceive.cpp:276) : Status Code: 200 "OK"
network 2022.07.10 08:20:15.197 198882 ...:onReplyFinished(workflows/base/states/StateGenericSendReceive.cpp:276) : Header | Connection: keep-alive
network 2022.07.10 08:20:15.198 198882 ...:onReplyFinished(workflows/base/states/StateGenericSendReceive.cpp:276) : Header | Content-Type: application/vnd.paos+xml
network 2022.07.10 08:20:15.198 198882 ...:onReplyFinished(workflows/base/states/StateGenericSendReceive.cpp:276) : Header | Content-Length: 8511
network 2022.07.10 08:20:15.199 198882 ...:onReplyFinished(workflows/base/states/StateGenericSendReceive.cpp:276) : Header | Content-Security-Policy: default-src 'self'
network 2022.07.10 08:20:15.199 198882 ...:onReplyFinished(workflows/base/states/StateGenericSendReceive.cpp:276) : Header | Date: Sun, 10 Jul 2022 06:20:49 GMT
card 2022.07.10 08:20:15.320 198882 C SignatureChecker::check(card/base/asn1/SignatureChecker.cpp:47) : Certificate verification failed: "DECVCAeID00102"
default 2022.07.10 08:20:15.320 198882 C ...PreVerification::run(workflows/base/states/StatePreVerification.cpp:74) : Pre-verification failed: signature check failed
```
I had a chat with the Support AusweisApp2 team at Governikus. Looks like the AusweisApp2-1.22.3 is outdated and we need to (re)build to AusweisApp2-1.22.6 at least. Can someone take care that the Fedora community build of AusweisApp2 gets refreshed? Thanks, Michael
Newer releases are available upstream but AusweisApp2-1.22.3 still works for me on Fedora 35 and even on Fedora 36 if I replace /usr/libexec/AusweisApp2 with the binary from the F35 package. An obvious difference between both binaries is the usage of OpenSSL 3 by the F36 version and OpenSSL 1.1 by the F35 version according to page "Hilfe / Versionsinformationen". So I guess the source code of AusweisApp2 needs some modification to work properly with OpenSSL 3.
Hi there, Yes, you should update the AA2. But that isn't the problem and won't fix this. The AA2 is already compatible with OpenSSL3 - it just uses "deprecated" APIs until 1.24.0. "Pre-verification failed" means that the CV-Certificates are not valid. But I don't think that it is invalid here. It seems that openssl cannot check the algorithms anymore. Looks like the openssl package [1] disabled too much of elliptic curves.

[1] https://src.fedoraproject.org/rpms/openssl/tree/rawhide
1.24.0 was released upstream a few days ago and supports OpenSSL 3.0.5 according to release notes, so it's worth a try.
FEDORA-2022-f83b2ce82b has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-f83b2ce82b
FEDORA-2022-4ce7878f2d has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2022-4ce7878f2d
FEDORA-2022-515a71a545 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2022-515a71a545
FEDORA-2022-515a71a545 has been pushed to the Fedora 37 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-515a71a545` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-515a71a545 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2022-f83b2ce82b has been pushed to the Fedora 36 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-f83b2ce82b` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-f83b2ce82b See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2022-4ce7878f2d has been pushed to the Fedora 35 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-4ce7878f2d` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-4ce7878f2d See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
*** Bug 2124998 has been marked as a duplicate of this bug. ***
The following warning is shown in the log which was not there in 1.22.2 logs from January this year I still have lying around:

```
default 2022.09.11 11:41:01.107 63805 W SslCipherList::operator+=(secure_storage/TlsConfiguration.cpp:32) : Cipher is not supported by OpenSSL and will be ignored: "ECDHE-PSK-AES128-CBC-SHA256"
default 2022.09.11 11:41:01.107 63805 W SslCipherList::operator+=(secure_storage/TlsConfiguration.cpp:32) : Cipher is not supported by OpenSSL and will be ignored: "ECDHEdefault
```

Can we confirm whether these are the ciphers used by DECVCAeID00102 certificate?
Apologies, I made a copy-paste error:

```
default 2022.09.11 11:41:01.107 63805 W SslCipherList::operator+=(secure_storage/TlsConfiguration.cpp:32) : Cipher is not supported by OpenSSL and will be ignored: "ECDHE-PSK-AES128-CBC-SHA256"
default 2022.09.11 11:41:01.107 63805 W SslCipherList::operator+=(secure_storage/TlsConfiguration.cpp:32) : Cipher is not supported by OpenSSL and will be ignored: "ECDHE default 2022.09.11 11:41:01.107 63805 W SslCipherList::operator+=(secure_storage/TlsConfiguration.cpp:32) : Cipher is not supported by OpenSSL and will be ignored: "ECDHE-PSK-AES128-CBC-SHA256"-PSK-AES256-CBC-SHA384"
```

In any case, the 1.24.1 log shows the following:

```
network 2022.09.11 11:41:11.268 63805 I NetworkManager::processUpdaterRequest(network/NetworkManager.cpp:173) : Used session cipher QSslCipher(name=ECDHE-ECDSA-AES128-GCM-SHA256, bits=128, proto=TLSv1.2)
network 2022.09.11 11:41:11.268 63805 I NetworkManager::processUpdaterRequest(network/NetworkManager.cpp:173) : Used session protocol: "TlsV1_2"
network 2022.09.11 11:41:11.268 63805 I NetworkManager::processUpdaterRequest(network/NetworkManager.cpp:173) : Used ephemeral server key: QSslKey(PublicKey, EC, 256)
network 2022.09.11 11:41:11.268 63805 I NetworkManager::processUpdaterRequest(network/NetworkManager.cpp:173) : Used peer certificate: QSslCertificate("3", "7a:70:ab:a4:a6:6d:aa:ff", "hUFmV5s48mTAtg6MJzbMEQ==", "Governikus CA 9:PN", "updates.autentapp.de", QMultiMap((1, "updates.autentapp.de")), QDateTime(2021-12-06 10:18:22.000 UTC Qt::UTC), QDateTime(2027-12-31 23:59:00.000 UTC Qt::UTC))
network 2022.09.11 11:41:11.269 63805 I NetworkManager::processUpdaterRequest(network/NetworkManager.cpp:173) : Used ssl session: "23e868913e5464e0819ddddc71d182bf0ef5ce4899a5d8e45b337e0d1ad19bd9"
network 2022.09.11 11:41:11.269 63805 I NetworkManager::processUpdaterRequest(network/NetworkManager.cpp:173) : Handshake of tls connection done!

card 2022.09.11 11:42:08.860 63805 W ...ertificateChainBuilder(card/base/asn1/CVCertificateChainBuilder.cpp:41) : No valid chains could be built
card 2022.09.11 11:42:08.860 63805 W ...ertificateChainBuilder(card/base/asn1/CVCertificateChainBuilder.cpp:41) : No valid chains could be built
support 2022.09.11 11:42:08.860 63805 I AppController::startNewWorkflow(core/controller/AppController.cpp:453) : Started new workflow SELF
qml 2022.09.11 11:42:08.860 63805 W ApplicationModel::keepScreenOn(ui/qml/ApplicationModel.cpp:389) : NOT IMPLEMENTED: true
qml 2022.09.11 11:42:08.949 63805 W (/qml/Governikus/View/BaseController.qml:48) : No focus item found using TitleBar
network 2022.09.11 11:42:09.130 63805 I ...oken::onSslHandshakeDone(workflows/base/states/StateGetTcToken.cpp:121) : Used session cipher QSslCipher(name=ECDHE-RSA-AES256-GCM-SHA384, bits=256, proto=TLSv1.2)
network 2022.09.11 11:42:09.130 63805 I ...oken::onSslHandshakeDone(workflows/base/states/StateGetTcToken.cpp:121) : Used session protocol: "TlsV1_2"
network 2022.09.11 11:42:09.130 63805 I ...oken::onSslHandshakeDone(workflows/base/states/StateGetTcToken.cpp:121) : Used ephemeral server key: QSslKey(PublicKey, EC, 256)
network 2022.09.11 11:42:09.130 63805 I ...oken::onSslHandshakeDone(workflows/base/states/StateGetTcToken.cpp:121) : Used peer certificate: QSslCertificate("3", "02:e6:2a:98:5f:8a:17:65:fb:2e:a2:e9:f2:e8:4d:41", "sfLGlGvut9VpAgZZ76orcA==", "TeleSec ServerPass Class 2 CA", "www.autentapp.de", QMultiMap((1, "www.autentapp.de")), QDateTime(2021-11-08 12:30:21.000 UTC Qt::UTC), QDateTime(2022-11-12 23:59:59.000 UTC Qt::UTC))
network 2022.09.11 11:42:09.130 63805 I ...oken::onSslHandshakeDone(workflows/base/states/StateGetTcToken.cpp:121) : Used ssl session: "c6ddf70c53a07595dea3cd66bcf6ecf8e93d3f3309a5062fef61ea31e1f4f6d2"
network 2022.09.11 11:42:09.130 63805 I ...oken::onSslHandshakeDone(workflows/base/states/StateGetTcToken.cpp:121) : Handshake of tls connection done!

network 2022.09.11 11:42:10.025 63805 I ...SslHandshakeDone(workflows/base/states/StateGenericSendReceive.cpp:105) : Used session cipher QSslCipher(name=RSA-PSK-AES256-GCM-SHA384, bits=256, proto=TLSv1.2)
network 2022.09.11 11:42:10.025 63805 I ...SslHandshakeDone(workflows/base/states/StateGenericSendReceive.cpp:105) : Used session protocol: "TlsV1_2"
network 2022.09.11 11:42:10.025 63805 I ...SslHandshakeDone(workflows/base/states/StateGenericSendReceive.cpp:105) : Used ephemeral server key:
network 2022.09.11 11:42:10.025 63805 I ...SslHandshakeDone(workflows/base/states/StateGenericSendReceive.cpp:105) : Used peer certificate: QSslCertificate("3", "74:ce:fd:83:93:52:da:5a:2a:0e:39:35:9c:00:ae:e7", "La6+dWJjNmnRa33ZTRkSaw==", "D-TRUST CA 2-2 EV 2016", "prod.governikus-eid.de", QMultiMap((1, "prodpaos.governikus-eid.de")(1, "prod2.governikus-eid.de")(1, "prod2paos.governikus-eid.de")(1, "prod3.governikus-eid.de")(1, "prod3paos.governikus-eid.de")(1, "prod4.governikus-eid.de")(1, "prod4paos.governikus-eid.de")(1, "prod.governikus-eid.de")), QDateTime(2022-06-14 08:13:14.000 UTC Qt::UTC), QDateTime(2023-06-17 08:13:14.000 UTC Qt::UTC))
network 2022.09.11 11:42:10.025 63805 I ...SslHandshakeDone(workflows/base/states/StateGenericSendReceive.cpp:105) : Used ssl session: "ad75f09425911d10afb6adac55bba04adce63da6094ecba13dd9b27dbdd0db1a"
network 2022.09.11 11:42:10.025 63805 I ...SslHandshakeDone(workflows/base/states/StateGenericSendReceive.cpp:105) : Handshake of tls connection done!

card 2022.09.11 11:42:10.403 63805 C ecdsapublickey_st::createKey(card/base/asn1/EcdsaPublicKey.cpp:306) : Cannot fetch data for pkey
card 2022.09.11 11:42:10.403 63805 C SignatureChecker::checkSignature(card/base/asn1/SignatureChecker.cpp:70) : Cannot fetch signing key
card 2022.09.11 11:42:10.403 63805 C SignatureChecker::check(card/base/asn1/SignatureChecker.cpp:47) : Certificate verification failed: "DECVCAeID00102"
default 2022.09.11 11:42:10.403 63805 C ...PreVerification::run(workflows/base/states/StatePreVerification.cpp:76) : Pre-verification failed: signature check failed
```

The corresponding section of the older log looks as follows:

```
network 2022.01.16 19:07:30.302 452129 I ...oken::onSslHandshakeDone(workflows/base/states/StateGetTcToken.cpp:116) : Used session cipher QSslCipher(name=ECDHE-RSA-AES256-GCM-SHA384, bits=256, proto=TLSv1.2)
network 2022.01.16 19:07:30.302 452129 I ...oken::onSslHandshakeDone(workflows/base/states/StateGetTcToken.cpp:116) : Used session protocol: "TlsV1_2"
network 2022.01.16 19:07:30.302 452129 I ...oken::onSslHandshakeDone(workflows/base/states/StateGetTcToken.cpp:116) : Used ephemeral server key: QSslKey(PublicKey, EC, 384)
network 2022.01.16 19:07:30.303 452129 I ...oken::onSslHandshakeDone(workflows/base/states/StateGetTcToken.cpp:116) : Used peer certificate: QSslCertificate("3", "6e:19:43:f3:ba:d1:53:3e:53:fd:96:3c:13:80:7c:41", "Xa9+8P1nMDDcF1xowCy0bw==", "D-TRUST SSL Class 3 CA 1 EV 2009", "elster.de", QMap((1, "www.elster.de")(1, "www.elsteronline.de")(1, "elsteronline.de")(1, "einfach.elster.de")(1, "www.einfach.elster.de")(1, "eid.elster.de")(1, "elster.de")), QDateTime(2021-06-26 19:19:31.000 UTC Qt::UTC), QDateTime(2022-06-29 19:19:31.000 UTC Qt::UTC))
network 2022.01.16 19:07:30.303 452129 I ...oken::onSslHandshakeDone(workflows/base/states/StateGetTcToken.cpp:116) : Used ssl session: "68e142289e7aff0c54ad78b6b5fa68499b527364c64ebd0a3542fa3005f85cbe"
network 2022.01.16 19:07:30.303 452129 I ...oken::onSslHandshakeDone(workflows/base/states/StateGetTcToken.cpp:116) : Handshake of tls connection done!
network 2022.01.16 19:07:30.463 452129 ...tTcToken::onNetworkReply(workflows/base/states/StateGetTcToken.cpp:150) : Status Code: 303 "See Other"
```
update

```
=====================================================================================
 Package              Architecture   Version          Repository          Size
=====================================================================================
Upgrading:
 AusweisApp2          x86_64         1.24.1-1.fc36    updates-testing     1.1 M
 AusweisApp2-data     noarch         1.24.1-1.fc36    updates-testing     5.4 M
Installing dependencies:
 qt6-qtscxml          x86_64         6.3.1-2.fc36     updates             549 k
 qt6-qtwebsockets     x86_64         6.3.1-2.fc36     updates             102 k

Transaction Summary
=====================================================================================
```

results in the same error message as before the update on Fedora 36

```
network 2022.09.11 15:48:06.620 41770 I ...oken::onSslHandshakeDone(workflows/base/states/StateGetTcToken.cpp:121) : Used ssl session: "7756508230cdf04578afceac24a2f3d2a560d8c61d38835a14c3d8bc0210e8b4"
network 2022.09.11 15:48:06.620 41770 I ...oken::onSslHandshakeDone(workflows/base/states/StateGetTcToken.cpp:121) : Handshake of tls connection done!

network 2022.09.11 15:48:07.449 41770 I ...SslHandshakeDone(workflows/base/states/StateGenericSendReceive.cpp:105) : Used session cipher QSslCipher(name=RSA-PSK-AES256-GCM-SHA384, bits=256, proto=TLSv1.2)
network 2022.09.11 15:48:07.449 41770 I ...SslHandshakeDone(workflows/base/states/StateGenericSendReceive.cpp:105) : Used session protocol: "TlsV1_2"
network 2022.09.11 15:48:07.449 41770 I ...SslHandshakeDone(workflows/base/states/StateGenericSendReceive.cpp:105) : Used ephemeral server key:
network 2022.09.11 15:48:07.449 41770 I ...SslHandshakeDone(workflows/base/states/StateGenericSendReceive.cpp:105) : Used peer certificate: QSslCertificate("3", "74:ce:fd:83:93:52:da:5a:2a:0e:39:35:9c:00:ae:e7", "La6+dWJjNmnRa33ZTRkSaw==", "D-TRUST CA 2-2 EV 2016", "prod.governikus-eid.de", QMultiMap((1, "prodpaos.governikus-eid.de")(1, "prod2.governikus-eid.de")(1, "prod2paos.governikus-eid.de")(1, "prod3.governikus-eid.de")(1, "prod3paos.governikus-eid.de")(1, "prod4.governikus-eid.de")(1, "prod4paos.governikus-eid.de")(1, "prod.governikus-eid.de")), QDateTime(2022-06-14 08:13:14.000 UTC Qt::UTC), QDateTime(2023-06-17 08:13:14.000 UTC Qt::UTC))
network 2022.09.11 15:48:07.449 41770 I ...SslHandshakeDone(workflows/base/states/StateGenericSendReceive.cpp:105) : Used ssl session: "5a8459b074ba25a38ac2fdfe1a70f9097d5c23584e676bd6daa3fb7ac1c15d63"
network 2022.09.11 15:48:07.449 41770 I ...SslHandshakeDone(workflows/base/states/StateGenericSendReceive.cpp:105) : Handshake of tls connection done!

card 2022.09.11 15:48:07.845 41770 C ecdsapublickey_st::createKey(card/base/asn1/EcdsaPublicKey.cpp:306) : Cannot fetch data for pkey
card 2022.09.11 15:48:07.845 41770 C SignatureChecker::checkSignature(card/base/asn1/SignatureChecker.cpp:70) : Cannot fetch signing key
card 2022.09.11 15:48:07.845 41770 C SignatureChecker::check(card/base/asn1/SignatureChecker.cpp:47) : Certificate verification failed: "DECVCAeID00102"
default 2022.09.11 15:48:07.845 41770 C ...PreVerification::run(workflows/base/states/StatePreVerification.cpp:76) : Pre-verification failed: signature check failed
```
There are log differences between Linux and Windows, I wonder if these are relevant.

Windows:

```
fileprovider 2022.09.11 12:27:10.220 9020 C UpdatableFile::writeDataToFile(file_provider/UpdatableFile.cpp:214) : File already exists, aborting writing file: "C:/Users/beleg/AppData/Local/Governikus GmbH & Co. KG/AusweisApp2/cache//supported-providers.json_20220908074822"
fileprovider 2022.09.11 12:27:10.220 9020 C UpdatableFile::onDownloadSuccess(file_provider/UpdatableFile.cpp:175) : Could not write downloaded file "C:/Users/beleg/AppData/Local/Governikus GmbH & Co. KG/AusweisApp2/cache//supported-providers.json_20220908074822"
fileprovider 2022.09.11 12:27:10.220 9020 Downloader::startDownloadIfPending(file_provider/Downloader.cpp:42) : No pending requests to be started.
qt.scenegr... 2022.09.11 12:27:10.248 9020 (unknown:0) : Using sg animation driver
qt.scenegr... 2022.09.11 12:27:10.248 9020 (unknown:0) : animation driver switched to vsync mode
card 2022.09.11 12:27:12.355 9020 W ...ertificateChainBuilder(card/base/asn1/CVCertificateChainBuilder.cpp:41) : No valid chains could be built
card 2022.09.11 12:27:12.355 9020 W ...ertificateChainBuilder(card/base/asn1/CVCertificateChainBuilder.cpp:41) : No valid chains could be built
default 2022.09.11 12:27:12.355 9020 AppController::onWorkflowRequested(core/controller/AppController.cpp:225) : New workflow requested: SELF
support 2022.09.11 12:27:12.355 9020 I AppController::startNewWorkflow(core/controller/AppController.cpp:453) : Started new workflow SELF
default 2022.09.11 12:27:12.356 9020 AppController::startNewWorkflow(core/controller/AppController.cpp:457) : Start governikus::SelfAuthController
default 2022.09.11 12:27:12.356 9020 WorkflowContext::claim(workflows/base/context/WorkflowContext.cpp:76) : Claim workflow by "governikus::UIPlugInQml"
qml 2022.09.11 12:27:12.356 9020 W ApplicationModel::keepScreenOn(ui/qml/ApplicationModel.cpp:389) : NOT IMPLEMENTED: true
default 2022.09.11 12:27:12.356 9020 NumberModel>(global/Env.h:129) : Create singleton: governikus::NumberModel
default 2022.09.11 12:27:12.375 9020 AuthModel>(global/Env.h:129) : Create singleton: governikus::AuthModel
default 2022.09.11 12:27:12.381 9020 ConnectivityManager>(global/Env.h:129) : Create singleton: governikus::ConnectivityManager
default 2022.09.11 12:27:12.387 9020 PinResetInformationModel>(global/Env.h:129) : Create singleton: governikus::PinResetInformationModel
default 2022.09.11 12:27:12.391 9020 CertificateDescriptionModel>(global/Env.h:129) : Create singleton: governikus::CertificateDescriptionModel
default 2022.09.11 12:27:12.391 9020 ChatModel>(global/Env.h:129) : Create singleton: governikus::ChatModel
qml 2022.09.11 12:27:12.462 9020 W (/qml/Governikus/View/BaseController.qml:48) : No focus item found using TitleBar
network 2022.09.11 12:27:12.465 9020 ConnectivityManager::setActive(ui/qml/ConnectivityManager.cpp:39) : Found active network interface "ethernet_32770"
statemachine 2022.09.11 12:27:12.466 9020 AbstractState::onEntry(workflows/base/states/AbstractState.cpp:95) : Next state is "StateLoadTcTokenUrl"
statemachine 2022.09.11 12:27:12.506 9020 ...ate::onStateApprovedChanged(workflows/base/states/AbstractState.cpp:73) : Running state "StateLoadTcTokenUrl"
default 2022.09.11 12:27:12.506 9020 ...adTcTokenUrl::run(workflows/selfauth/states/StateLoadTcTokenUrl.cpp:24) : Loaded tcTokenUrl for self-authentication from securestorage: QUrl("https://www.autentapp.de/AusweisAuskunft/WebServiceRequesterServlet?mode=json")
statemachine 2022.09.11 12:27:12.506 9020 AbstractState::onExit(workflows/base/states/AbstractState.cpp:115) : Leaving state "StateLoadTcTokenUrl" with status: [ OK + No_Error | "Es ist kein Fehler aufgetreten." ]
statemachine 2022.09.11 12:27:12.506 9020 AbstractState::onEntry(workflows/base/states/AbstractState.cpp:95) : Next state is "StateGetTcToken"
statemachine 2022.09.11 12:27:12.508 9020 ...ate::onStateApprovedChanged(workflows/base/states/AbstractState.cpp:73) : Running state "StateGetTcToken"
default 2022.09.11 12:27:12.508 9020 StateGetTcToken::run(workflows/base/states/StateGetTcToken.cpp:35) : Got TC Token URL: QUrl("https://www.autentapp.de/AusweisAuskunft/WebServiceRequesterServlet?mode=json")
network 2022.09.11 12:27:12.509 9020 ...espace'::SystemProxyFactory::queryProxy(network/NetworkManager.cpp:436) : ProxyQuery(type: QNetworkProxyQuery::UrlRequest, protocol: "https", peerPort: -1, peerHostName: "www.autentapp.de", localPort: -1, url: QUrl("https://www.autentapp.de/AusweisAuskunft/WebServiceRequesterServlet?mode=json"))
network 2022.09.11 12:27:12.510 9020 ...espace'::SystemProxyFactory::queryProxy(network/NetworkManager.cpp:438) : Found proxies QList(NoProxy """:0" ["Tunnel Listen UDP SctpTunnel SctpListen"])
network 2022.09.11 12:27:12.718 9020 TlsChecker::getFatalErrors(network/TlsChecker.cpp:213) : (ignored) "Die Identität des OCSP-Responders konnte nicht verifiziert werden"
network 2022.09.11 12:27:12.718 9020 TlsChecker::getFatalErrors(network/TlsChecker.cpp:213) : (ignored) "Das oberste Zertifikat der Kette ist selbstsigniert und daher nicht vertrauenswürdig"
network 2022.09.11 12:27:12.718 9020 TlsChecker::containsFatalError(network/TlsChecker.cpp:251) : Ignore SSL errors
network 2022.09.11 12:27:12.718 9020 I ...oken::onSslHandshakeDone(workflows/base/states/StateGetTcToken.cpp:121) : Used session cipher QSslCipher(name=ECDHE-RSA-AES256-GCM-SHA384, bits=256, proto=TLSv1.2)
network 2022.09.11 12:27:12.718 9020 I ...oken::onSslHandshakeDone(workflows/base/states/StateGetTcToken.cpp:121) : Used session protocol: "TlsV1_2"
network 2022.09.11 12:27:12.718 9020 I ...oken::onSslHandshakeDone(workflows/base/states/StateGetTcToken.cpp:121) : Used ephemeral server key: QSslKey(PublicKey, EC, 256)
network 2022.09.11 12:27:12.718 9020 I ...oken::onSslHandshakeDone(workflows/base/states/StateGetTcToken.cpp:121) : Used peer certificate: QSslCertificate("3", "02:e6:2a:98:5f:8a:17:65:fb:2e:a2:e9:f2:e8:4d:41", "sfLGlGvut9VpAgZZ76orcA==", "TeleSec ServerPass Class 2 CA", "www.autentapp.de", QMultiMap((1, "www.autentapp.de")), QDateTime(2021-11-08 12:30:21.000 UTC Qt::UTC), QDateTime(2022-11-12 23:59:59.000 UTC Qt::UTC))
network 2022.09.11 12:27:12.718 9020 I ...oken::onSslHandshakeDone(workflows/base/states/StateGetTcToken.cpp:121) : Used ssl session: "c7efa490faf88ec9f5ea29cf8440b178cfbdac9d37c202412da15ea6d2c5acd8"
network 2022.09.11 12:27:12.718 9020 I ...oken::onSslHandshakeDone(workflows/base/states/StateGetTcToken.cpp:121) : Handshake of tls connection done!
default 2022.09.11 12:27:12.718 9020 TlsChecker::hasValidCertificateKeyLength(network/TlsChecker.cpp:46) : Check certificate key of type "Rsa" and key size 4096
default 2022.09.11 12:27:12.718 9020 TlsChecker::isValidKeyLength(network/TlsChecker.cpp:82) : Minimum requested key size 2000
default 2022.09.11 12:27:12.718 9020 TlsChecker::hasValidEphemeralKeyLength(network/TlsChecker.cpp:61) : Check ephemeral key of type "Ec" and key size 256
default 2022.09.11 12:27:12.718 9020 TlsChecker::isValidKeyLength(network/TlsChecker.cpp:82) : Minimum requested key size 250
```

Linux:

```
fileprovider 2022.09.11 12:10:12.254 92371 C UpdatableFile::writeDataToFile(file_provider/UpdatableFile.cpp:214) : File already exists, aborting writing file: "/home/julas/.cache/AusweisApp2//supported-providers.json_20220908074822"
fileprovider 2022.09.11 12:10:12.254 92371 C UpdatableFile::onDownloadSuccess(file_provider/UpdatableFile.cpp:175) : Could not write downloaded file "/home/julas/.cache/AusweisApp2//supported-providers.json_20220908074822"
card 2022.09.11 12:10:16.480 92371 W ...ertificateChainBuilder(card/base/asn1/CVCertificateChainBuilder.cpp:41) : No valid chains could be built
card 2022.09.11 12:10:16.480 92371 W ...ertificateChainBuilder(card/base/asn1/CVCertificateChainBuilder.cpp:41) : No valid chains could be built
support 2022.09.11 12:10:16.480 92371 I AppController::startNewWorkflow(core/controller/AppController.cpp:453) : Started new workflow SELF
qml 2022.09.11 12:10:16.480 92371 W ApplicationModel::keepScreenOn(ui/qml/ApplicationModel.cpp:389) : NOT IMPLEMENTED: true
qml 2022.09.11 12:10:16.568 92371 W (/qml/Governikus/View/BaseController.qml:48) : No focus item found using TitleBar
network 2022.09.11 12:10:16.778 92371 I ...oken::onSslHandshakeDone(workflows/base/states/StateGetTcToken.cpp:121) : Used session cipher QSslCipher(name=ECDHE-RSA-AES256-GCM-SHA384, bits=256, proto=TLSv1.2)
network 2022.09.11 12:10:16.779 92371 I ...oken::onSslHandshakeDone(workflows/base/states/StateGetTcToken.cpp:121) : Used session protocol: "TlsV1_2"
network 2022.09.11 12:10:16.779 92371 I ...oken::onSslHandshakeDone(workflows/base/states/StateGetTcToken.cpp:121) : Used ephemeral server key: QSslKey(PublicKey, EC, 256)
network 2022.09.11 12:10:16.779 92371 I ...oken::onSslHandshakeDone(workflows/base/states/StateGetTcToken.cpp:121) : Used peer certificate: QSslCertificate("3", "02:e6:2a:98:5f:8a:17:65:fb:2e:a2:e9:f2:e8:4d:41", "sfLGlGvut9VpAgZZ76orcA==", "TeleSec ServerPass Class 2 CA", "www.autentapp.de", QMultiMap((1, "www.autentapp.de")), QDateTime(2021-11-08 12:30:21.000 UTC Qt::UTC), QDateTime(2022-11-12 23:59:59.000 UTC Qt::UTC))
network 2022.09.11 12:10:16.779 92371 I ...oken::onSslHandshakeDone(workflows/base/states/StateGetTcToken.cpp:121) : Used ssl session: "022660d31a7215e11f9344d90a1e2af5859b717847f592fbd196389114724ce8"
network 2022.09.11 12:10:16.779 92371 I ...oken::onSslHandshakeDone(workflows/base/states/StateGetTcToken.cpp:121) : Handshake of tls connection done!

network 2022.09.11 12:10:17.678 92371 I ...SslHandshakeDone(workflows/base/states/StateGenericSendReceive.cpp:105) : Used session cipher QSslCipher(name=RSA-PSK-AES256-GCM-SHA384, bits=256, proto=TLSv1.2)
network 2022.09.11 12:10:17.678 92371 I ...SslHandshakeDone(workflows/base/states/StateGenericSendReceive.cpp:105) : Used session protocol: "TlsV1_2"
network 2022.09.11 12:10:17.678 92371 I ...SslHandshakeDone(workflows/base/states/StateGenericSendReceive.cpp:105) : Used ephemeral server key:
network 2022.09.11 12:10:17.678 92371 I ...SslHandshakeDone(workflows/base/states/StateGenericSendReceive.cpp:105) : Used peer certificate: QSslCertificate("3", "74:ce:fd:83:93:52:da:5a:2a:0e:39:35:9c:00:ae:e7", "La6+dWJjNmnRa33ZTRkSaw==", "D-TRUST CA 2-2 EV 2016", "prod.governikus-eid.de", QMultiMap((1, "prodpaos.governikus-eid.de")(1, "prod2.governikus-eid.de")(1, "prod2paos.governikus-eid.de")(1, "prod3.governikus-eid.de")(1, "prod3paos.governikus-eid.de")(1, "prod4.governikus-eid.de")(1, "prod4paos.governikus-eid.de")(1, "prod.governikus-eid.de")), QDateTime(2022-06-14 08:13:14.000 UTC Qt::UTC), QDateTime(2023-06-17 08:13:14.000 UTC Qt::UTC))
network 2022.09.11 12:10:17.678 92371 I ...SslHandshakeDone(workflows/base/states/StateGenericSendReceive.cpp:105) : Used ssl session: "2ae215d1661f3b5a586ae20a0bfb0176d301e22238e70e20254b90539317e038"
network 2022.09.11 12:10:17.678 92371 I ...SslHandshakeDone(workflows/base/states/StateGenericSendReceive.cpp:105) : Handshake of tls connection done!

card 2022.09.11 12:10:18.149 92371 C ecdsapublickey_st::createKey(card/base/asn1/EcdsaPublicKey.cpp:306) : Cannot fetch data for pkey
card 2022.09.11 12:10:18.149 92371 C SignatureChecker::checkSignature(card/base/asn1/SignatureChecker.cpp:70) : Cannot fetch signing key
card 2022.09.11 12:10:18.149 92371 C SignatureChecker::check(card/base/asn1/SignatureChecker.cpp:47) : Certificate verification failed: "DECVCAeID00102"
default 2022.09.11 12:10:18.149 92371 C ...PreVerification::run(workflows/base/states/StatePreVerification.cpp:76) : Pre-verification failed: signature check failed
```

Things that are interesting:
- Windows ignores SSL errors
- Windows mentions a self-signed certificate
- Linux has a blank entry for the ephemeral server key
FEDORA-2022-515a71a545 has been pushed to the Fedora 37 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2022-f83b2ce82b has been pushed to the Fedora 36 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2022-4ce7878f2d has been pushed to the Fedora 35 stable repository. If problem still persists, please make note of it in this bug report.
(In reply to Fedora Update System from comment #17) > FEDORA-2022-f83b2ce82b has been pushed to the Fedora 36 stable repository. > If problem still persists, please make note of it in this bug report. i just installed it. The error still persists. ### Application: AusweisApp2 ### Application Version: 1.24.1 ### System: Fedora Linux 36 (Thirty Six) ### Kernel: 5.19.8-200.fc36.x86_64 ### Architecture: x86_64 OpenSSL Version: OpenSSL 3.0.5 5 Jul 2022 network 2022.09.13 22:16:55.695 4096 I ...oken::onSslHandshakeDone(workflows/base/states/StateGetTcToken.cpp:121) : Used session cipher QSslCipher(name=ECDHE-RSA-AES256-GCM-SHA384, bits=256, proto=TLSv1.2) network 2022.09.13 22:16:55.695 4096 I ...oken::onSslHandshakeDone(workflows/base/states/StateGetTcToken.cpp:121) : Used session protocol: "TlsV1_2" network 2022.09.13 22:16:55.696 4096 I ...oken::onSslHandshakeDone(workflows/base/states/StateGetTcToken.cpp:121) : Used ephemeral server key: QSslKey(PublicKey, EC, 256) network 2022.09.13 22:16:55.696 4096 I ...oken::onSslHandshakeDone(workflows/base/states/StateGetTcToken.cpp:121) : Used peer certificate: QSslCertificate("3", "02:e6:2a:98:5f:8a:17:65:fb:2e:a2:e9:f2:e8:4d:41", "sfLGlGvut9VpAgZZ76orcA==", "TeleSec ServerPass Class 2 CA", "www.autentapp.de", QMultiMap((1, "www.autentapp.de")), QDateTime(2021-11-08 12:30:21.000 UTC Qt::UTC), QDateTime(2022-11-12 23:59:59.000 UTC Qt::UTC)) network 2022.09.13 22:16:55.696 4096 I ...oken::onSslHandshakeDone(workflows/base/states/StateGetTcToken.cpp:121) : Used ssl session: "47a9e3eb1323a4c7beac6075af0241ad605877f3d01a51c4b91135f1b1490ade" network 2022.09.13 22:16:55.696 4096 I ...oken::onSslHandshakeDone(workflows/base/states/StateGetTcToken.cpp:121) : Handshake of tls connection done! 
network 2022.09.13 22:16:56.645 4096 I ...SslHandshakeDone(workflows/base/states/StateGenericSendReceive.cpp:105) : Used session cipher QSslCipher(name=RSA-PSK-AES256-GCM-SHA384, bits=256, proto=TLSv1.2) network 2022.09.13 22:16:56.645 4096 I ...SslHandshakeDone(workflows/base/states/StateGenericSendReceive.cpp:105) : Used session protocol: "TlsV1_2" network 2022.09.13 22:16:56.645 4096 I ...SslHandshakeDone(workflows/base/states/StateGenericSendReceive.cpp:105) : Used ephemeral server key: network 2022.09.13 22:16:56.646 4096 I ...SslHandshakeDone(workflows/base/states/StateGenericSendReceive.cpp:105) : Used peer certificate: QSslCertificate("3", "74:ce:fd:83:93:52:da:5a:2a:0e:39:35:9c:00:ae:e7", "La6+dWJjNmnRa33ZTRkSaw==", "D-TRUST CA 2-2 EV 2016", "prod.governikus-eid.de", QMultiMap((1, "prodpaos.governikus-eid.de")(1, "prod2.governikus-eid.de")(1, "prod2paos.governikus-eid.de")(1, "prod3.governikus-eid.de")(1, "prod3paos.governikus-eid.de")(1, "prod4.governikus-eid.de")(1, "prod4paos.governikus-eid.de")(1, "prod.governikus-eid.de")), QDateTime(2022-06-14 08:13:14.000 UTC Qt::UTC), QDateTime(2023-06-17 08:13:14.000 UTC Qt::UTC)) network 2022.09.13 22:16:56.646 4096 I ...SslHandshakeDone(workflows/base/states/StateGenericSendReceive.cpp:105) : Used ssl session: "4e768262addc40721284f08e438bce4907d2b2ff25dbdd1faa907e32e0e43fd4" network 2022.09.13 22:16:56.646 4096 I ...SslHandshakeDone(workflows/base/states/StateGenericSendReceive.cpp:105) : Handshake of tls connection done! 
card 2022.09.13 22:16:57.049 4096 C ecdsapublickey_st::createKey(card/base/asn1/EcdsaPublicKey.cpp:306) : Cannot fetch data for pkey
card 2022.09.13 22:16:57.049 4096 C SignatureChecker::checkSignature(card/base/asn1/SignatureChecker.cpp:70) : Cannot fetch signing key
card 2022.09.13 22:16:57.049 4096 C SignatureChecker::check(card/base/asn1/SignatureChecker.cpp:47) : Certificate verification failed: "DECVCAeID00102"
default 2022.09.13 22:16:57.049 4096 C ...PreVerification::run(workflows/base/states/StatePreVerification.cpp:76) : Pre-verification failed: signature check failed
It's still the same problem. OpenSSL fails because the CV-Certificate (NOT TLS) uses elliptic curves that were disabled in OpenSSL. You need to enable that. Don't be confused by TLS ciphers in the log. This isn't the problem - as you can see the TLS connection was successful. :-)
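Added example (not part of any comment in this thread and not AusweisApp2 code): a small triage script that applies the distinction made in the comment above, separating the TLS handshake result from the first critical error, to lines copied from the log posted earlier in this thread. The names `parse` and `triage` and the reading of level `C` as "critical" are assumptions of this example.

```python
import re

# One log line: category, timestamp, PID, optional level letter,
# function(source file:line), then " : " and the message.
LINE = re.compile(
    r"^(?P<cat>\w+)\s+(?P<ts>\d{4}\.\d\d\.\d\d [\d:.]+)\s+(?P<pid>\d+)\s+"
    r"(?:(?P<lvl>[A-Z])\s+)?(?P<func>[^\s(]+)\((?P<src>[^():]+):(?P<line>\d+)\)"
    r"\s+:\s+(?P<msg>.*)$"
)

# Lines copied from the 2022-09-13 log posted earlier in this thread.
SAMPLE = r"""
network 2022.09.13 22:16:56.646 4096 I ...SslHandshakeDone(workflows/base/states/StateGenericSendReceive.cpp:105) : Handshake of tls connection done!
card 2022.09.13 22:16:57.049 4096 C ecdsapublickey_st::createKey(card/base/asn1/EcdsaPublicKey.cpp:306) : Cannot fetch data for pkey
card 2022.09.13 22:16:57.049 4096 C SignatureChecker::checkSignature(card/base/asn1/SignatureChecker.cpp:70) : Cannot fetch signing key
card 2022.09.13 22:16:57.049 4096 C SignatureChecker::check(card/base/asn1/SignatureChecker.cpp:47) : Certificate verification failed: "DECVCAeID00102"
default 2022.09.13 22:16:57.049 4096 C ...PreVerification::run(workflows/base/states/StatePreVerification.cpp:76) : Pre-verification failed: signature check failed
"""


def parse(text):
    """Return one dict per recognisable log line; other lines are skipped."""
    matches = (LINE.match(raw.strip()) for raw in text.splitlines())
    return [m.groupdict() for m in matches if m]


def triage(text):
    """Report whether TLS completed and where the first critical error sits."""
    entries = parse(text)
    tls_done = any(
        e["cat"] == "network" and e["msg"].startswith("Handshake of tls connection done")
        for e in entries
    )
    # Assumption of this example: level "C" marks critical messages.
    criticals = [e for e in entries if e["lvl"] == "C"]
    result = {"tls_done": tls_done, "criticals": len(criticals),
              "layer": None, "root_cause": None}
    if criticals:
        first = criticals[0]  # earliest critical line; later ones may follow from it
        result["layer"] = first["cat"]
        result["root_cause"] = (first["src"], int(first["line"]), first["msg"])
    return result


if __name__ == "__main__":
    print(triage(SAMPLE))
```

On these lines the result shows a completed TLS handshake and a first critical error in the `card` category at `EcdsaPublicKey.cpp:306`, which is the key-loading step rather than the transport.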
(In reply to aklitzing from comment #20)
> It's still the same problem. OpenSSL fails because the CV-Certificate (NOT
> TLS) uses elliptic curves that were disabled in OpenSSL. You need to enable
> that. Don't be confused by TLS ciphers in the log. This isn't the problem -
> as you can see the TLS connection was successful. :-)

Thanks. I tried that. But I cannot get past the "not declared" error for
ADD_TEST(char2_field_tests);
ADD_ALL_TESTS(char2_curve_test, OSSL_NELEM(char2_curve_tests));
I went back to AusweisApp2-1.22.3-1.fc35.x86_64. Now it is working. At least at the moment.
I can confirm that this problem goes away if locally-rebuilt, not hobbled openssl is used.
(In reply to Julian Sikorski from comment #22)
> I can confirm that this problem goes away if locally-rebuilt, not hobbled
> openssl is used.

Thank you for sharing this discovery. As AusweisApp2 still works with certain card readers on Fedora 35, this would mean that OpenSSL is even more crippled on Fedora 36 than on Fedora 35. At least recent articles on the legal mailing list indicate that things may improve soon.
Problem still exists even on F37:

rpm -q AusweisApp2
AusweisApp2-1.24.4-2.fc37.x86_64

network 2022.12.12 22:08:18.273 26473 I ...SslHandshakeDone(workflows/base/states/StateGenericSendReceive.cpp:105) : Handshake of tls connection done!
card 2022.12.12 22:08:18.670 26473 C ecdsapublickey_st::createKey(card/base/asn1/EcdsaPublicKey.cpp:306) : Cannot fetch data for pkey
card 2022.12.12 22:08:18.670 26473 C SignatureChecker::checkSignature(card/base/asn1/SignatureChecker.cpp:70) : Cannot fetch signing key
card 2022.12.12 22:08:18.670 26473 C SignatureChecker::check(card/base/asn1/SignatureChecker.cpp:47) : Certificate verification failed: "DECVCAeID00102"
default 2022.12.12 22:08:18.670 26473 C ...PreVerification::run(workflows/base/states/StatePreVerification.cpp:76) : Pre-verification failed: signature check failed
Created attachment 1935360 [details] Outdated version
Problem still exists even on F37 using latest version:

rpm -q AusweisApp2
AusweisApp2-1.26.2-2.fc37.x86_64

network 2023.02.08 17:01:04.268 8229 I ...SslHandshakeDone(workflows/base/states/StateGenericSendReceive.cpp:105) : Handshake of tls connection done!
card 2023.02.08 17:01:04.693 8229 C ecdsapublickey_st::createKey(card/base/asn1/EcdsaPublicKey.cpp:306) : Cannot fetch data for pkey
card 2023.02.08 17:01:04.694 8229 C SignatureChecker::checkSignature(card/base/asn1/SignatureChecker.cpp:70) : Cannot fetch signing key
card 2023.02.08 17:01:04.694 8229 C SignatureChecker::check(card/base/asn1/SignatureChecker.cpp:47) : Certificate verification failed: "DECVCAeID00102"
default 2023.02.08 17:01:04.695 8229 C ...PreVerification::run(workflows/base/states/StatePreVerification.cpp:76) : Pre-verification failed: signature check failed
FEDORA-2023-931b7f44af has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-931b7f44af
FEDORA-2023-931b7f44af has been pushed to the Fedora 38 testing repository. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-931b7f44af See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2023-931b7f44af has been pushed to the Fedora 38 stable repository. If problem still persists, please make note of it in this bug report.
This problem still occurs for me in Fedora 37 when trying to apply for a pin-reset at https://www.pin-ruecksetzbrief-bestellen.de/bestellung/zwischenseite:

warnings and errors in log:

SslCipherList::operator+=(secure_storage/TlsConfiguration.cpp:27) : Cipher is not supported by OpenSSL and will be ignored: "ECDHE-PSK-AES128-CBC-SHA256"
SslCipherList::operator+=(secure_storage/TlsConfiguration.cpp:27) : Cipher is not supported by OpenSSL and will be ignored: "ECDHE-PSK-AES256-CBC-SHA384"
UpdatableFile::writeDataToFile(file_provider/UpdatableFile.cpp:214) : File already exists, aborting writing file: "/home/[...]/.cache/AusweisApp2//supported-providers.json_20230222132215"
UpdatableFile::onDownloadSuccess(file_provider/UpdatableFile.cpp:175) : Could not write downloaded file "/home/[...]/.cache/AusweisApp2//supported-providers.json_20230222132215"
...ertificateChainBuilder(card/base/asn1/CVCertificateChainBuilder.cpp:41) : No valid chains could be built
...ertificateChainBuilder(card/base/asn1/CVCertificateChainBuilder.cpp:41) : No valid chains could be built
ApplicationModel::keepScreenOn(ui/qml/ApplicationModel.cpp:370) : NOT IMPLEMENTED: true
(/qml/Governikus/View/BaseController.qml:39) : No focus item found using TitleBar
ecdsapublickey_st::createKey(card/base/asn1/EcdsaPublicKey.cpp:306) : Cannot fetch data for pkey
SignatureChecker::checkSignature(card/base/asn1/SignatureChecker.cpp:70) : Cannot fetch signing key
SignatureChecker::check(card/base/asn1/SignatureChecker.cpp:47) : Certificate verification failed: "DECVCAeID00102"
...PreVerification::run(workflows/base/states/StatePreVerification.cpp:76) : Pre-verification failed: signature check failed

If the new version in Fedora 38 fixed this, could this please be ported to Fedora 37 too?
openssl with Brainpool curves enabled was only built for F38 and later. But in this case this bug should not have been closed, at least not as ERRATA but as NEXTRELEASE.
I can confirm that it is working now on a client system (laptop) updated today from F37 to F38beta.