View Issue Details
ID: 1469
Category: [Main CAcert Website] misc
Severity: major
Reproducibility: always
Date Submitted: 2019-10-11 10:38
Last Update: 2020-11-23 09:33
Reporter: mcgiwer
Platform: Main CAcert Website
Assigned To: Ted
OS: Linux (Debian based)
Priority: normal
OS Version: stable
Status: needs work
Resolution: open
Projection: none
ETA: none
Test Instructions: see Steps to reproduce
Summary: CACert.org certificate issues (with valid root certificates installed)
Description: 1. When I attempt to open cacert.org website pages, I receive the following error every time:

> Secure Connection Failed
>
> An error occurred during a connection to cats.cacert.org. SSL peer was unable to negotiate an acceptable set of security parameters.
>
> Error code: SSL_ERROR_HANDSHAKE_FAILURE_ALERT
>
> The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
> Please contact the website owners to inform them of this problem.

===========

2. When I'm attempting to issue a client certificate, I receive the following error:

> I didn't receive a valid Certificate Request, please try a different browser.

Please repair the above errors ASAP. Thanks
Tags:
Steps To Reproduce: Enter the website
Additional Information:
System Description Production version of the CAcert website
Attached Files:
Notes
(0005851)
Ted   
2019-10-14 08:09   
(Last edited: 2019-10-14 08:10)
Usually this is caused by the fact that the CAcert root certificates are not installed in the browser, see http://wiki.cacert.org/FAQ/Mess

If you have CAcert root certificates installed (and trusted), there are still occasional problems that the old version of the root certificate is somewhere in traffic, which still used MD5 for self-signature, see http://wiki.cacert.org/HowTo/ReplaceCAcertRootCertificate

If both of these possible causes are eliminated we'd need to know which browser you are using.

(0005852)
mcgiwer   
2019-10-14 09:03   
I use Firefox. Maybe it would be a good idea to make the main site load without SSL by default. This would partially solve the problem.

On the main website there should be information about the need to install the root certificates before entering the SSL site, or install an SSL certificate which doesn't require doing that.
(0005919)
mcgiwer   
2020-11-23 09:30   
I have removed the old root certificates of CAcert and installed the new ones, and independently of that:

1. When I attempt to open cacert.org website pages, I receive the following error every time:

> Secure Connection Failed
>
> An error occurred during a connection to cats.cacert.org. SSL peer was unable to negotiate an acceptable set of security parameters.
>
> Error code: SSL_ERROR_HANDSHAKE_FAILURE_ALERT
>
> The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
> Please contact the website owners to inform them of this problem.

===========

2. When I'm attempting to issue a client certificate, I receive the following error:

> I didn't receive a valid Certificate Request, please try a different browser.

Please repair the above errors ASAP. Thanks


View Issue Details
ID: 1498
Category: [Main CAcert Website] certificate issuing
Severity: major
Reproducibility: always
Date Submitted: 2020-11-18 18:34
Last Update: 2020-11-18 18:34
Reporter: alkas
Platform: Default
Assigned To:
OS: any
Priority: high
OS Version: any
Status: new
Resolution: open
Projection: none
ETA: none
Summary: Mail notices about downloading issued certs contain old roots' fingerprints
Description: Here is an example:
---
Hi Support,

You can collect your certificate for kristen.lss.ie by going to the following location:

https://www.cacert.org/account.php?id=15&cert=814814

If you have not imported CAcert's root certificate, please go to:
https://www.cacert.org/index.php?id=3
Root cert fingerprint = A6:1B:37:5E:39:0D:9C:36:54:EE:BD:20:31:46:1F:6B
Root cert fingerprint = 135C EC36 F49C B8E9 3B1A B270 CD80 8846 76CE 8F33

Best regards
CAcert.org Support!
---
The "root cert fingerprints" do not agree with those published on the CAcert web (roots page), they are probably old ones.
Tags: certificates
Steps To Reproduce: See the example. It was captured today, 20201118
Additional Information:
System Description Default profile.
Attached Files:
There are no notes attached to this issue.


View Issue Details
ID: 1497
Category: [Main CAcert Website] account administration
Severity: major
Reproducibility: always
Date Submitted: 2020-11-07 10:53
Last Update: 2020-11-10 22:24
Reporter: L10N
Platform: Main CAcert Website
Assigned To:
OS: N/A
Priority: high
OS Version: stable
Status: new
Resolution: open
Projection: none
ETA: none
Summary: OCSP server certificate no more accepted by Mozilla
Description: > On 28.10.2020 at 13:06 Bernhard Eisele (priv) wrote:
>> Dear team,
>>
>> yesterday everything still worked fine; today my Firefox (version
>> 82.0.1) reports the following:
>>
>> An error occurred while connecting to cacert.org. The OCSP response contains
>> out-of-date information.
>>
>> Error code: SEC_ERROR_OCSP_OLD_RESPONSE
>>
>> I have marked the root certificate "CA Cert Signing Authority" as trusted,
>> but still get no further.
>>
>> It seems that a wrong answer is coming from the OCSP server (says
>> Firefox), because Opera works (still?)!
>>
>> Regards
>> Bernhard


Bernhard Eisele (priv) @ 28.10.20 13:19:
> Solution found:
> Under Settings - Certificates I had to disable the option
> "Query OCSP responder servers to confirm the current validity of certificates",
> after which it worked again.
>
> Greetings to everyone who may fall into the same trap
> Bernhard
> PS: Seems to have been changed with the update! Thanks, dear
> Mozilla developers


Tags:
Steps To Reproduce:
Additional Information:
System Description Production version of the CAcert website
Attached Files: CAcert-Mozilla-Firefox-Unblock.png (58,705 bytes) 2020-11-07 10:53
http://bugs.cacert.org/file_download.php?file_id=487&type=bug
Notes
(0005915)
L10N   
2020-11-07 10:54   
Subject: Re: CAcert website no longer reachable with Firefox
Date: Sat, 31 Oct 2020 16:42:11 +0100
From: Bernd Jantzen
Reply-To: Bernd Jantzen
To: cacert-support@lists.cacert.org


OK, it certainly is not practical that Firefox has changed the default settings
here.

But why does OCSP not work for www.cacert.org? The certificate used to identify
www.cacert.org specifies http://ocsp.cacert.org/ for authority information via
OCSP. So why does it not work? Is there a problem with CAcert's OCSP server? Can
this not be fixed by CAcert instead of telling everybody to deactivate OCSP
checking in Firefox?

And why should it be a good idea to deactivate OCSP checking generally in my
browser? I would guess that this makes my encrypted web connections less secure
because used server certificates might be compromised and revoked without my
browser noticing it.

Best regards,
Bernd
(0005916)
jandd   
2020-11-07 13:03   
(Last edited: 2020-11-07 13:06)
It seems like the OCSP responder is using sha1WithRSAEncryption to sign OCSP responses and maybe Firefox does not like this anymore:

openssl ocsp -issuer chain.pem -cert www.cacert.org.pem -url http://ocsp.cacert.org/ -text
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: F22A621693A6DA5AD0B98D3A135E35D1EB183661
          Issuer Key Hash: 75A871604C8813F078D98977B56DC589DFBCB17A
          Serial Number: 02E101
    Request Extensions:
        OCSP Nonce:
            04109DE0D1753307C993118853413B773BA4
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = AU, ST = NSW, L = Sydney, O = CAcert Inc., OU = Server Administration, CN = ocsp.cacert.org
    Produced At: Nov 7 12:57:47 2020 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: F22A621693A6DA5AD0B98D3A135E35D1EB183661
      Issuer Key Hash: 75A871604C8813F078D98977B56DC589DFBCB17A
      Serial Number: 02E101
    Cert Status: good
    This Update: Oct 17 00:05:34 2020 GMT
    Next Update: Nov 9 12:57:47 2020 GMT

    Response Extensions:
        OCSP Nonce:
            04109DE0D1753307C993118853413B773BA4
    Signature Algorithm: sha1WithRSAEncryption
         03:71:f6:90:cc:3b:ce:a6:31:42:53:6f:0b:9c:cb:d7:25:fd:
         eb:b4:dd:50:8b:bb:29:9d:26:14:48:37:84:38:f5:5f:51:65:
         66:45:ea:86:ce:a2:8e:30:e2:43:71:8c:d6:c5:81:79:d5:da:
         9c:35:16:be:df:4a:7f:7a:b0:5d:1a:7b:65:a6:69:74:31:e1:
         f0:42:3e:57:36:c1:b8:1b:a8:37:b5:75:16:79:16:72:d6:4e:
         92:30:e0:55:3c:88:98:fc:2c:84:4a:0d:dc:d0:c6:00:44:d9:
         6e:4f:80:cc:2f:21:34:75:eb:46:4e:ae:a8:c7:2f:38:19:5b:
         71:85:a0:16:3e:ff:6e:08:3b:73:a5:bc:78:d9:f0:51:18:5f:
         64:8c:fb:ab:99:d0:3b:52:d2:bc:ef:c3:a1:7a:01:2a:45:16:
         f4:41:52:02:c0:5d:23:4d:91:20:15:f2:78:db:da:72:7c:99:
         ec:e4:06:75:db:00:66:39:0f:a9:e9:a8:0f:1b:a3:06:14:81:
         8c:70:6b:c6:74:7a:31:56:4a:7b:04:66:96:6b:80:cf:a4:e9:
         eb:a3:4c:09:25:78:8e:46:6b:e9:25:68:da:01:30:f1:fb:5c:
         1c:ed:d0:80:28:56:d1:b5:e4:74:af:7f:dd:6c:4a:81:a3:c1:
         fc:ee:4e:a0
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 186781 (0x2d99d)
        Signature Algorithm: sha512WithRSAEncryption
        Issuer: O=CAcert Inc., OU=http://www.CAcert.org, CN=CAcert Class 3 Root
        Validity
            Not Before: Aug 25 14:14:29 2019 GMT
            Not After : Aug 24 14:14:29 2021 GMT
        Subject: C=AU, ST=NSW, L=Sydney, O=CAcert Inc., OU=Server Administration, CN=ocsp.cacert.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:9c:c6:d4:6f:e4:23:c7:c3:70:4b:75:1f:e4:fc:
                    ae:f6:62:c4:60:a1:d6:cf:f9:47:40:38:d9:af:06:
                    f5:b3:87:09:ba:07:c8:7a:3b:e3:3a:e2:c1:6b:db:
                    0e:9b:7b:b4:98:04:40:88:c8:e4:20:34:9d:5f:94:
                    ae:0c:a0:05:a1:74:10:3f:1f:93:6d:c5:a0:ce:29:
                    b0:2a:03:6e:ed:3b:d1:9a:7a:f7:0f:a7:b7:39:d7:
                    c3:b4:de:15:67:94:f2:ef:b0:dd:5f:e3:c9:d8:d2:
                    34:0e:5d:44:df:bf:99:d8:5e:60:f4:39:24:8a:fd:
                    5d:c8:46:8d:0a:b1:60:7a:4f:d5:27:30:60:9e:13:
                    06:f8:3a:aa:b3:bb:33:34:6f:84:81:7e:5c:cc:12:
                    89:f2:fe:6e:93:83:fa:8b:ee:ab:36:4c:b6:40:a9:
                    ee:fb:f8:16:5a:55:d1:64:0d:49:da:04:de:d1:c8:
                    ca:ee:5f:24:b1:79:78:b3:9a:88:13:dd:68:51:39:
                    e9:68:31:af:d7:f8:4d:35:6d:60:58:04:42:bb:55:
                    92:18:f6:98:01:a5:74:3b:bc:36:db:20:68:18:b8:
                    85:d4:8b:6d:30:87:4d:d6:33:2d:7a:54:36:1d:57:
                    42:14:5c:7a:62:74:d5:1e:2b:d5:bf:04:f3:ff:ec:
                    03:c1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, OCSP Signing, Netscape Server Gated Crypto, Microsoft Server Gated Crypto
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl.cacert.org/class3-revoke.crl

    Signature Algorithm: sha512WithRSAEncryption
         44:85:a2:bb:82:6a:26:f7:5b:57:92:7a:d5:35:68:e5:a6:41:
         03:0a:98:89:b0:91:52:bd:fe:ee:7a:be:cf:85:e2:b7:f1:fd:
         13:76:ef:2e:b9:40:e3:58:43:eb:8c:1c:6a:f9:fa:09:2c:45:
         fd:d2:0a:bd:10:db:b2:60:6f:c1:15:d9:d3:95:f4:57:b2:2f:
         48:8a:fa:97:81:1f:ab:b3:ce:86:5a:01:b0:e5:2e:eb:20:09:
         1a:b1:55:73:b8:d8:00:80:ed:a3:6c:68:8d:f8:ba:90:52:47:
         cc:ad:b1:4c:d4:b7:6f:ed:fb:2b:93:eb:16:05:be:1e:a1:f1:
         be:29:0c:00:b4:77:5c:0e:bd:d5:c2:1b:fd:01:c4:c3:0d:5a:
         13:b3:37:6f:01:a6:43:12:29:b7:ff:16:fa:87:a1:af:07:88:
         a5:e3:73:1e:58:f8:a9:2f:9c:5e:86:54:bd:7c:dd:5a:63:ca:
         9a:77:c8:a7:f2:be:fc:79:5b:46:bc:31:f9:b0:2a:47:f3:5d:
         02:ae:ed:62:4d:63:8a:cb:a4:62:57:fb:6d:ab:25:7f:32:75:
         93:2b:57:65:96:7a:7b:fa:b6:93:9f:2c:fa:87:88:af:94:b6:
         3e:39:73:28:25:32:b2:9f:8c:07:10:e7:ed:b7:22:08:d2:40:
         7b:cb:e2:5d:18:5e:2a:aa:ce:77:ac:62:d7:87:b8:38:f1:f8:
         8b:e9:7d:64:40:21:d6:3a:a1:75:38:09:d0:34:7e:74:a4:cf:
         d8:60:0d:9c:3b:1e:a2:c3:1b:04:8e:b8:5f:98:c8:83:4e:8e:
         ac:7e:d4:56:20:4c:5a:7c:0f:ea:c8:de:10:d6:85:7c:e2:e4:
         18:9f:6f:ea:d2:6c:db:bf:12:9a:cd:1b:88:a3:8d:b0:f0:10:
         c7:f0:e3:44:66:b6:f7:9e:dc:1e:c6:a5:9b:c6:ed:e9:8d:15:
         41:16:e9:ae:71:cd:ff:53:69:48:85:a4:55:be:a9:43:05:3f:
         29:3d:d6:de:f9:44:27:7a:5e:56:8a:ce:70:d5:45:7e:49:44:
         40:24:12:96:e9:e3:6a:8f:1e:f4:19:6b:d4:fe:a4:d1:eb:45:
         f6:4a:51:f7:ec:7d:22:b4:4d:a7:4f:b6:df:ac:3f:6f:92:a9:
         1b:1f:1d:f6:36:01:f3:2a:af:d9:7f:05:9e:0c:b3:f7:3c:1a:
         56:86:ab:91:84:b6:c4:7f:92:ba:8d:81:12:d1:0e:69:44:88:
         61:90:ab:96:dd:14:66:43:6b:19:7c:66:ca:34:53:c3:8f:53:
         e0:bc:79:89:b0:8f:65:88:a9:6e:64:fc:c1:58:b8:ba:e0:96:
         b9:c7:c5:f5:9e:85:04:e8
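The check in the note above, reproduced offline as an added example (this is not code from the bug report or from CAcert). It stands up a throwaway CA, a leaf certificate and a delegated OCSP signer carrying the OCSPSigning extended key usage, lets `openssl ocsp` answer a request read from a file (no network, no responder process), once signing with SHA-1 as ocsp.cacert.org did and once with SHA-256, and prints which digest signed each response and what a verifying client sees. All names (*.test), serials and file names are constructed for the demo; openssl and a POSIX shell are assumed.

```shell
#!/bin/sh
# Added example, not from the bug report or CAcert: reproduce the OCSP check
# offline with a constructed PKI. Run it, then read the two result lines.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Throwaway PKI: root CA, the certificate being checked (serial 0x1001) and a
# responder certificate that carries extendedKeyUsage = OCSPSigning, like the
# ocsp.cacert.org certificate printed in the note above.
setup_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/O=Example Test CA/CN=Example Test Root" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

  openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -set_serial 4097 -days 30 -sha256 -out "$WORK/leaf.pem" >/dev/null 2>&1

  openssl req -newkey rsa:2048 -nodes -subj "/CN=ocsp.example.test" \
    -keyout "$WORK/ocsp.key" -out "$WORK/ocsp.csr" >/dev/null 2>&1
  printf 'extendedKeyUsage=OCSPSigning\n' > "$WORK/ocsp.ext"
  openssl x509 -req -in "$WORK/ocsp.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -set_serial 4098 -days 30 -sha256 -extfile "$WORK/ocsp.ext" \
    -out "$WORK/ocsp.pem" >/dev/null 2>&1

  # CA index in openssl's text-db layout: status, expiry, revocation date
  # (empty), serial in hex (the responder looks the request up by it), file,
  # subject. 4097 = 0x1001.
  printf 'V\t491231235959Z\t\t1001\tunknown\t/CN=www.example.test\n' > "$WORK/index.txt"

  # The request a client would send (with a nonce), written out as DER.
  openssl ocsp -issuer "$WORK/ca.pem" -cert "$WORK/leaf.pem" \
    -reqout "$WORK/req.der" >/dev/null 2>&1
}

# Answer the stored request as the responder, signing with the given digest,
# and return the signature algorithm the response actually carries.
response_sig_alg() {
  digest="$1"
  resp="$WORK/resp-$digest.der"
  openssl ocsp -index "$WORK/index.txt" -CA "$WORK/ca.pem" \
    -rsigner "$WORK/ocsp.pem" -rkey "$WORK/ocsp.key" -rmd "$digest" -ndays 1 \
    -reqin "$WORK/req.der" -respout "$resp" -noverify >/dev/null 2>&1
  # The first "Signature Algorithm" line is the response's own; later ones
  # belong to the responder certificate embedded in the response.
  openssl ocsp -respin "$resp" -noverify -text 2>/dev/null \
    | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Verify a stored response the way a client does (responder chains to our CA,
# is issued by the same CA as the leaf and holds the OCSP signing EKU) and
# return the status reported for the leaf. Only the signature and chain are
# checked here, not any digest policy a browser applies on top.
cert_status() {
  resp="$WORK/resp-$1.der"
  openssl ocsp -respin "$resp" -issuer "$WORK/ca.pem" -cert "$WORK/leaf.pem" \
    -CAfile "$WORK/ca.pem" -no_nonce 2>/dev/null \
    | awk -F': ' '/leaf\.pem: /{print $2}'
}

setup_pki
for d in sha1 sha256; do
  printf 'signed with %-6s -> %s, client sees status: %s\n' \
    "$d" "$(response_sig_alg "$d")" "$(cert_status "$d")"
done
```

OpenSSL does not reject a SHA-1 signed response by default, so the `Signature Algorithm` line alone does not say what a given browser will do with it. Against the live site the two things to compare are the responder on port 80 (`openssl ocsp -url http://ocsp.cacert.org/ ...` as in the note above) and the response the web server staples into the TLS handshake (`openssl s_client -status`), since the note below traces the Firefox failure to the stapled response rather than to the responder itself.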
(0005917)
L10N   
2020-11-07 14:00   
Following https://support.mozilla.org/en-US/questions/1237191 from 2018, SHA-1 is "to be disabled". Maybe that happened now?
(0005918)
egal   
2020-11-10 20:29   
(Last edited: 2020-11-10 22:24)
I checked the logfiles of the OCSP server (and set up a new one in my test environment):

Firefox tries to verify the certificate by using the OCSP responder on port 80. Therefore no OCSP server certificate is questioned.

... but ...

It's the OCSP stapling setting in Apache which breaks the Firefox OCSP functionality ...

As it seems that (at least) one certificate can't be verified, I disabled OCSP stapling temporarily, so access to https://www.cacert.org via Firefox is working again.

... to be continued ...


View Issue Details
ID: 1496
Category: [Main CAcert Website] GPG/PGP
Severity: minor
Reproducibility: always
Date Submitted: 2020-10-31 13:48
Last Update: 2020-10-31 13:48
Reporter: NoSubstitute
Platform: Main CAcert Website
Assigned To:
OS: N/A
Priority: normal
OS Version: stable
Status: new
Resolution: open
Projection: none
ETA: none
Summary: CAcert signed GPG key reports Invalid Digest Algorithm
Description: I'm guessing this could be why.

gpg: Note: third-party key signatures using the SHA1 algorithm are rejected
sig% P X 0xD2BB0D0165D0FD58 2019-09-22 [Invalid digest algorithm]
sig% P 0xD2BB0D0165D0FD58 2020-10-31 [Invalid digest algorithm]

>gpg --version
gpg (GnuPG) 2.2.23
libgcrypt 1.8.6
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: C:/Users/Kim/AppData/Roaming/gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
Tags:
Steps To Reproduce: Sign a gpg key with the gpg signing feature of cacert.
Import key to gpg.
Check the signatures of the key.
Additional Information:
System Description Production version of the CAcert website
Attached Files: 2020-10-31 142414-CAcert_signed_GPG_key-Invalid_digest_algorithm.png (4,726 bytes) 2020-10-31 13:48
http://bugs.cacert.org/file_download.php?file_id=486&type=bug
There are no notes attached to this issue.


View Issue Details
ID: 1455
Category: [Main CAcert Website] GPG/PGP
Severity: minor
Reproducibility: always
Date Submitted: 2019-01-09 01:10
Last Update: 2020-10-31 13:25
Reporter: colincogle
Platform: Default
Assigned To:
OS: any
Priority: normal
OS Version: any
Status: new
Product Version: 2015 Q3
Resolution: open
Projection: none
ETA: none
Summary: CAcert cannot recognize or sign GPG/PGP keys with EdDSA public keys
Description: I finally created a new keypair with the newest version of GnuPG, and I used the EdDSA algorithm. However, CAcert cannot parse it. While it uploaded successfully, it's been stuck on "pending" for a while. Additionally, the expiration date shows as "0000-00-00 00:00:00."
Tags:
Steps To Reproduce: 1. Create a new EdDSA key with the command: gpg --full-generate-key
2. Upload it to CAcert in hopes of getting it signed.
Additional Information: I have not tested this with ECDSA, ECDH, or ElGamal keys. However, I'd wager that support for those newer types is also lacking.

I tagged this as minor/normal but as the new version of GnuPG trickles out, this may turn into a major/high issue.
System Description Default profile.
Attached Files: 2020-10-31 142414-CAcert_signed_GPG_key-Invalid_digest_algorithm.png (4,726 bytes) 2020-10-31 13:25
http://bugs.cacert.org/file_download.php?file_id=485&type=bug
Notes
(0005731)
Ted   
2019-01-09 15:48   
It's just a wild guess, but I assume that the version of GPG which is installed on the signer is a bit too old to know the new algorithms, does this sound plausible?
(0005732)
colincogle   
2019-01-09 17:39   
That's probably it. Support for ECDH, ECDSA, and EdDSA keys was added in GnuPG 2.1.
(0005856)
SaT   
2019-12-03 07:51   
I stumbled upon this bug today, too. A fresh GPG key with Elliptic Curves cannot be signed, it is pending forever. A RSA key does work.
(0005914)
NoSubstitute   
2020-10-31 13:25   
Signing "RSA key does work."

I wonder if that is still true, though.
I just signed my RSA key today, and when checking the signature in GPGWin it comes back as "Invalid digest Algorithm" where it should say who signed it.


View Issue Details
ID: 1417
Category: [Main CAcert Website] certificate issuing
Severity: major
Reproducibility: always
Date Submitted: 2016-10-03 17:31
Last Update: 2020-10-29 22:37
Reporter: Wiesshund
Platform: PC Windows 10, IE11 Chrome Firef
Assigned To: Ted
OS: Windows 10 Pro 64bit, Ubuntu
Priority: urgent
OS Version: Current
Status: confirmed
Product Version: 2015 Q3
Resolution: open
Projection: none
ETA: none
Summary: Unable to generate client certificate
Description: Unable to generate client certificate
Clicking generate keypair in browser results in the error

"I didn't receive a valid Certificate Request, please try a different browser."

This happens in IE11, Edge, Chrome current version, and Firefox current version.
Tags: browser, certificates, html
Steps To Reproduce: log in to cacert.org
click client certificate
click new
check off wanted email address
click agree to terms
click generate keypair within browser

Immediately receive error "I didn't receive a valid Certificate Request, please try a different browser."
Same error occurs in IE11 Edge Chrome and Firefox

Additional Information: CACerts.org is added as trusted site
TLS and SSL are enabled
Tested running Trusted Sites on low security setting in IE
Tried on both 32 and 64 bit versions of all browsers
System Description Production version of the CAcert website
Attached Files: keygen.png (22,621 bytes) 2018-01-07 09:00
http://bugs.cacert.org/file_download.php?file_id=422&type=bug
New Client Certificate.png (175,952 bytes) 2019-09-10 20:50
http://bugs.cacert.org/file_download.php?file_id=467&type=bug
Notes
(0005529)
L10N   
2016-12-24 19:29   
The same bug happened to me too with
- Chromium 55 on Ubuntu 16.04
- Vivaldi 1.6 64 Bit on Ubuntu 16.04
- Edge on Windows 10

But I could create a new certificate with
- Firefox 50.1 on Ubuntu 16.04
(0005534)
L10N   
2016-12-28 10:43   
Some other checks to create new certificates:
it does NOT work with
- Edge 38 on Windows 10
- Opera 42 on Windows 10
- Vivaldi 1.4 on Windows 10

it works still with
- Firefox 48.0 on Windows 10
(0005569)
L10N   
2018-01-07 08:41   
I filed a bug at Chromium and at Vivaldi a few days ago. The answer from Chromium follows:

    Issue 799246 in chromium: Cannot create a certificate with cacert.org
Sender
    From: asa… via monorail

Updates:
Components: Internals>Network>Certificate
Status: WontFix

Comment #3 on issue 799246 by asanka@chromium.org: Cannot create a certificate with cacert.org
https://bugs.chromium.org/p/chromium/issues/detail?id=799246#c3

This site is using the <keygen> element to generate a keypair. This feature is deprecated. See https://www.chromestatus.com/features/5716060992962560

Attachments:
Screen Shot 2018-01-05 at 4.44.07 PM.png 22.1 KB

--
You received this message because:
1. You reported this issue
(0005570)
L10N   
2018-01-07 08:43   
"Since Chrome 49, <keygen>'s default behaviour has been to return the empty string, unless a permission was granted to this page. Removed in Chrome 57."

"IE/Edge do not support <keygen> and have not indicated public signals to support <keygen>. Firefox already gates <keygen> behind a user gesture, but is publicly supportive of removing it. Safari ships <keygen> and has not expressed public views regarding its continued support."

source: https://www.chromestatus.com/features/5716060992962560
(0005571)
L10N   
2018-01-07 09:03   
Further information at https://developer.mozilla.org/en-US/docs/Web/HTML/Element/keygen

"Deprecated
This feature has been removed from the Web standards. Though some browsers may still support it, it is in the process of being dropped. Avoid using it and update existing code if possible; see the compatibility table at the bottom of this page to guide your decision. Be aware that this feature may cease to work at any time."
(0005572)
L10N   
2018-01-07 09:49   
Alternatives to <keygen>:
https://w3ctag.github.io/client-certificates/

Other discussions about alternatives:
https://stackoverflow.com/questions/36350954/html-keygen-alternative-generating-key-pair-in-browser
https://security.stackexchange.com/questions/106257/alternatives-to-htmls-deprecated-keygen-for-client-certs

Further readings:
https://lists.w3.org/Archives/Public/www-tag/2015Sep/0000.html
https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/pX5NbX0Xack
(0005574)
gukk_devel   
2018-01-14 15:03   
https://developer.mozilla.org/de/docs/Web/HTML/Element/keygen
https://productforums.google.com/forum/#%21topic/chrome/FGU6TvIgPY0;context-place=forum/chrome
https://support.comodo.com/index.php?/Knowledgebase/Article/View/475/0/which-browser-can-i-use-to-signup-for-a-email-certificate
(0005575)
bjantzen   
2018-01-14 17:40   
Generating keys still works for me with
Firefox 57.0.4 (64-Bit, Linux) installed in openSUSE Leap 42.3.
(0005576)
L10N   
2018-02-10 10:05   
On Fri, 2 Feb 2018 10:29:41 +1100, Peter Yuill <peter AT NO SPAM c.o.> wrote at CAcert Board List:
I went through the process of generating keys and CSR in openssl then
submitting CSR through the advanced section of “New Certificate” and it
worked perfectly for me (using current Firefox). I have to say it is not a
simple solution and it certainly requires a much higher level of technical
skill than the browser solution, but it does work.

I did some research on possible tools to simplify the process and I have a
proposal. As far as I can see the browser route is dead, so we need to look
elsewhere. I am looking at the possibility of a desktop app that would
generate keys and CSR then connect to the cacert.org <http://cacert.org/>
site through a screen scrape library to submit the CSR and store the
certificate back in a local keystore. The one extra step required is to
import the certificate into browsers/mail clients, which should not be
difficult for most people. I am starting work on a cross-platform proof of
concept which I hope to be able to demonstrate in a few weeks.
(0005585)
dops   
2018-04-18 21:23   
"The browser route is dead" - indeed, so solutions running natively on the platforms are necessary.
A technical discussion thread was started here:
https://lists.cacert.org/wws/arc/cacert-devel/2018-04/msg00000.html

Supporting many platforms can be challenging. Because a simple solution is better than none, I'd prefer to have console-based scripts using on-board tools such as openssl (usually available for UNIX-style systems) or certreq (on standard Windows since many years - Vista?) as a baseline. Automating the CAcert certificate request page is not essential for the simple tool variant, where a graphical, more powerful and comfortable variant can complement it and doesn't need to cover platforms on an equal level or have the same robustness.

For UNIX-style systems I created a shell/openssl based solution as proof-of-concept here:
http://70t.de/download/ , file with pattern cacert_client_certificate_<date>.tar.xz (at time of writing cacert_client_certificate_2018-04-11.tar.xz )

Read more on cacert-devel starting here
https://lists.cacert.org/wws/arc/cacert-devel/2018-04/msg00000.html
(0005587)
RogerCPao   
2018-05-02 23:32   
I tried out cacert_client_certificate_2018-04-09.tar.xz. Thanks for creating it. I have a few suggestions/remarks about it.


A)

Multiple inputs of a passphrase are required:
  1. Unlock the key (from the file generated in the first task)
    -----
  2. Set a passphrase for the new certificate file
  3. Repeat (confirm) the passphrase from 2. above
Input area (sequence of 3 passphrases): [1. Unlock key password]
Enter Export Password: [2. passphrase for new cert]
Verifying - Enter Export Password: [3. repeat #2]

The three numbered items should be explicitly numbered and named in each of the prompts that come after. The first prompt of "Input area (sequence of 3 passphrases): " does not indicate that you are supposed to type on the "passphrase to protect the generated key" when generating the RSA private/public key pair.


B)

If ready, press enter to open the certificate with the browser for import.

[
In the case of Firefox 59.0.2 (64-bit), Ubuntu 16.04.4,
a dialog box will ask
What should Firefox do with this file?
(*) Open with [View file (default)]
( ) Save File
[ ] Do this automatically for files like this from now on.
[OK]
Questions about passphrase and labels eventually displays
the certificate details but is not imported. I had to go to Firefox's Certificate Manager and
manually [Import...] the newly created new_certificate_$USER.pfx file.
You will need to unlock the .pfx file with the
"Enter Export Password: [2. passphrase for new cert]" from above.
]
(0005588)
RogerCPao   
2018-05-02 23:35   
Oops. That note should have gone to the mailing list where cacert_client_certificate_2018-04-09.tar.xz was posted. There is no edit/delete.
(0005828)
vmbentley   
2019-09-07 18:22   
It is nearly three years since this issue was raised. Has there been no viable alternative process found for generating client certificates without the deprecated keygen tag?

Would it be possible for someone to write a HowTo guide for manually performing the process on the command line using OpenSSL and putting a corresponding CSR submission form on the website for the server side part of the process.
(0005829)
BarryN   
2019-09-07 19:09   
Could something like this be used?

https://pkijs.org/
(0005830)
BarryN   
2019-09-07 19:14   
Here is an example that uses that code:

https://csrhelp.peculiarventures.com/
(0005831)
BarryN   
2019-09-07 19:18   
Here's another option:

https://www.php.net/manual/en/function.openssl-csr-new.php
(0005833)
Ted   
2019-09-08 12:16   
(Last edited: 2019-09-08 12:16)
As a reply to https://bugs.cacert.org/view.php?id=1417#c5828 there indeed is a workaround for this problem.

If you click the "show advanced options" checkbox you can provide a manually created CSR, which makes the keygen tag obsolete. But the process is not really easy or user friendly. See https://wiki.cacert.org/FAQ/CSR as a starting point if you want to try that way.

(0005834)
Ted   
2019-09-08 12:51   
(Last edited: 2019-09-08 12:52)
I had a (very short!) look at the proposals of BarryN.

https://www.php.net/manual/en/function.openssl-csr-new.php will probably not help us, because this is code that runs on the server. It would not be appropriate for our standards to create a keypair on the server and then send it to the browser, because of the additional risk of compromising the key on the server or during transfer. BTW, this is the reason why CSRs have been invented.

https://pkijs.org/ looks more promising to me. As the provided example shows, the library seems to be able to create a keypair and a corresponding CSR locally in the browser. If the library uses the key storage of the browser for key generation and therefore does not have access to the private key itself, this may be a valid replacement of the keygen tag, since this is exactly what the tag does.

But, first of all, this assumption has to be verified by a code review. If the library creates the private key "itself", therefore having access to it, this also imposes the risk that the private key is compromised during the creation process.

Another downer is the sentence "Safari, Edge, and IE do not have complete, or correct implementations of Web Crypto.", which once again leaves a significant portion of the browser market uncovered...

Nevertheless, if there's anyone who would like to give it a try it may be worth to do more research in this direction.

(0005835)
vmbentley   
2019-09-08 13:38   
The 'downer sentence' was from 2015. Almost all browsers are supported now. To see what is and isn't supported visit https://caniuse.com/#feat=cryptography
(0005837)
BarryN   
2019-09-09 16:36   
I thought the JavaScript solution might be the better one. I have tested a few browsers and the basic functionality seems to work. According to the chart the current version of IE, Edge, Chrome, Firefox and Safari all have at least basic support.
(0005857)
Ted   
2020-01-06 11:22   
From a mail on the Support mailing list:

Hello everyone,

have a look at the library PKI.js. It is a toolbox in
JavaScript for all operations on X.509 certificates. With it you can
generate in the browser:

* Keypair
* PKCS#10 CSR
* PKCS#12 File

The user then only has to import the PKCS#12 file into the browser.
PKI.js can do considerably more than the old <keygen>; for example, it can
also generate EC keys.
(0005895)
L10N   
2020-06-27 13:28   
What's the state of play?
What happened to the app from Peter Y?
What happened to the proof of concept from dops?
What about pkijs.org?
What happened to the JavaScript solution?
What about the library PKI.js?

As a technical layman, I do not really understand it. The approaches sounded promising. Were they pursued further?
(0005911)
Felixishim   
2020-10-21 12:27   
Same here as L10N, and hoping that some type of solution will be proposed soon.
(0005912)
Ted   
2020-10-29 21:31   
(Last edited: 2020-10-29 22:37)
Looking into https://pkijs.org/ once more.

It seems possible to create a web page which could replace the key creation with openssl where openssl is not readily available (like on Windows):
- Create a key pair with the generateKey API
- Create a PKCS10 CSR with user-provided data for CommonName and SubjectAltName using the CertificationRequest class of PKIJS
- Show the PEM encoded request to the user for Copy/Paste
- The user must then paste the CSR into the CAcert web page, and use Copy/Paste to copy the created certificate into the PKIJS-based website
- The PKIJS based website combines key and certificate in a PKCS#12 (*.pfx) structure which can be downloaded by the user

This PKCS#12 structure can be imported into Mozilla's certificate database or into the Windows certificate storage.

Of course this also has the potential to be integrated in the CAcert web page, which could eliminate the Copy/Paste operations, but I'd consider that as the second step.

The main problem I see is that the creating script knows the created private key and could easily compromise it (intentionally or unintentionally). This is essentially the same as in an openssl based script, but since the script is loaded on demand from some webserver, as well as several libraries, the potential of phishing-like abuse is IMHO considerably greater...

Nevertheless it could be an easier-to-use variant for Windows users.
(0005913)
dops   
2020-10-29 22:26   
Regarding download: Search engines present solutions for locally creating files for "download". The first link looks like a clean and modern solution, which is also later mentioned behind the 2nd link with a longer history:
https://shinglyu.com/web/2019/02/09/js_download_as_file.html
https://stackoverflow.com/questions/3665115/how-to-create-a-file-in-memory-for-user-to-download-but-not-through-server

So it should be promising that all private key related operations can be done locally in the browser.


View Issue Details
ID: 1461 Category: [Blog] Severity: text Reproducibility: always Date Submitted: 2019-04-26 20:53 Last Update: 2020-09-16 21:25
Reporter: L10N Platform: Iiggg  
Assigned To: OS:  
Priority: normal OS Version:  
Status: new Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Summary: Hatchek, etc. not displayed
Description: zkouškou" is not displayed. Letters with hatchek or a circle above a u are replaced with "?".
Tags: blog, unicode
Steps To Reproduce: Put some Czech text in the text window. Press the preview button or the publish button. Accents will be replaced by "?".
Additional Information: The example shown in the uploaded pictures was written in LibreOffice, saved as png-picture and published as picture, not as text.
Attached Files: CAcertCATSCzech.png (223,664 bytes) 2019-04-26 20:53
http://bugs.cacert.org/file_download.php?file_id=466&type=bug
Screenshot_2020-08-08 Wikipedie, otevřená encyklopedie.png (96,861 bytes) 2020-08-07 22:11
http://bugs.cacert.org/file_download.php?file_id=476&type=bug
Screenshot_2020-08-08 Add New Post ‹ CAcert Blog — WordPress.png (73,037 bytes) 2020-08-07 22:11
http://bugs.cacert.org/file_download.php?file_id=477&type=bug
Screenshot_2020-08-08 lánek týdne.png (67,158 bytes) 2020-08-07 22:11
http://bugs.cacert.org/file_download.php?file_id=478&type=bug
Notes
(0005883)
jandd   
2020-05-12 20:00   
An idea: maybe the charset of some database tables is not utf8mb4. The database has been migrated from older versions of WordPress. This needs to be checked by an admin (Dirk or me); we should also check whether WordPress sends the correct encoding in the Content-Type header.
(0005885)
egal   
2020-05-16 20:35   
The "older" tables are "latin1_swedish_ci":

| wp_commentmeta | utf8mb4_unicode_ci |
| wp_postmeta | latin1_swedish_ci |
| wp_terms | latin1_swedish_ci |
| wp_term_relationships | utf8mb4_unicode_ci |
| wp_usermeta | latin1_swedish_ci |
| wp_users | latin1_swedish_ci |
| wp_termmeta | utf8mb4_unicode_ci |
| wp_comments | latin1_swedish_ci |
| wp_posts | latin1_swedish_ci |
| wp_term_taxonomy | latin1_swedish_ci |
| wp_links | latin1_swedish_ci |
| wp_options | latin1_swedish_ci |

WordPress itself uses UTF-8:
define('DB_CHARSET', 'utf8');
define('DB_COLLATE', '');

As WordPress was updated in April 2020, please test again ...
(0005899)
L10N   
2020-08-07 22:11   
I tested with an article of the main page of cs.wikipedia.org (pic 1 Wikipedia) and copy-pasted it into the blog (pic 2 Add New Post), then clicked on preview (pic 3 lánek). The result is as follows: In Wikipedia all accents/hatcheks are displayed. In the "new post" section they are displayed as well, only not in the title. In the preview there are still "?".

You can check in the 2nd line "Arpodvocu" (u with circle on it -> ?), "peceneszke" (c and e with hatchek -> ? [s and z with hatchek are displayed]),


View Issue Details
ID: 1493 Category: [Main CAcert Website] website content Severity: minor Reproducibility: always Date Submitted: 2020-08-07 22:31 Last Update: 2020-09-16 21:19
Reporter: L10N Platform:  
Assigned To: OS:  
Priority: high OS Version:  
Status: needs review & testing Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Reviewed by:
Test Instructions:
Summary: Replace Paypal button with IBAN bank account GRKB
Description: Instead of the Paypal buttons, the following should be shown:
CAcert Inc bank account Europe (GRKB) CH02 0077 4010 3947 4420 0
CAcert Inc bank account Australia (Westpac) (already displayed)
-------
Bankenclearing: 774
BIC (SWIFT): GRKBCH2270A

Grisons Cantonal Bank, Coire, Switzerland
Graubündner Kantonalbank, Chur, Schweiz
Banque Cantonale des Grisons, Coire, Suisse
Banca Cantonal Grigione, Coira, Svizzera
Banca Chantunela Grischuna, Cuira, Svizra
Tags:
Steps To Reproduce:
Additional Information:
Attached Files: 0.php (5,507 bytes) 2020-08-10 12:15
http://bugs.cacert.org/file_download.php?file_id=479&type=bug
21.php (2,147 bytes) 2020-08-10 12:15
http://bugs.cacert.org/file_download.php?file_id=480&type=bug
13.php (2,381 bytes) 2020-08-10 12:15
http://bugs.cacert.org/file_download.php?file_id=481&type=bug
5.php (2,864 bytes) 2020-08-10 12:15
http://bugs.cacert.org/file_download.php?file_id=482&type=bug
Notes
(0005901)
L10N   
2020-08-10 11:31   
28.7.2020:
> I have never tinkered with the homepage. But replacing the Paypal button
> with an IBAN number, I think I can manage that. Could you tell me where
> to find it? Perhaps in a git, where I then create a copy that the high
> lords can then check?
(0005902)
L10N   
2020-08-10 11:32   
29.7.2020:
It's not that simple ... ;-)

You need a bug number for that (Mantis) ... and ideally you deliver the
patch along with it.

You can download the sources directly from www.cacert.org without git
(I'd have to check where exactly the link is ... but somewhere
"bottom right").

Ted and I can then do the corresponding review, so that Ted can send it
to Critical (me), so that it is then immortalized on www.cacert.org.

(While you're at it: please throw out the Open Architecture Network from
the sponsors (it doesn't exist anymore) and put in a link to a sponsors
page in the wiki, where we can then name further (smaller) sponsors such
as abilit.eu (the "Luxembourg" server came from them) or individuals.

Take care

PS: I'd also have to look up the exact file ... but if you have the
sources, you can search for it with "grep" ... ;-)
(0005903)
L10N   
2020-08-10 12:15   
I replaced the Paypal button code with the IBAN, using the same coding as for the Westpac bank account information:
/pages/index/0.php
/pages/index/13.php
/pages/index/21.php

Furthermore, I removed the paypal button code (it was there to pay for password reset, the link to the wiki remains):
/pages/index/5.php
(I am not sure if this is another bug, but it has been an issue for a long time.)
(0005910)
L10N   
2020-09-16 21:19   
Following https://wiki.cacert.org/Brain/CAcertInc/Committee/MeetingAgendasAndMinutes/2020-09-03#Minutes

"We [the committee] will show on our homepage, at the top the EU bank account, lower the AU bank account, and Paypal as a third option."

So, the code has to be rewritten again. Sorry, no testing needed at the moment.


View Issue Details
ID: 1495 Category: [Main CAcert Website] website content Severity: block Reproducibility: always Date Submitted: 2020-09-08 18:44 Last Update: 2020-09-16 21:09
Reporter: cheems_tar Platform:  
Assigned To: OS:  
Priority: none OS Version:  
Status: new Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Reviewed by:
Test Instructions:
Summary: All non-static pages: "This function is currently unavailable. Please come back later."
Description: The website seems to be functionally down, and I see no formal announcements about this.
Tags:
Steps To Reproduce: Visit e.g. http://www.cacert.org/index.php?id=4
Additional Information:
Attached Files: Screenshot from 2020-09-08 13-44-21.png (16,724 bytes) 2020-09-08 18:44
http://bugs.cacert.org/file_download.php?file_id=484&type=bug
Notes
(0005908)
egal   
2020-09-08 21:48   
Filesystem was read-only after RAID failure, further investigations are running.

Server had been rebooted, services running again

Additional Monitoring has been established
(0005909)
L10N   
2020-09-16 21:09   
I checked twice on 03-09-2020 and 16-09-2020 with Firefox 80.0.1 on Ubuntu. Both times the site was running as normal.


View Issue Details
ID: 1423 Category: [Main CAcert Website] website content Severity: trivial Reproducibility: always Date Submitted: 2017-02-16 09:30 Last Update: 2020-08-10 14:17
Reporter: L10N Platform: Default  
Assigned To: Ted OS: any  
Priority: normal OS Version: any  
Status: needs review Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Reviewed by:
Test Instructions:
Summary: Link to an Asian Loan Bank
Description: On the bottom of cacert.org are some logos with links to these organisations, such as bit, tunix, nlnet, but also Open Architecture Network. The Open Architecture Network does not exist anymore and the URL is redirected to a loan bank institute in Singapore (https://easycredit.com.sg/moneylenders/).

A. The OAN logo should be removed.
B. If the bank pays some subsidies to CAcert, the logo should be replaced by their own logo.
Tags:
Steps To Reproduce:
Additional Information:
System Description Default profile.
Attached Files: sponsorinfo.php (744 bytes) 2020-08-10 14:17
http://bugs.cacert.org/file_download.php?file_id=483&type=bug
Notes
(0005540)
Eva   
2017-03-10 18:18   
I confirm that the link is pointing to a bank now, which does not seem to have a specific relation to the original project. Further, a quick search of mine did not provide any indication that the project continues to be active, but the search was not in depth.

However, I believe that board should decide about adding and removing of sponsors. I advise requesting a confirmation that this should be done by board before such a fix is done. They also should be those who know if it would be correct to remove the link or to let it point to a new destination of the project (or the correct destination of the bank, but I doubt that).
(0005541)
Eva   
2017-03-10 18:43   
I asked board via public mail what the correct solution would look like:
a) deleting the complete link, including the logo
b) fixing the link to a new location
c) changing the link to directly point to that bank, with correct logo
(probably not desired)
(0005657)
L10N   
2018-11-06 00:05   
The solution should be: remove the link from the logo. The logo itself can remain for the moment (until board has decided how to deal with these logos).
(0005658)
L10N   
2018-11-06 00:06   
This problem could be solved together with 0001440. GuKK Devel, can you do that? I am willing to review.
(0005846)
Ted   
2019-09-26 20:43   
Branch bug-1423 is now merged into the testserver installation and can be tested.

Test is quite easy: verify that the Open Architecture logo is removed from the bottom of the start page https://test.cacert.org/
Maybe verify that the logo is on no other page.
(0005847)
L10N   
2019-09-26 22:26   
I tested it:
1. Opened https://test.cacert.org/
2. scrolled down
3. did see 3 logos, but not that one from OpenArchitecture.

-> OK
(0005848)
GuKKDevel   
2019-09-27 09:28   
opened test.cacert.org
got the main page with logo of openarchitecture not shown.

looks as expected --> OK
(0005850)
Ted   
2019-10-02 19:28   
Minimum test reports are reached (which should be enough for such a simple change, but don't hesitate to post your report nevertheless!), so I'm putting this in status "needs review"...
(0005904)
L10N   
2020-08-10 12:23   
I completely forgot that I had already tested it and did it again in code on behalf of whatever:
- replaced the link from OpenArchitecture
- added another logo (CAcert) with link to our wiki page with the smaller sponsors
/includes/sponsorinfo.php
(0005905)
L10N   
2020-08-10 12:31   
I completely forgot that I had already tested it and did it again in code on behalf of egal:
- removed the broken link from OAN
- added another logo (CAcert) with link to the wiki page with other sponsors

/includes/sponsorinfo.php
(0005906)
L10N   
2020-08-10 12:51   
Egal asked me to do that (and I didn't remember, that it was already done and I was one of the reviewers). In the attached code is a difference:
- broken link removed (similar)
- new CAcert logo added with link to wiki sponsor page
/includes/sponsorinfo.php
(0005907)
L10N   
2020-08-10 14:17   
Egal asked me to do that (and I didn't remember, that it was already done and I was one of the reviewers). In the attached code is a difference:
- broken link removed (similar)
- new CAcert logo added with link to wiki sponsor page
/includes/sponsorinfo.php


View Issue Details
ID: 1482 Category: [Infrastructure host] general Severity: block Reproducibility: N/A Date Submitted: 2020-06-27 09:30 Last Update: 2020-08-09 09:25
Reporter: SaT Platform: Default  
Assigned To: jandd OS: any  
Priority: urgent OS Version: any  
Status: new Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Summary: Limit validity period of new HTTPS certificates to one year
Description: According to the German article from Heise (1), most browser manufacturers will not accept HTTPS certificates anymore after September 1, 2020, if they have a validity period longer than one year. This article mentions other sources from Apple (2) and Google (3) regarding this decision.

CAcert should respect this constraint when issuing SSL server certificates. It could be hard-coded, or the user may be able to select if the certificate has a validity period of e.g. 6 months, 1 year or 2 years.

(1) https://www.heise.de/news/Browser-Hersteller-verkuerzen-Zertifikats-Lebensdauer-auf-1-Jahr-4796599.html
(2) https://support.apple.com/en-us/HT211025
(3) https://chromium.googlesource.com/chromium/src/+/ae4d6809912f8171b23f6aa43c6a4e8e627de784
Tags:
Steps To Reproduce:
Additional Information:
System Description Default profile.
Attached Files:
Notes
(0005894)
L10N   
2020-06-27 13:11   
I have read the comments at Heise and come to the following conclusion:
1. we have to reduce the validity period from September 1 to 398 days (or 396 days - one day margin and every four years leap year)
2. if feasible, make the validity period selectable at the same time (otherwise later if possible):
As SaT says: 6/12 months (for web), but also 2/3/ev.5 years for other applications.
See among others the following article at Heise:

https://www.heise.de/forum/heise-online/Kommentare/Browser-Hersteller-verkuerzen-Zertifikats-Lebensdauer-auf-ein-Jahr/Als-ob-nur-Webserver-Browser-Zertifikate-verwenden/posting-36927599/show/
(they write about smtp, imap, ftp, ldap, xmpp, stunnel, and others)

The selection (e.g. radio button) must clearly state "for all purposes, incl. https" or "not suitable for websites/https" next to the duration.
(0005900)
Ted   
2020-08-09 09:25   
I just had a look at Apple's page cited above. There the statement is "This change will affect only TLS server certificates issued from the Root CAs preinstalled with iOS, iPadOS, macOS, watchOS, and tvOS."

Chromium's statement is "Enforce publicly trusted TLS server certificates ...", which is not as specific as Apple's, but could be interpreted the same way...


View Issue Details
ID: 1464 Category: [Main CAcert Website] certificate issuing Severity: minor Reproducibility: N/A Date Submitted: 2019-08-04 16:54 Last Update: 2020-06-27 14:22
Reporter: Ted Platform:  
Assigned To: Ted OS:  
Priority: normal OS Version:  
Status: new Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Reviewed by:
Test Instructions:
Summary: Support ACME protocol for issuing certificates
Description: Request by CAcert board. First step is to evaluate the amount of work needed, then the decision should be made whether to implement the protocol or to postpone it.
Tags:
Steps To Reproduce:
Additional Information:
Attached Files:
Notes
(0005821)
Ted   
2019-08-04 17:00   
Start for research is Wikipedia https://en.wikipedia.org/wiki/Automated_Certificate_Management_Environment, the corresponding RFC seems to be https://tools.ietf.org/html/rfc8555
(0005822)
Ted   
2019-08-12 10:43   
I have given the RFC a first cursory reading. My findings are recorded in the wiki at https://wiki.cacert.org/Software/Projects/Bug%231464%3A%20ACME%20protocol

Feel free to add your own findings there.

As a (preliminary!) summary, I guess that there will be some work to do, implementing extensions to the CAcert website as well as implementing the protocol interface itself, probably several days of work, but that the job itself will not be impossible.


View Issue Details
ID: 775 Category: [Main CAcert Website] certificate issuing Severity: minor Reproducibility: have not tried Date Submitted: 2009-09-05 10:25 Last Update: 2020-06-27 14:15
Reporter: Bas van den Dikkenberg Platform:  
Assigned To: egal OS:  
Priority: normal OS Version:  
Status: needs review Product Version: 2009 Q3  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version: 2015 Q1  
Reviewed by: Ted
Test Instructions:
Summary: An org certificate is only valid one year
Description: When I make an Organisational client certificate it's only valid one year; this must be two as far as I can find in the policy. The policy doesn't specify that it's not valid two years.

 
Tags:
Steps To Reproduce:
Additional Information:
Attached Files:
Notes
(0001476)
homer   
2009-09-06 12:12   
Hello Bas,

I guess you are right
http://www.cacert.org/index.php?id=19

Best regards,

Guillaume
(0001477)
homer   
2009-09-11 20:14   
Hello Bas,

I confirm the cert lifetime is one year whatever you choose, codesigning or not (class 1 or 3 root).

Best regards,

Guillaume
(0001478)
homer   
2009-09-11 20:15   
confirmed Sept 11th 2009
(0002085)
Uli60   
2011-07-05 02:17   
(Last edited: 2011-07-05 11:49)
added note regarding certs issued under Organisation Assurance program are valid for 12 months under
https://wiki.cacert.org/FAQ/Privileges
redirection fix is handled under
https://bugs.cacert.org/view.php?id=897

to update the text, you have to update
https://wiki.cacert.org/FAQ/Privileges

http://www.cacert.org/policy/CertificationPracticeStatement.php
lists Organisation SubRoot -> Expiry of Certificates -> 24 months
for the new root and
Assured Members -> Expiry of Certificates -> 24 months
for the "old" root

http://www.cacert.org/policy/OrganisationAssurancePolicy.php
refers to CPS about cert issuing

affected source code is starting in:
https://cacert1.it-sls.de/account.php?id=16 (client certs)
https://cacert1.it-sls.de/account.php?id=20 (server certs)

probably one of the CommModule scripts needs to be reviewed
e.g. client.pl (sub calculateDays($)) l.440 ff. counts days based on received assurance points: if >= 50 then 730 days, otherwise 180 days.
Do organisation users receive assurance points over 50?

client.pl l.835 (sub HandleCerts($$)) displays correct calculation:
      my $days=$org?($server?(365*2):365):calculateDays($row{"memid"});
if org (is yes), if server cert then calculate #days = 2 x 365 days = 730
sub calculateDays() will not be called here

(0004603)
INOPIAE   
2014-02-25 07:39   
I pushed a fix to https://github.com/INOPIAE/CAcert/tree/bug-775
(0005257)
BenBE   
2015-01-21 21:51   
Patch applied to testserver.

The testserver always uses 30 days instead of 730 days.
(0005260)
INOPIAE   
2015-01-21 22:24   
I just created a new org client cert. Duration is 2 years => ok
I just created a new org server cert. Duration is 2 years => ok
=>ok
(0005261)
Uli60   
2015-01-21 22:30   
renewed Org.Server cert => now valid for 2 years
renewed Org.Client cert => now valid for 2 years
(0005816)
Ted   
2019-07-17 07:42   
There has been an explicit request on the support mailing list for longer lasting org certificates, so I'm trying to revive this case...
(0005817)
Ted   
2019-07-21 21:15   
The changes checked in by INOPIAE in his commit 900a6f2b9ea899bcf66cbc47848d6a8057bcaca0 five years ago are quite minimal.

I guess the easiest way to get it compatible to the current code is to manually re-do those changes on the current release branch...
(0005818)
Ted   
2019-07-21 21:25   
Note that Org-server certificates already are valid for 2 years on the production system, only client certs are reduced to 1 year validity...
(0005819)
Ted   
2019-07-21 21:57   
Hmm, indeed rebasing the existing bug-775 worked fine, so I pushed the branch to the GitHub-repository. git.cacert.org is not (yet) updated.
(0005820)
Ted   
2019-07-26 21:07   
bug-775 is now merged into test-1442 and installed on the (old) testserver, so it may once more be tested...
(0005823)
Golffies   
2019-08-22 15:20   
[Second attempt to submit the test report; previous drafted report got lost when submitting it, thanks to an "invalid authentication token" issue; some inaccuracies may have then been added to the present report, when re-writing it yet another time.]

Test report


1. Tested URL: https://test.cacert.org


2. Pre-requisites - Set #1:

2.1. having user's e-mail address been verified;
2.2. having been assured by other Assurers, up to 100 points;
2.3. being an Assurer, i.e. having passed CATS;
2.4. being an Organisation Assurer.

All pre-requisites fulfilled by tuning existing user account registered on https://test.cacert.org through the Test Manager available at https://mgr.test.cacert.org:14843.


3. Pre-requisites - Set #2:

3.1. Having registered an Organisation;
3.2. Having defined yourself as an Administrator for that Organisation;
3.3. Having defined a Domain for that Organisation;

All prerequisites fulfilled by registering the related information on https://test.cacert.org.


4. Organisation Server Certificate - Steps which have been completed:

4.1. off-line preparing a CSR certificate with openssl;
4.2. requesting a new certificate under the Org Server Certs menu;
4.3. pasting the CSR in PEM format to the corresponding field;
4.4. choosing Class Root 1 as signing certificate;
4.5. choosing SHA512 as signature algorithm;
4.6. clicking on Submit button;
4.7. reviewing and confirming Organisation details on next screen;
4.8. getting a PEM on-screen copy of the Org Server generated certificate;
4.9. off-line reading the validity period of the certificate with openssl;
4.10. displaying the list of existing Server certificates under the Org Server Certs menu;
4.11. on-line reading the validity period of the considered certificate;
4.12. comparing the on-line (test.cacert.org) expiry dates with the off-line (openssl) expiry dates.

Results are given at the end of the report.


5. Organisation Client Certificate - steps completed:

5.1. off-line preparing a CSR certificate with openssl;
5.2. requesting a new certificate under the Org Client Certs menu;
5.3. entering required personal details;
5.4. keeping Class Root 3 (default) as signing certificate;
5.5. keeping SHA256 (default) as signature algorithm;
5.6. clicking on Next button;
5.7. pasting the same CSR as previously, in PEM format, to the corresponding field;
5.8. clicking on Submit CSR button;
5.9. getting a PEM on-screen copy of the Org Client generated certificate;
5.10. off-line reading the validity period of the certificate with openssl;
5.11. displaying the list of existing Client certificates under the Org Client Certs menu;
5.12. on-line reading the validity period of the considered certificate;
5.13. comparing the on-line (test.cacert.org) expiry dates with the off-line (openssl) expiry dates.

Results are given at the end of the report.


6. Observed results

6.1. Org Server Cert result for 4.9: [PASSED]

        Validity
            Not Before: Aug 22 09:54:00 2019 GMT
            Not After : Aug 21 09:54:00 2021 GMT

6.2. Org Server Cert result for 4.11: [PASSED]

        Expires
        2021-08-21 09:54:00

6.3. Org Server Cert result for 4.12: [PASSED]

        Not After : Aug 21 09:54:00 2021 GMT
        =
        2021-08-21 09:54:00


6.4. Org Client Cert result for 5.10: [PASSED]

        Validity
            Not Before: Aug 22 11:26:19 2019 GMT
            Not After : Aug 21 11:26:19 2021 GMT

6.5. Org Client Cert result for 5.12: [PASSED]

        Expires
        2021-08-21 11:26:19

6.6. Org Client Cert result for 5.13: [PASSED]

        Aug 21 11:26:19 2021 GMT
        =
        2021-08-21 11:26:19


7.1. Copy of the Org Server generated certificate:

7.1.1. Certificate in text format

$ openssl x509 -text -noout -in 2019-08-22_OrgaServCert.pem

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 20697 (0x50d9)
    Signature Algorithm: sha512WithRSAEncryption
        Issuer: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1.it-sls.de, CN=CAcert Testserver Root
        Validity
            Not Before: Aug 22 09:54:00 2019 GMT
            Not After : Aug 21 09:54:00 2021 GMT
        Subject: C=FR, ST=Ile de France, L=Paris, O=Ellis BBS, CN=ellis.siteparc.fr
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl.cacert.org/revoke.crl

            X509v3 Subject Alternative Name:
                DNS:ellis.siteparc.fr, othername:<unsupported>
    Signature Algorithm: sha512WithRSAEncryption

7.1.2. Certificate in PEM format



7.2. Copy of the Org Client generated certificate:

7.2.1. Certificate in text format

$ openssl x509 -text -noout -in 2019-08-22_OrgaClientCert.pem

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 23477 (0x5bb5)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=CAcert Testsever, OU=http://cacert1.it-sls.de, CN=CAcert Testserver Class 3
        Validity
            Not Before: Aug 22 11:26:19 2019 GMT
            Not After : Aug 21 11:26:19 2021 GMT
        Subject: C=FR, ST=Ile de France, L=Paris, O=Ellis BBS, OU=Gro\xC3\x9Fe Katastrophe, CN=John Doe (The Original!)/emailAddress=John.Doe@ellis.siteparc.fr
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            Netscape Comment:
                To get your own certificate for FREE head over to http://www.CAcert.org
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                E-mail Protection, TLS Web Client Authentication, Microsoft Encrypted File System, Microsoft Server Gated Crypto, Netscape Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://test.cacert.org/test-class3-revoke.crl

            X509v3 Subject Alternative Name:
                email:John.Doe@ellis.siteparc.fr
    Signature Algorithm: sha256WithRSAEncryption
         c0:11:7f:12:84:96:65:b3:70:cc:6c:5b:c6:ca:9a:18:07:d6:
         1e:c5:58:34:46:0d:1d:e9:7d:40:40:a4:65:cf:51:17:d3:ec:
         8f:fa:a3:3c:d2:8b:69:d3:26:cb:4a:7e:a9:13:6c:67:b4:70:
         54:86:55:f8:20:08:49:47:db:2b:ba:f3:9a:aa:a2:0b:60:eb:
         b0:f2:70:70:c6:a5:4c:e4:ce:f0:db:77:48:8f:e5:3c:b4:7d:
         90:60:18:cd:41:d3:74:07:1b:1e:33:e8:bb:cd:2d:c9:5a:4a:
         8c:4a:61:3d:9c:c0:ea:6e:e4:9b:95:04:05:97:c0:40:96:3e:
         43:5b:ca:c5:2a:21:59:6f:79:22:d0:14:b0:72:97:30:56:07:
         3f:26:59:06:98:b4:cf:91:0b:38:b5:ea:26:a7:9b:a2:35:65:
         71:6b:38:c6:6d:54:59:44:bd:9a:71:a4:c0:64:c9:70:78:0e:
         2b:61:07:82:19:68:e9:46:70:fd:4e:73:78:0c:6c:9b:3e:2a:
         cb:d1:55:65:08:c9:b7:d5:d9:53:54:d1:af:d1:56:12:3c:eb:
         e6:b5:ad:e3:7b:0e:f6:10:1e:b6:e4:98:bf:46:9c:40:48:6f:
         b4:cb:c7:b2:9b:9b:2f:06:3d:0a:14:21:35:c5:88:73:75:52:
         a9:3d:ab:00:8a:6d:2d:d5:88:3c:01:2f:e6:33:5a:2a:db:c8:
         59:5e:02:e1:e7:3d:17:1a:0f:e3:54:eb:86:24:29:f5:fa:5c:
         c0:f0:e1:45:2f:78:62:0e:41:da:ca:e9:fd:b7:a3:92:78:0b:
         6a:0a:00:17:e9:d9:16:18:3f:d8:2e:71:cf:e8:62:e2:98:74:
         ab:90:be:7a:d3:2e:0c:f8:a0:05:72:9c:20:1a:da:2d:ed:4b:
         23:9c:2a:5f:4f:93:d8:5e:f2:0c:49:dc:ac:05:a8:5c:72:8d:
         c8:64:92:20:f1:87:4a:c4:93:ab:4d:e7:f3:f9:32:1d:75:e2:
         56:28:4e:62:8b:b7:e3:f2:49:09:c2:85:b8:37:2e:74:68:53:
         0d:35:0e:97:59:f5:cb:1d:e8:4b:87:0c:9a:f2:42:e2:86:18:
         27:dc:1e:7e:d9:80:63:7d:77:a7:2e:96:f7:f7:de:70:64:a0:
         5b:fc:e3:52:0a:7d:4a:af:2e:ad:21:b6:e1:a8:63:ad:89:50:
         cb:38:c4:d8:f2:c8:1e:79:ce:23:57:a9:85:56:f8:32:bb:04:
         b1:18:3f:61:3d:06:3d:c8:11:c2:26:d7:c6:89:f2:75:8a:b1:
         f6:e2:27:e6:64:be:50:44:2b:b1:b2:5f:19:56:ab:f4:8f:78:
         05:11:f4:c2:32:02:57:ac

7.2.2. Certificate in PEM format

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


8. Side note

Is it OK for our application to let an Organisation Administrator make use of the same private key / CSR for generating both an Org Server Cert and an Org Client Cert?
(0005825)
Ted   
2019-08-23 18:42   
> 8. Side note
>
> Is it OK for our application to let an Organisation Administrator make use of the same private key / CSR,
> for generating both an Org Server Cert and an Org Client Cert?

IMHO it does not make much sense to use the same key for different types of certificates (client/server), but it should not pose a problem for CAcert. Though I did not do elaborate evaluations I don't see how this feature can be abused.

Of course it is extremely bad practice to use the same key for different certificates, regardless of whether they are of the same or of a different type.
The only (more or less) sensible use of a key in multiple certificates is when a certificate is renewed, when the certificate has the same relevant content (CN) and only differs in formal fields (expiration date and similar). I personally would advise against even this practice.
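Added example, not from this issue or the CAcert code: a check for the key reuse Ted's note discusses. It extracts the RSA modulus from `openssl x509 -text -noout` output (the format of the certificate dumps above) and compares fingerprints across certificates, so an assessor can tell whether an Org Server Cert and an Org Client Cert were issued on the same key. The certificate excerpts are constructed with short made-up moduli, not keys from any real certificate.

```python
import hashlib

# Constructed excerpts in the layout of `openssl x509 -text -noout` output.
# The moduli are short made-up values; a real RSA-2048 modulus has 257 bytes
# including the leading 00 sign byte that openssl prints.
SERVER_CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4097 (0x1001)
        Subject: O=Example Org, CN=www.example.test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b7:4a:1e:9c:33:d2:05:f1:77:28:ae:60:0b:cc:
                    91:5e:23:fa:07:d8:4c:61:12:39:ab:f0:8e:55:c3:
                    71:2f
                Exponent: 65537 (0x10001)
"""

# The same key pair reused for a client certificate: different serial and
# subject, identical modulus.
CLIENT_CERT_TEXT = SERVER_CERT_TEXT.replace(
    "Serial Number: 4097 (0x1001)", "Serial Number: 4098 (0x1002)"
).replace("CN=www.example.test", "CN=Jane Doe/emailAddress=jane@example.test")

# An unrelated certificate on its own key (first modulus bytes differ).
OTHER_CERT_TEXT = SERVER_CERT_TEXT.replace("00:b7:4a:1e:9c", "00:c9:02:77:e4")


def extract_modulus(cert_text):
    """Return the RSA modulus from openssl's text dump as bytes.

    The hex block runs from the line after 'Modulus:' up to 'Exponent:'.
    The leading 00 sign byte is dropped so the value is canonical.
    """
    hex_parts = []
    collecting = False
    for line in cert_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Modulus:"):
            collecting = True
            continue
        if collecting:
            if stripped.startswith("Exponent:"):
                break
            hex_parts.append(stripped)
    if not collecting or not hex_parts:
        raise ValueError("no RSA modulus block found")
    return bytes.fromhex("".join(hex_parts).replace(":", "")).lstrip(b"\x00")


def key_fingerprint(cert_text):
    """SHA-256 over the modulus; certificates on the same key share this value."""
    return hashlib.sha256(extract_modulus(cert_text)).hexdigest()


def shares_key(cert_a, cert_b):
    return key_fingerprint(cert_a) == key_fingerprint(cert_b)


def find_key_reuse(certs):
    """Map fingerprint -> labels for every key that appears in more than one certificate."""
    groups = {}
    for label, text in certs.items():
        groups.setdefault(key_fingerprint(text), []).append(label)
    return {fp: labels for fp, labels in groups.items() if len(labels) > 1}


if __name__ == "__main__":
    print(find_key_reuse({"server": SERVER_CERT_TEXT,
                          "client": CLIENT_CERT_TEXT,
                          "other": OTHER_CERT_TEXT}))
```

The same comparison works for real dumps: run `openssl x509 -text -noout` on each PEM file and pass the outputs to `find_key_reuse`. Only the modulus is compared, so a renewed certificate with a new serial and validity period but the old key is reported as reuse, which is exactly the case the note advises against.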
(0005826)
Ted   
2019-08-23 18:44   
This issue now needs to be reviewed. I'll do one review myself and hope Dirk will do the other one. Or is there any other Software Assessor out there?
(0005827)
Ted   
2019-08-23 18:52   
Reviewed commit ad77a681eda40a7a0331adffaf67bfb16986adac versus d328ebd6ad641a9caf4c80208a14d3b8f768edc0

The changes are very minimal, the review is PASSED


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1368 [Infrastructure] general feature always 2015-02-02 22:59 2020-06-27 12:22
Reporter: jandd Platform:  
Assigned To: jandd OS:  
Priority: normal OS Version:  
Status: solved? Product Version:  
Product Build: Resolution: fixed  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Summary: setup new webmail system to replace old system
Description: the current webmail system is based on obsolete Debian Etch (4.0) and needs to be replaced:

Current Idea:
- new container with Debian Wheezy (or Jessie if available)
- setup of Roundcube
- setup of Community password reset (or a replacement)
- (optional) LDAP integration
Tags:
Steps To Reproduce:
Additional Information:
Attached Files:
Notes
(0005893)
jandd   
2020-06-27 12:22   
new Webmail on Debian Buster has been setup


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1241 [Main CAcert Website] misc major always 2014-01-27 12:41 2020-06-27 12:18
Reporter: hanno Platform:  
Assigned To: jandd OS:  
Priority: high OS Version:  
Status: solved? Product Version:  
Product Build: Resolution: reopened  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Reviewed by:
Test Instructions:
Summary: cacert.org SSL/TLS configuration is bad on many levels
Description: I just had a look at how the cacert.org webpage performs in its SSL/TLS settings. See the Qualys SSL test:
https://www.ssllabs.com/ssltest/analyze.html?d=cacert.org

It's very bad. Issues that should be addressed:
* It doesn't support TLS 1.1 and TLS 1.2. There have been various issues with older TLS versions due to the crappy way it combines CBC and MAC, so everyone these days recommends supporting TLS 1.2 with GCM.
* It uses RC4 and MD5 as its first cipher. RC4 should be avoided and MD5 has been extremely broken for a very very long time.
* It doesn't ship the class3 as a certificate chain, so people importing the cacert root in their browser will still not see the page cert as valid.
* Only very limited support for Perfect Forward Secrecy.
* DH key exchange with 1024 bit only.

I can give more details and explanations for each of those issues if needed.
Tags:
Steps To Reproduce:
Additional Information:
Attached Files: CAcert-SSLLabsreport-20141018.pdf (111,978 bytes) 2014-10-18 10:50
http://bugs.cacert.org/file_download.php?file_id=385&type=bug
CAcert-SSLLabsreport-20141201.pdf (113,642 bytes) 2014-12-01 15:22
http://bugs.cacert.org/file_download.php?file_id=393&type=bug
Notes
(0004626)
NEOatNHNG   
2014-03-10 18:09   
Cipher suite configuration should probably be changed to something like

# CAcert cipher suite configuration
SSLHonorCipherOrder on
SSLCipherSuite kEECDH:kEDH:AESGCM:ALL:+3DES:!RC4:!LOW:!EXP:!MD5:!aNULL:!eNULL


That doesn't solve the TLS 1.1/1.2 issue, that needs a system upgrade.

The class3 certificate is not needed in the chain because the certificate is directly signed by the root.

DH keys with more than 1024 bit are only available in Apache >=2.4.7. Otherwise we would need to patch it ourselves and I wouldn't go down that road right now. That's why in the above cipher spec ECDH is preferred over DH because there the EC key size offers more security than 1024 bit DH. Once Apache 2.4.7 is deployed we should probably switch those because of some uncertainties in EC.
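An added example, not from this issue or the CAcert configuration: it audits a cipher list against the problems raised in this report (RC4 and MD5, export and low-strength suites, anonymous suites, 3DES, and RSA key exchange without forward secrecy). It parses the `openssl ciphers -v` line format; the sample list is constructed to contain those weaknesses and is not the output of any CAcert host, and the `openssl_ciphers` helper simply shells out to a local `openssl` if one is installed.

```python
import re
import subprocess

# Constructed sample in the layout of `openssl ciphers -v`, chosen to contain the
# weaknesses discussed in this report; it is not the cipher list of any CAcert host.
SAMPLE_CIPHER_LIST = """\
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
EXP-RC2-CBC-MD5         SSLv3 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
"""

# One `openssl ciphers -v` line: name, protocol, Kx=, Au=, Enc=ALG(bits), Mac=, optional "export".
# (Suites with Enc=None, i.e. eNULL, carry no bit count and are deliberately not matched.)
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>[A-Za-z0-9]+)\((?P<bits>\d+)\)\s+Mac=(?P<mac>\S+)(?P<export>\s+export)?"
)


def parse_cipher_list(text):
    """Turn `openssl ciphers -v` output into a list of suite dicts."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            suite = m.groupdict()
            suite["bits"] = int(suite["bits"])
            suite["export"] = bool(suite["export"])
            suites.append(suite)
    return suites


def audit_suite(suite):
    """Policy findings for one suite (empty list means acceptable under this policy)."""
    findings = []
    if suite["au"] == "None":
        findings.append("anonymous (no server authentication)")
    if suite["export"] or suite["bits"] < 128:
        findings.append("export/low strength")
    if suite["enc"] in ("RC4", "RC2", "DES", "3DES"):
        findings.append("weak cipher " + suite["enc"])
    if suite["mac"] == "MD5":
        findings.append("MD5 MAC")
    if suite["kx"].startswith("RSA"):
        findings.append("no forward secrecy (RSA key exchange)")
    return findings


def audit_cipher_list(text):
    """Map each offending suite name to its findings; clean suites are omitted."""
    report = {}
    for suite in parse_cipher_list(text):
        findings = audit_suite(suite)
        if findings:
            report[suite["name"]] = findings
    return report


def openssl_ciphers(spec):
    """Expand a cipher string with the local openssl (requires openssl on PATH)."""
    out = subprocess.run(["openssl", "ciphers", "-v", spec],
                         capture_output=True, text=True, check=True)
    return out.stdout


if __name__ == "__main__":
    for name, findings in audit_cipher_list(SAMPLE_CIPHER_LIST).items():
        print(name, "->", "; ".join(findings))
```

To see what a candidate string such as the one in the note above actually expands to on a given OpenSSL build, feed `openssl_ciphers("kEECDH:kEDH:AESGCM:ALL:+3DES:!RC4:!LOW:!EXP:!MD5:!aNULL:!eNULL")` into `audit_cipher_list`; the order of the expansion is the server's preference order when `SSLHonorCipherOrder` is on.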
(0004635)
NEOatNHNG   
2014-03-11 23:08   
New cipher suite configuration was deployed. More ciphers will be available after system update.
(0004885)
hanno   
2014-07-13 12:32   
I'm surprised that this has been closed as most issues I mentioned are not fixed at all.

Also, it seems currently the webpage is vulnerable to the CCS injection bug. (it is not THAT severe, because the known attacks only affect newer openssl-versions, but still Adam Langley pointed out that there are likely other attacks without that limitation).
(0004990)
sebix   
2014-09-07 14:10   
cats.cacert.org has an F-rating: https://www.ssllabs.com/ssltest/analyze.html?d=cats.cacert.org And uses an outdated OpenSSL-Version from prior to June 2014 (nearly 3 full months ago!), as it's affected by CVE-2014-0224. It includes ciphers like RC2, RC4, DES, DES40.
secure.cacert.org and ocsp.cacert.org only provide up to TLS1.0: https://www.ssllabs.com/ssltest/analyze.html?d=secure.cacert.org https://www.ssllabs.com/ssltest/analyze.html?d=ocsp.cacert.org
infrastructure.cacert.org uses a cert for monitor.cacert.org
finance.cacert.org uses a cert from board.cacert.org

For state-of-the-art crypto in TLS I recommend using 'Applied Crypto Hardening' by https://bettercrypto.org

CAcert is a showcase project on how crypto should be done and represents an important part of the Web of trust. On the other hand it uses vulnerable and weak crypto on some subdomains.
(0004991)
wytze   
2014-09-07 14:39   
Please note that this bug primarily concerns www.cacert.org and secure.cacert.org. For these services, we are waiting on the approval of a fairly trivial application bug fix, after which we can re-do the upgrade of the chroot OS environment to Debian Wheezy -- including *much* better openssl support, which will make a considerable rating difference. Still, even without that upgrade, the current SSL Labs rating of these services is "B" when we disregard the trust issue -- an issue, which can only be resolved by getting the CAcert root certificate included in major browser distributions.

For ocsp.cacert.org, SSL is fairly unimportant: we are receiving ZERO real OCSP requests over SSL (https). The https channel is only used by a few sites trying to establish the security of the site it seems (140 reqs in one full month ...). Still, the "B" rating (again disregarding the trust issue) is fairly decent. We can probably improve it by upgrading the OS to a more recent version.

cats.cacert.org is another category: this system is not managed by the critical system admin team. Please file a separate bug for this system, so the problem can be assigned to the appropriate sysadmin. At first look, it would seem that a simple reconfig of the Apache webserver there would make a major difference. You could also e-mail cats-admin@cacert.org directly.
(0004992)
sebix   
2014-09-07 15:24   
Thanks for the response and the explanations, so this issue is currently blocked by 0001260.
For cats.cacert.org I filed a separate issue, referencing this one.
(0004993)
wytze   
2014-09-07 15:41   
This issue is specifically blocked by https://bugs.cacert.org/view.php?id=1301.
https://bugs.cacert.org/view.php?id=1260 has a much wider scope, we don't have to wait for a full fix of that one to address the current issue.
(0005056)
wytze   
2014-10-18 10:49   
By upgrading the CAcert chroot application environment to Debian Wheezy on October 17, 2014 (see https://lists.cacert.org/wws/arc/cacert-systemlog/2014-10/msg00007.html), the SSL support of the cacert.org main webserver has been brought up-to-date. While there is still scope for improvement (e.g. dropping SSLv3 protocol support, dropping 3DES cipher support), the issues raised in this bug entry appear to have been resolved. I will add a note with the current report from www.ssllabs.com for www.cacert.org.
(0005057)
wytze   
2014-10-18 10:52   
Check the attached file https://bugs.cacert.org/file_download.php?file_id=385&type=bug for the SSLLabs report for www.cacert.org on October 18, 2014.
(0005059)
hanno   
2014-10-19 15:24   
This issue has now been closed the second time without being fixed. It's getting ridiculous.

Unfixed and mentioned in the original report:
* DH key exchange with insecure length

Other issues:
* No ocsp stapling
* SSLv3 is enabled. If you haven't heard it: SSLv3 is insecure. Completely. This wasn't such a big issue when this bug was opened, but we know better now (POODLE attack 4 days ago)
(0005060)
wytze   
2014-10-19 16:04   
I did not close the issue, but only reported a significant fix, setting status to "solved?" (note the question mark). Another evaluation would have to take place before the issue could be closed. Evidently it cannot be closed yet.

As for the issues mentioned:
* DH key exchange with insecure length
- DH key length was indeed not addressed by the reported fix.
  Increasing the key length is desirable of course, but currently we are limited
  by the options of the deployed software: Debian Stable (Wheezy) with Apache2
  2.2.22. This will have to wait until Debian Jessie gets promoted to Stable.
* No OCSP stapling
- Not mentioned in the original issue. I agree that OCSP stapling is a nice
  feature to have, but again we are limited by Debian/Apache. OCSP stapling is
  supported from Apache 2.3.3 onwards I think, so again Debian Jessie will be
  fine.
* SSLv3 is enabled
- Yes, it is and will remain so for another while because we are visited by
  clients with MSIE 6.0, which we must support. But we are planning to phase
  them out. In the meantime, we can recommend everyone to use a contemporary
  browser to visit www.cacert.org; such browsers will support TLS_FALLBACK_SCSV,
  which we also support at the server side, so they are protected against
  unintended protocol downgrades.
(0005061)
wytze   
2014-10-20 13:22   
The SSLv3 issue has been split off in a separate issue:
   https://bugs.cacert.org/view.php?id=1303
(0005139)
wytze   
2014-12-01 15:22   
On December 1, 2014, support for SSL3 and 3DES has been disabled on the CAcert webserver, and HSTS has been enabled for additional security hardening.
Check for details https://lists.cacert.org/wws/arc/cacert-systemlog/2014-12/msg00000.html

Other options mentioned by the reporter of this issue:
- DH key length
- OCSP Stapling
are still waiting for the Debian project promoting Jessie to stable.
(0005140)
wytze   
2014-12-01 15:23   
Check the attached file https://bugs.cacert.org/file_download.php?file_id=393&type=bug for the SSLLabs report for www.cacert.org on December 1, 2014.
(0005171)
sebix   
2014-12-14 10:47   
If I haven't overseen something, this issue has been successfully solved for most sites.
However, lists.cacert.org still supports SSL3 (but all TLS versions up to 1.2) and anonymous ciphers, and the cipher preference could be better. See https://www.ssllabs.com/ssltest/analyze.html?d=lists.cacert.org for more details.
(0005174)
Mathias   
2014-12-14 13:36   
Hi!

To summarize things, I checked the situation on the following hosts that I know:

- blog.cacert.org: seems OK
- board.cacert.org: NOT OK, see 0001349
- bugs.cacert.org: seems OK
- cats.cacert.org: seems OK
- email.cacert.org: NOT OK, see 0001350 (HTTPS), 0001351 (SMTP via STARTTLS) - sorry for using the same subject (copy&paste error)
- git.cacert.org: seems OK
- irc.cacert.org: NOT OK, see 0001346
- issue.cacert.org: seems OK
- lists.cacert.org: NOT OK, see 0001347 (HTTPS), 0001352 (SMTP via STARTTLS)
- secure.cacert.org: seems OK
- svn.cacert.org: NOT OK, see 0001348
- translations.cacert.org: NOT OK, see 0001353
- wiki.cacert.org: seems OK
- www.cacert.org: seems OK

Are there any hosts missing?

I think it's too early for the "all clear" signal...

If there's a possibility to help in further examining *and* fixing these issues, please give me a hint.

Regards
Mathias
(0005749)
wytze   
2019-01-24 11:36   
Reassigning this to jandd because the only issue blocking closing this one is 0001350, which is assigned to jandd.
(0005889)
jandd   
2020-06-27 12:18   
issues with email certificates have been resolved


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1350 [Main CAcert Website] misc major always 2014-12-14 12:38 2020-06-27 12:17
Reporter: Mathias Platform:  
Assigned To: jandd OS:  
Priority: urgent OS Version:  
Status: solved? Product Version: 2014 Q4  
Product Build: Resolution: fixed  
Projection: none      
ETA: none Fixed in Version:  
    Target Version: 2014 Q4  
Reviewed by:
Test Instructions:
Summary: {community,email}.cacert.org SSL/TLS configuration rated grade F on SSL Labs
Description: Hi!

SSL/TLS issues on {community,email}.cacert.org (roundcube via HTTPS):
- anonymous cipher suites enabled
- SSLv3 enabled (POODLE attack)
- no TLS v1.1
- no TLS v1.2
- TLS compression enabled (CRIME attack)
- no secure renegotiation (RFC 5746)
- no forward secrecy with reference browser provided

For short: very extremely bad :-(

Please see
https://lists.cacert.org/wws/arc/cacert-sysadm/2014-12/msg00000.html

Thanks for looking into this issue.

Mathias
Tags:
Steps To Reproduce:
Additional Information:
Attached Files: SSL_Labs-email.cacert.org-grade_F-20141214.pdf (169,102 bytes) 2014-12-14 12:38
http://bugs.cacert.org/file_download.php?file_id=398&type=bug
SSL_Labs-email.cacert.org-grade_B-20150125.pdf (100,750 bytes) 2015-01-25 17:42
http://bugs.cacert.org/file_download.php?file_id=405&type=bug
Notes
(0005209)
jandd   
2014-12-27 11:52   
did the best to improve the configuration but the possibilities are very limited because the community webmail system is still on Apache 2.2.3/Debian Etch and does not support modern TLS versions or cipher suites.

At least we get a grade B at ssllabs now.
(0005268)
Mathias   
2015-01-25 17:53   
Debian 4.0 Etch had received official support until 15 Feb 2010 - which is nearly five years ago! Hm, if this system isn't actually used/maintained by anybody, there might be someone to press the "big red button" for it...
(0005269)
Mathias   
2015-01-25 18:10   
I just saw on https://wiki.cacert.org/SystemAdministration/Systems/Email that pressing the "red button" is not a good idea.

From today's point of view the SSL/TLS configuration is still not satisfying. But the main cause and source of problems (also the ones of this bug) is the VERY OLD system. So, I leave this bug open with stomach pains :-)

However, thanks, Jan, for digging so deep in this issue.
(0005888)
jandd   
2020-06-27 12:17   
email, webmail and community get a grade A (ignoring trust issues) now. https has been tested with the ssllabs test, smtp and imap have been tested using https://github.com/drwetter/testssl.sh


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1162 [Main CAcert Website] source code tweak have not tried 2013-04-17 08:15 2020-05-22 11:33
Reporter: Uli60 Platform:  
Assigned To: INOPIAE OS:  
Priority: high OS Version:  
Status: fix available Product Version: 2013 Q2  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Reviewed by:
Test Instructions:
Summary: calculate (the passwords) hash in php instead of in mysql -> \\
Description: subtitle: Increase in password problems after production environment upgrade (2013-04-03)

Support and Critical team received reports via several channels (email, irc) that people with special chars in their passwords had problems logging on and recovering their passwords

Question to critical team about current state of "magic quotes" setting: after migration it is all OFF
magic quotes setting before migration was ON

The "magic quotes" feature has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0

The support of "magic quotes" probably also relates to other than password storage functions in the webdb code
I remember a problem we had back in 2009 with multiplied backslashes in comments fields. PG did some magic on the production system and fixed this problem (this was before the software assessment team started working)

global task: mimic the "magic quotes" function in all php code transferring data to and from the mysql database
Tags:
Steps To Reproduce:
Additional Information:
Attached Files:
Notes
(0003905)
INOPIAE   
2013-04-22 20:35   
some hints taken from ticket s20130415.71
38 characters
upper and lower case, numbers and these special characters <>:+-?@$&\#
did not work

25 characters
upper and lower case, numbers and these special characters :$/{[),
did work
(0003908)
INOPIAE   
2013-04-23 20:17   
some hints from the next ticket s20130422.77
@ seems to make problems
(0003913)
INOPIAE   
2013-04-23 20:56   
pushed the fix with the exchange from mysql_escape_string to mysql_real_escape_string
https://github.com/INOPIAE/CAcert/commit/f0318d79dbc69e444fee4c085cdb3ee152318e1c
(0004047)
BenBE   
2013-06-11 21:10   
On Testserver
(0004375)
Eva   
2013-10-08 22:13   
(Last edited: 2013-10-08 22:14)
Changed Password to
a1<>:+-?@$&\#
and to
""1234567890123sflkjasf$/{[),äöüµ@€ßÆïЖÇѢĕ§;:|° ^~‘`´\/
and to
যেমন কিছু我的名字是 اسمي如東西таких как нечто
(bengali, easy chinese, space, arabic, classic chinese, russian)

Both were accepted and did not produce problems at the login afterwards.

Then I set the password as Admin again to
1234567890123sflkjasf$/{[),äöüµ@€ßÆïЖÇѢĕ§;:|° ^~‘`´\/

I could login without problems afterwards.

[However when I tried to reset my password to something quite easy I got an error because it was too short, but neither in the error message nor in the interface for resetting passwords I was informed how long a password has to be. (As SE I could set such a short PW.)]

=> ok

(0004399)
JensK   
2013-10-20 13:44   
(Last edited: 2013-10-20 13:46)
1. Changed password (as user) to:
a1<>:+-?@$&\#
""1234567890123sflkjasf$/{[),äöüµ@€ßÆïЖÇѢĕ§;:|° ^~‘`´\/
যেমন কিছু我的名字是 اسمي如東西таких как нечто
GP10xwzI5i

Login worked in all cases => OK

2. Set another user's password (as admin) to the same passwords as above

Login worked in all cases => OK

(0004456)
NEOatNHNG   
2013-11-19 15:19   
The proposed fix only replaces mysql_escape_string() by mysql_real_escape_string(). It does nothing to calculate the password hash in PHP instead of MySQL

=> Rejected
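As an added example (Python rather than the site's PHP, and not CAcert code), this shows the approach NEOatNHNG asks for: hash the password in application code and hand only the hash to the database through a parameterized query, so escaping of special characters in the password never comes into play and the magic-quotes setting becomes irrelevant. The test passwords are the ones the testers on this issue used plus a constructed one with SQL metacharacters; the schema and e-mail addresses are made up.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 100_000  # PBKDF2 work factor; tune to the server's budget

# Passwords the testers on this issue reported (special chars, backslash,
# non-Latin scripts) plus a constructed one with SQL metacharacters. None of
# them is ever placed in SQL text; only the hex-encoded hash is stored.
TEST_PASSWORDS = [
    "a1<>:+-?@$&\\#",
    "1234567890123sflkjasf$/{[),äöüµ@€ßÆïЖÇѢĕ§;:|° ^~‘`´\\/",
    "যেমন কিছু我的名字是 اسمي如東西таких как нечто",
    "O'Brien\\--; DROP TABLE users;",
]


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 computed in the application; returns 'pbkdf2$iter$salt$hash'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2${}${}${}".format(ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and work factor; constant-time comparison."""
    _, iters, salt_hex, hash_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)


def open_db():
    """In-memory stand-in for the users table (constructed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, password TEXT NOT NULL)")
    return conn


def create_user(conn, email, password):
    # Bound parameters: the driver transports the values, so no escaping is done in code.
    conn.execute("INSERT INTO users (email, password) VALUES (?, ?)",
                 (email, hash_password(password)))


def login(conn, email, password):
    row = conn.execute("SELECT password FROM users WHERE email = ?", (email,)).fetchone()
    return row is not None and verify_password(password, row[0])


def run_checks():
    """Create one user per test password; return (successful logins, wrong-password login)."""
    conn = open_db()
    for i, pw in enumerate(TEST_PASSWORDS):
        create_user(conn, "user{}@example.test".format(i), pw)
    ok = sum(login(conn, "user{}@example.test".format(i), pw)
             for i, pw in enumerate(TEST_PASSWORDS))
    wrong = login(conn, "user0@example.test", TEST_PASSWORDS[0] + "x")
    return ok, wrong


if __name__ == "__main__":
    print(run_checks())
```

The contrast with hashing inside MySQL is that a `SELECT ... WHERE password = PASSWORD('...')` query has to carry the raw password through SQL text, which is where backslashes, quotes and `@` became a problem once magic quotes were gone; with the hash computed in the application, the query only ever sees the salt and digest in hex.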
(0005491)
GuKKDevel   
2015-12-11 10:08   
(Last edited: 2015-12-11 14:58)
Tried to solve the problem with:

https://github.com/CAcertOrg/cacert-devel/commit/2cb06760223218ca4b2a0482225d6fbfa77a63bb

and

https://github.com/CAcertOrg/cacert-devel/commit/a7eaa6d8e14ba7152e3ed3d200b30ad1eed68610

But didn't test, because I don't have a Testsystem so far.



View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
610 [CATS.cacert.org] User Interface feature always 2008-09-13 04:24 2020-05-22 11:33
Reporter: jandd Platform:  
Assigned To: OS:  
Priority: normal OS Version:  
Status: needs work Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Summary: use utf-8 as encoding
Description: Use utf-8 as encoding for all user visible strings to open the possibility to translate to non latin languages.
Tags:
Steps To Reproduce:
Additional Information: Having unix style NL-only line endings would be nice too (saves space and the production system is using Linux anyway).
Attached Files:
Notes
(0001208)
bigon   
2008-09-24 08:31   
Yeah using utf8 everywhere would be nice. Translingo is using utf8 as encoding, which could cause some issues when saving strings with non-ascii chars
(0001210)
jandd   
2008-09-25 19:56   
Using UTF-8 could cause trouble with legacy data in the database. So implementing it in the front end code is not enough. A database conversion script must be implemented too. Maybe a dump and restore with a recode in between will work ... needs testing though.


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
755 [CATS.cacert.org] Content (Questions and Answers) major always 2009-07-13 20:23 2020-05-22 11:33
Reporter: duff Platform:  
Assigned To: Ted OS:  
Priority: normal OS Version:  
Status: needs work Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Summary: 'back'-button shows solution of test
Description: After failing the cats once and trying it again, you can view the results of the new test when you use the back button of your browser to get back to the results page of the previous test. Instead of showing the old results, the page content is updated with the new questions.

steps to reproduce: start new test, answer all questions (i.e. randomly) and evaluate. then start a new test and use the back button (open it in a new tab) of the browser to view the results.
Tags:
Steps To Reproduce:
Additional Information:
Attached Files: cat-cacert_bug.png (36,856 bytes) 2012-12-31 01:46
http://bugs.cacert.org/file_download.php?file_id=308&type=bug
Notes
(0001462)
octo   
2009-07-26 14:32   
When pressing the “Back” button to get back to the results page, I was asked if I wanted to re-send the POST data. I accepted without thinking much and got presented a results page with 100% correct answers. The system (the main page, too) now shows two tries, the second of which with perfect scores.

I didn't try to reproduce for obvious reasons, but I think the required steps to be:
* Take test, submit
* Wait for results page
* Follow an arbitrary link
* Press “Back” button
* Accept to re-send POST data

(Sorry should the formatting screw up, there is no preview option..)
(0001910)
Uli60   
2011-04-06 09:09   
(Last edited: 2011-04-06 09:10)
jcurl from 0000919
While I passed my first test with 88%, I was trying to figure out if there was a way to print the results (the comments given, even if correct) are useful (so I further clicked on some other pages). To get back to the results page, I jumped back some pages (sorry, I don't recall to what exact URL).
 
What happened, the page was empty (i.e. no questions) and told me I had reached 100%.

This is now recorded as having done the tests twice, whereby I've only done it once. Results confirmed by logging into secure.cacert.org and also cats.cacert.org, whereby I see the system believes I really did two tests.

(0002681)
baarn   
2011-11-08 19:43   
Confirming this.
Did the test once and failed, did it again and succeeded. The other three results are from browsing backwards and forward in the browser. As you can see one test "failed" horribly, but the other two succeeded with 100%

#-- first two are actual tests
pos  date                 number of questions  correct
1    2011-11-08 19:08:01  25                   72 %
2    2011-11-08 19:28:34  25                   92 %
#-- below here are fake tests
3    2011-11-08 19:29:30  25                   100 %
4    2011-11-08 19:29:50  25                   32 %
5    2011-11-08 19:29:57  25                   100 %
(0003583)
AlainV   
2012-12-31 01:54   
(Last edited: 2012-12-31 01:56)
Confirming how to become an insurer in only 2mn 39":
please see attachment: cat-cacert_bug.png (36,856 bytes) 2012-12-31 01:46
Test 100% granted: only click back, back, back, back... just after completing a previous test.
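Added example (Python, not CATS code) of the usual mitigation for this class of bug: each test attempt gets a single-use token, grading happens once per token, a re-sent POST returns the already recorded result instead of creating a new 100% entry, the answer set must match the issued questions so an empty re-submission cannot be graded, and the POST is answered with a redirect to a GET URL so the browser's Back button has nothing to re-send. The question bank, answers and user name are constructed.

```python
import secrets


class TestService:
    """Server-side state for CATS-style tests: one token per attempt, graded exactly once."""

    def __init__(self):
        self.attempts = {}   # attempt token -> {"user", "questions", "state", "score"}
        self.results = []    # what the results page and the account history read

    def start_test(self, user, questions):
        """Issue a fresh attempt for {question_id: correct_answer}; returns its token."""
        if not questions:
            raise ValueError("a test needs at least one question")
        attempt_id = secrets.token_urlsafe(16)
        self.attempts[attempt_id] = {"user": user, "questions": questions,
                                     "state": "open", "score": None}
        return attempt_id

    def submit(self, attempt_id, answers):
        """Grade the attempt once; a replayed POST gets the stored result back, not a new row."""
        attempt = self.attempts.get(attempt_id)
        if attempt is None:
            return {"status": "rejected", "reason": "unknown attempt token"}
        if attempt["state"] == "graded":
            return {"status": "replayed", "score": attempt["score"]}
        questions = attempt["questions"]
        # An empty or partial answer set is not "0 of 0 correct"; it is not gradable at all.
        if set(answers) != set(questions):
            return {"status": "rejected", "reason": "answers do not match the issued questions"}
        correct = sum(1 for qid, given in answers.items() if questions[qid] == given)
        score = round(100 * correct / len(questions))
        attempt["state"], attempt["score"] = "graded", score
        self.results.append({"user": attempt["user"], "attempt": attempt_id, "score": score})
        return {"status": "graded", "score": score}

    @staticmethod
    def redirect_after_post(attempt_id):
        """Post/Redirect/Get: answer the POST with a redirect so Back lands on a GET page."""
        return {"status_code": 303, "location": "/results?attempt=" + attempt_id}


def simulate_back_button():
    """Take one test, then re-send the identical POST three times (Back + 'resend data').

    Returns (first response, number of persisted results, statuses of the replays).
    """
    svc = TestService()
    questions = {"q1": "a", "q2": "b", "q3": "c", "q4": "d"}        # constructed bank
    attempt_id = svc.start_test("alice", questions)
    answers = {"q1": "a", "q2": "b", "q3": "x", "q4": "d"}          # 3 of 4 correct
    first = svc.submit(attempt_id, answers)
    replays = [svc.submit(attempt_id, answers)["status"] for _ in range(3)]
    return first, len(svc.results), replays


if __name__ == "__main__":
    print(simulate_back_button())
```

In the reports above the replayed page was empty and still scored 100%; in this design that submission is rejected because its answer set does not cover the issued questions, and even a faithful replay of the original answers only returns the original score.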



View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
611 [CATS.cacert.org] User Interface feature always 2008-09-13 04:28 2020-05-22 11:32
Reporter: jandd Platform:  
Assigned To: OS:  
Priority: low OS Version:  
Status: needs work Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Summary: use gettext for translations
Description: instead of using dozens of constants in lang/*.php it would be a good idea to use the proven GNU gettext interface for translation.
Tags:
Steps To Reproduce:
Additional Information:
Attached Files:
Notes
(0001164)
jandd   
2008-09-13 04:32   
This would require work for

- putting marked text snippets into the existing php code
- automatic extraction of .pot files (i.e. via make + xgettext)
- merge of semi-complete .po files (i.e. via make + msgmerge)
- compilation of .mo files from .po files
- proper initialization of the gettext system at runtime

(0005520)
jandd   
2016-05-03 18:23   
created cats project in pootle http://translations.cacert.org/projects/cats/


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1431 [Main CAcert Website] GPG/PGP crash always 2018-02-19 09:10 2020-05-22 11:32
Reporter: wytze Platform: Main CAcert Website  
Assigned To: GuKKDevel OS: N/A  
Priority: urgent OS Version: stable  
Status: needs review & testing Product Version: 2017 Q4  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version: 2017 Q4  
Reviewed by:
Test Instructions:
Summary: GPG/PGP signing request is not properly checked for images
Description: A GPG/PGP signing request submitted to CAcert should not contain an image (as stated on the submission page). However, the code which validates and massages the signing request does not properly check for this. As a result, it is possible to (accidentally or deliberately) create a very large signing request, by including a large image. Such requests will cause the communication between the web frontend and the signer machine to fail, and *all* certificate signing is blocked from that moment on.
Tags: GPG
Steps To Reproduce: I have not attempted to reproduce the problem, but there is historic evidence present on the production servers. Look for gpg requests 23644, 23645 or 23656 (they are identical). The first one caused a blockade of all CAcert signing from Friday 16.02.2018 23:01 until Sunday 18.02.2018 16:00, when the problem was recognised and "remedied" by moving the signing request to the side. This particular signing request contained an image of 955207 bytes.
Additional Information: Due to the nature of this problem, any CAcert user with sufficient points to submit a GPG signing request, is able to block all signing operations. Therefore this bug will be set to private until a solution can be implemented.

In my view there are two problems to be solved here:
1. GPG signing requests with images should be rejected or filtered (probably not very difficult).
2. The communication process between web frontend and signer should be resistant against huge requests: either handle them correctly, or reject them beforehand (probably difficult).
If issue #1 is solved, the priority for solving issue #2 can be lowered.
System Description Production version of the CAcert website
Attached Files:
Notes
(0005577)
GuKKDevel   
2018-03-05 14:32   
https://github.com/CAcertOrg/cacert-devel/pull/4/commits/67062a789285c7096e976a7ae7543a569bfc8678
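An added example, not the CAcert code or the linked pull request: an inspection of a submitted key block that rejects oversized requests before parsing and refuses any key containing a User Attribute packet (RFC 4880 packet tag 17, where photo IDs live), which is problem 1 from the description. The sample key blocks are constructed packet sequences, not real keys, and the size limit is an assumed value.

```python
import base64

USER_ATTRIBUTE = 17  # RFC 4880 packet tag for User Attribute (photo ID) packets


def dearmor(text):
    """Strip RFC 4880 ASCII armor and return the binary packet stream."""
    lines = text.strip().splitlines()
    if not lines or not lines[0].startswith("-----BEGIN PGP"):
        raise ValueError("not an armored block")
    body, in_body = [], False
    for line in lines[1:]:
        if line.startswith("-----END PGP"):
            break
        if not in_body:                      # armor headers run until the first blank line
            in_body = line.strip() == ""
        elif not line.startswith("="):       # a leading '=' marks the CRC24 line
            body.append(line.strip())
    return base64.b64decode("".join(body), validate=True)


def iter_packets(data):
    """Yield (tag, body_length) per packet; partial and indeterminate lengths are rejected."""
    pos, n = 0, len(data)
    while pos < n:
        first = data[pos]
        if not first & 0x80 or pos + 1 >= n:
            raise ValueError("bad packet header at offset %d" % pos)
        if first & 0x40:                                  # new-format header
            tag, o1 = first & 0x3F, data[pos + 1]
            if o1 < 192:
                length, hdr = o1, 2
            elif o1 < 224 and pos + 2 < n:
                length, hdr = ((o1 - 192) << 8) + data[pos + 2] + 192, 3
            elif o1 == 255 and pos + 6 <= n:
                length, hdr = int.from_bytes(data[pos + 2:pos + 6], "big"), 6
            else:
                raise ValueError("unsupported or truncated length at offset %d" % pos)
        else:                                             # old-format header
            tag, ltype = (first >> 2) & 0x0F, first & 0x03
            if ltype == 3 or pos + 1 + (1, 2, 4)[ltype] > n:
                raise ValueError("unsupported or truncated length at offset %d" % pos)
            size = (1, 2, 4)[ltype]
            length, hdr = int.from_bytes(data[pos + 1:pos + 1 + size], "big"), 1 + size
        if pos + hdr + length > n:
            raise ValueError("truncated packet body at offset %d" % pos)
        yield tag, length
        pos += hdr + length


def check_signing_request(armored, max_bytes=65536):
    """Return (accepted, reason, [(tag, length), ...]) for a submitted key block.

    max_bytes is an assumed limit; the real value belongs in the site's configuration.
    """
    try:
        data = dearmor(armored)              # binascii.Error is a ValueError subclass
        if len(data) > max_bytes:
            return False, "request of %d bytes exceeds limit of %d" % (len(data), max_bytes), []
        packets = list(iter_packets(data))
    except ValueError as exc:
        return False, "malformed request: %s" % exc, []
    for tag, length in packets:
        if tag == USER_ATTRIBUTE:
            return False, "user attribute packet (%d bytes) not allowed" % length, packets
    return True, "ok", packets


# --- constructed samples (not real keys): a plain key and one carrying a photo ID ---
def _packet(tag, body, old_format=False):
    n = len(body)
    if old_format:        # e.g. 0x99: old-format public-key packet with a 2-octet length
        return bytes([0x80 | (tag << 2) | 1]) + n.to_bytes(2, "big") + body
    if n < 192:
        return bytes([0xC0 | tag, n]) + body
    return bytes([0xC0 | tag, 192 + ((n - 192) >> 8), (n - 192) & 0xFF]) + body  # n < 8384


def _armor(data):
    b64 = base64.b64encode(data).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed sample\n\n"
            + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + "\n-----END PGP PUBLIC KEY BLOCK-----\n")


PLAIN_KEY = _armor(_packet(6, b"\x04" + b"\x00" * 20, old_format=True)
                   + _packet(13, b"Jane Doe <jane@example.test>") + _packet(2, b"\x00" * 8))
PHOTO_KEY = _armor(_packet(6, b"\x04" + b"\x00" * 20, old_format=True)
                   + _packet(13, b"Jane Doe <jane@example.test>")
                   + _packet(17, b"\xff" * 300) + _packet(2, b"\x00" * 8))
```

Checking the size first means a 955207-byte request like the one in the report is turned away before any parsing, and walking the packet headers (without interpreting packet bodies) is enough to spot a photo ID; a request that fails either check never reaches the signer.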


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1441 [test.cacert.org] test.cacert.org block always 2018-06-19 11:28 2020-05-22 11:32
Reporter: GuKKDevel Platform: Test CAcert Website  
Assigned To: wytze OS: N/A  
Priority: immediate OS Version: Test  
Status: solved? Product Version:  
Product Build: Resolution: fixed  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Summary: umlauts are not stored/displayed correctly in Testsystem
Description: Enter a name with an umlaut into https://test.cacert.org/index.php?id=1.

After verifying, use the test-mgr login and view the account's data.

The umlaut has disappeared and some other chars are shown.

Therefore, if transferred to the original, no CAP verification is possible and gpg signing is not possible.
Tags: browser, certificates, diacritic, legal name, names, organization name, PGP, server certificates
Steps To Reproduce: Enter a name with an umlaut into https://test.cacert.org/index.php?id=1.

After verifying, use the test-mgr login and view the account's data.

The umlaut has disappeared and some other chars are shown.
Additional Information:
System Description Test version of the CAcert website
Attached Files:
Notes
(0005601)
egal   
2018-06-19 18:32   
moved issue to project "test.cacert.org" as it is not infrastructure-related
(0005602)
egal   
2018-06-19 19:29   
This issue happens in productive system, too:

Created a user with umlauts to my own domain, did NOT click on the confirmation link, but checked this user via support console: Umlauts are "broken".
(0005606)
wytze   
2018-06-22 13:04   
A bug was found in the PHP5 configuration of the CAcert webdb server as
described in https://bugs.cacert.org/view.php?id=1441: "umlauts are not
stored/displayed correctly". This bug actually affects all handling of
non-latin characters by the CAcert application code, and was introduced
by the upgrade of the CAcert chroot application environment from Debian
Wheezy to Debian Jessie on April 16, 2018.

Starting with PHP 5.6, PHP's default character set is set to UTF-8.
This is not what the current CAcert application code expects, so we
need to overrule it with the earlier default "iso-8859-1".
Note that Debian Wheezy contained PHP 5.4.45, while Debian Jessie
contains PHP 5.6.33.

Affected files:
   /home/cacert/etc/php5/mods-available/cacert.ini
   /etc/php5/mods-available/cacert.ini
   /root/chroot/mkchrootenv (also in SVN)

The same changes have been applied to the test.cacert.org and test2.cacert.org
test servers.

Note that new accounts created between April 16, 2018 and June 22, 2018,
may have been affected by this issue. This will be reported as an incident
to support@cacert.org for arbitration and possible further investigation.

See also https://lists.cacert.org/wws/arc/cacert-systemlog/2018-06/msg00002.html


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1443 [Infrastructure] documentation feature N/A 2018-10-26 20:59 2020-05-22 11:32
Reporter: jandd Platform: Default  
Assigned To: jandd OS: any  
Priority: normal OS Version: any  
Status: needs work Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Summary: write a specification of what the current code in https://git.cacert.org/gitweb/?p=cacert.git does
Description: There is no proper documentation of the existing code base. This documentation is needed to:

- write a proper specification for a potential rewrite
- implement unit tests
- understand the code base which is especially important for anybody wanting to help
Tags:
Steps To Reproduce:
Additional Information: Documentation should be in a version controlled repository. Human readable (HTML) exports should be generated and published automatically. (See infradocs.cacert.org/jenkins.cacert.org for an example how to do this).
System Description Default profile.
Attached Files:
Notes
(0005616)
jandd   
2018-10-26 22:30   
I started a new repository at https://git.cacert.org/gitweb/?p=cacert-codedocs.git and set up a Jenkins job https://jenkins.cacert.org/job/cacert-codedocs/ that is triggered by pushes to the master branch of that repository. Pushes to this repository via the git+ssh protocol are allowed to members of the git-doc group on git.cacert.org.
(0005617)
jandd   
2018-10-26 23:53   
I set up codedocs.cacert.org publishing on Jenkins and the Apache VirtualHost configuration on web.cacert.org and webstatic.cacert.org. https://infradocs.cacert.org/ has been updated. I requested a DNS CNAME for codedocs.cacert.org to make the generated documentation available at https://codedocs.cacert.org/. I'll update the Jenkins job description when the CNAME has been set up.
(0005620)
jandd   
2018-10-29 21:27   
The code documentation repository is now mirrored to https://github.com/CAcertOrg/cacert-codedocs to encourage contributions.
(0005646)
GuKKDevel   
2018-11-03 14:09   
I'll try to get the whole www-directory documented.
(0005652)
GuKKDevel   
2018-11-04 13:13   
Is there a way to build a cross-reference-list?
So one can see which file uses which file and is used by which file?
(0005653)
jandd   
2018-11-04 18:24   
It is possible to use the .. index: macros for cross references but I think it would be better to have something more code centric. I'll see if I find some free time to implement something like the IP address list, ssh key list or certificate list build for infradocs.


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1438 [Main CAcert Website] certificate issuing minor always 2018-04-17 15:24 2020-05-22 11:32
Reporter: wytze Platform: Default  
Assigned To: GuKKDevel OS: any  
Priority: normal OS Version: any  
Status: needs review & testing Product Version: 2017 Q4  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version: 2017 Q4  
Reviewed by:
Test Instructions: See Steps To Reproduce
Summary: CRLs published by CAcert do not contain the field "CRL number"
Description: EBS EDI-Support <EDI-Support@eon.com> reported on April 16, 2018:

the CRL which you are publishing at URL "http://crl.cacert.org/revoke.crl" is missing the field "CRL number".
Therefore some applications might not validate the CRL correctly. Please add this field to the CRL. Thank you.
Tags: certificates
Steps To Reproduce: $ wget http://crl.cacert.org/revoke.crl
$ openssl crl -in revoke.crl -inform der -noout -text -crlnumber | head

Something like this will appear:
crlNumber=<NONE>
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha512WithRSAEncryption
        Issuer: /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
        Last Update: Apr 17 14:28:54 2018 GMT
        Next Update: Apr 24 14:28:54 2018 GMT
Revoked Certificates:
    Serial Number: 11
        Revocation Date: Apr 1 14:25:08 2003 GMT

The crlNumber=<NONE> shows the problem.
Additional Information: According to RFC 5280 (May 2008), section 5.2:
   Conforming CRL issuers are REQUIRED to include the authority key
   identifier (Section 5.2.1) and the CRL number (Section 5.2.3)
   extensions in all CRLs issued.

The same requirement was already present in the predecessor of this RFC, namely RFC 3280 from April 2002, so it is somewhat surprising that this was never implemented in the CAcert signer.

This can be fixed by adding the crlnumber field to the openssl profile used on the CAcert signer for generating CRLs. The openssl software used for this is capable of maintaining a serial number per CRL in a separate text file, see the documentation for 'openssl ca'.
System Description Default profile.
Attached Files: diff-openssl (588 bytes) 2018-05-29 10:02
http://bugs.cacert.org/file_download.php?file_id=423&type=bug
diff-class3 (586 bytes) 2018-05-29 10:02
http://bugs.cacert.org/file_download.php?file_id=424&type=bug
revoke.crl (332,445 bytes) 2018-06-06 09:29
http://bugs.cacert.org/file_download.php?file_id=425&type=bug
class3-revoke.crl (331,946 bytes) 2018-06-06 09:29
http://bugs.cacert.org/file_download.php?file_id=426&type=bug
testresult (958 bytes) 2018-06-06 10:51
http://bugs.cacert.org/file_download.php?file_id=427&type=bug
revoke-2.crl (332,445 bytes) 2018-06-07 21:03
http://bugs.cacert.org/file_download.php?file_id=428&type=bug
class3-revoke-2.crl (331,946 bytes) 2018-06-07 21:03
http://bugs.cacert.org/file_download.php?file_id=429&type=bug
testresult-2 (1,820 bytes) 2018-06-07 21:14
http://bugs.cacert.org/file_download.php?file_id=430&type=bug
diff-crlnumber-CA (132 bytes) 2018-06-13 22:10
http://bugs.cacert.org/file_download.php?file_id=431&type=bug
diff-crlnumber-class3 (132 bytes) 2018-06-13 22:10
http://bugs.cacert.org/file_download.php?file_id=432&type=bug
diff_Old_New (3,820 bytes) 2018-11-10 12:40
http://bugs.cacert.org/file_download.php?file_id=447&type=bug
diff_Old-Prod_Old-Test (2,686 bytes) 2018-11-10 12:40
http://bugs.cacert.org/file_download.php?file_id=448&type=bug
diff_New-Prod_New-Test (2,894 bytes) 2018-11-10 12:40
http://bugs.cacert.org/file_download.php?file_id=449&type=bug
Notes
(0005584)
wytze   
2018-04-17 15:36   
This can be tested with the signer installed on test.cacert.org.
(0005591)
GuKKDevel   
2018-05-29 09:57   
as the revoke-request only uses one configfile for each rootcert for creating the CRL, only those two have to be changed.
 
(0005592)
GuKKDevel   
2018-05-29 10:02   
Also, in each cert directory (/etc/ssl/CA and /etc/ssl/class3) a file named crlnumber must be created containing a four-digit number (echo 1000 > crlnumber)
(0005593)
egal   
2018-06-06 09:29   
Expected test is not possible as test.cacert.org will redirect the CRL-download to Live-System.

Test is only possible by accessing the test-server directly to get the CRLs for our test-environment.

As this is not possible for testers, I added the created CRLs for today (2018-06-06) to this bug, so a tester may check the existence of the missing CRLNumber.

In the next days I'll add another CRL set so a tester can run their tests.
(0005596)
GuKKDevel   
2018-06-06 10:51   
tested: revoke.crl -> crlNumber=1249 (hex) -> X509v3 CRL Number: 4681 (dec)
tested: class3-revoke.crl -> crlNumber=010008 (hex) -> X509v3 CRL Number: 65544 (dec)

looks ok to me
(0005598)
egal   
2018-06-07 21:03   
Second set of CRLs as of today (2018-06-07).
(0005599)
GuKKDevel   
2018-06-07 21:14   
works for these CRLs also
(0005600)
Ted   
2018-06-13 20:44   
I just did some review of the proposed changes.

The modification of the config files is ok, according to OpenSSL documentation, as well as according to tests I did in another environment.

But for installation, a file containing the initial CRL number (probably 01 or 0100 or something similar) must be installed together with the change in the config file, otherwise the config option is ignored.

==> The diffs should include the "crlnumber" file with a convenient initial number

==> The current review status from me is FAILED
(0005655)
Ted   
2018-11-05 21:53   
I modified the openssl config files for all client certificates, so the test server is the CRL Distribution Point.

Sadly, for server certificates the CRL Distribution Point is hardcoded in server.pl, and I don't want to change that without urgent need.
(0005661)
GuKKDevel   
2018-11-10 12:40   
As stated in https://bugs.cacert.org/view.php?id=1438#c5591, while revoking only two of the configuration files are used (openssl-client.cnf and class3-client.cnf).
Therefore for this issue only those two had to be changed. Also the necessary file crlnumber had to be added in the corresponding subdirectories.

attached diff: diff_Old-New

control if production and test are congruent:
diff_Old-Prod_Old-Test and diff_New-Prod_New-Test
(0005664)
Ted   
2018-11-12 19:43   
Hmm, the code in server.pl does not restrict revocations on those two specific configurations, but client.pl does only request those two.

I'm tending towards making all configurations fit to be used for revocation, just to be on the safe side, but I'm not really decided yet...
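The two pieces of the fix discussed in this thread (the crlnumber option in the openssl profile and the counter file it reads, without which the option cannot work), shown on a throwaway CA as an added example. This is not the CAcert signer configuration; the CA name, directory layout and starting value 1000 are assumptions, and the check at the end is the same `openssl crl -crlnumber` command the report uses.

```shell
#!/bin/sh
# Added example, not part of the bug report or the CAcert signer code: build a
# throwaway CA with `openssl ca` in a temporary directory, once WITHOUT and
# once WITH the `crlnumber` setting, and check the resulting DER CRLs with the
# same `openssl crl -crlnumber` command the bug report uses.
set -eu

# make_ca DIR with|without
# Create a self-signed CA in DIR and issue one (empty) CRL from it.
make_ca() {
  dir=$1
  mkdir -p "$dir/newcerts"
  : > "$dir/index.txt"          # empty certificate database: no revocations yet
  echo 1000 > "$dir/serial"
  # The counter file must exist before `openssl ca -gencrl` runs. Its content
  # is read as hex (so 1000 is CRL number 0x1000) and incremented after use.
  echo 1000 > "$dir/crlnumber"
  crlopt=""
  if [ "$2" = "with" ]; then
    crlopt='crlnumber = $dir/crlnumber'     # literal $dir: resolved by openssl
  fi
  cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = example_ca

[ example_ca ]
dir              = $dir
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
certificate      = \$dir/ca.pem
private_key      = \$dir/ca.key
default_md       = sha256
default_crl_days = 7
$crlopt

[ req ]
distinguished_name = req_dn
prompt             = no

[ req_dn ]
CN = Example CRL Test CA
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$dir/ca.cnf" \
      -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  # `openssl ca -gencrl` writes PEM; convert to DER like the published revoke.crl
  openssl ca -batch -config "$dir/ca.cnf" -gencrl -out "$dir/revoke.pem" 2>/dev/null
  openssl crl -in "$dir/revoke.pem" -outform der -out "$dir/revoke.crl"
}

# crl_number_of FILE: print the CRL number (hex) of a DER CRL, or "<NONE>"
crl_number_of() {
  openssl crl -in "$1" -inform der -noout -crlnumber | sed 's/^crlNumber=//'
}

# Stand-alone demo: the option alone decides whether the extension is present.
work=$(mktemp -d)
make_ca "$work/without" without
make_ca "$work/with" with
echo "without crlnumber option: $(crl_number_of "$work/without/revoke.crl")"
echo "with crlnumber option:    $(crl_number_of "$work/with/revoke.crl")"
echo "counter file now holds:   $(cat "$work/with/crlnumber")"
rm -rf "$work"
```

The counter file is rewritten with the next value after every CRL, so it has to be writable by the signer process and must be preserved across installations, otherwise a later CRL could carry a number lower than an earlier one.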


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1445 [Main CAcert Website] General minor always 2018-11-04 04:41 2020-05-22 11:32
Reporter: pmoulding@cacert.org Platform: Test CAcert Website  
Assigned To: OS: N/A  
Priority: normal OS Version: Test  
Status: new Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Reviewed by:
Test Instructions:
Summary: The code has cacert.org hardcoded. Replace with settings file.
Description: There are 2846 instances of cacert.org in the code. Some are comments and some are constants that should be moved to a configuration file.
Some are straight text and should be something like the following in a .ini file.
domain_name = cacert.org
Some are capitalised and should be something like the following in a .ini file.
domain_name_display = CAcert.org
Some are email addresses and could be something like the following in a .ini file.
lists_email_address = cacert-tverify@lists{domain_name}

In the config file, domain name would be first then substituted into the following settings.
Tags:
Steps To Reproduce: Perform a global scan for cacert.org. You will see lines like the following.
$body .= "CAcert.org user\n\n";
Additional Information: This could be added to some common code used for other things including an autoloader. I would not hold up the mysql or other issues for this change.
System Description Test version of the CAcert website
Attached Files:
Notes
(0005651)
jandd   
2018-11-04 09:08   
this is not an infrastructure (system administration) issue. It does not belong into this bug tracker project but into the main website project.


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1442 [Main CAcert Website] misc minor N/A 2018-10-20 20:57 2020-05-22 11:31
Reporter: Ted Platform: Default  
Assigned To: GuKKDevel OS: any  
Priority: high OS Version: any  
Status: needs review & testing Product Version:  
Product Build: Resolution: duplicate  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Reviewed by:
Test Instructions:
Summary: Rewrite code to use ext/mysqli API (or PDO_MySQL) instead of ext/mysql
Description: As reported by Wytze in https://wiki.cacert.org/AGM/TeamReports/2018 :

[...] An upgrade to Debian Stable is not possible with the current PHP code base, due to its dependency on an obsolete mySQL database interface layer, which is not supported anymore in the PHP version bundled with Debian Stretch, the current Debian Stable.

Without the ability to upgrade the application platform to a well-maintained version of Debian, the Critical System Administrator Team will be unable to take responsibility in the near future for the safe and correct operation of CAcert's main server, the web application and database server.
Tags:
Steps To Reproduce:
Additional Information: Currently ext/mysql is used. A look at https://secure.php.net/manual/en/mysqlinfo.api.choosing.php seems to imply that ext/mysqli is more closely related to ext/mysql than the alternative PDO_MySQL.

If you think that migrating to PDO_MySQL is less work, you're welcome to do it, I've no strong feelings about this.
System Description Default profile.
Attached Files: origin_release (88,558 bytes) 2018-10-26 17:56
http://bugs.cacert.org/file_download.php?file_id=433&type=bug
origin_bug-1260 (71,163 bytes) 2018-10-26 17:56
http://bugs.cacert.org/file_download.php?file_id=434&type=bug
diff-release-bug1442 (361,098 bytes) 2018-10-30 22:19
http://bugs.cacert.org/file_download.php?file_id=435&type=bug
diff-bug-1442-newTarballs (9,392 bytes) 2018-10-31 06:09
http://bugs.cacert.org/file_download.php?file_id=436&type=bug
Notes
(0005615)
GuKKDevel   
2018-10-26 17:56   
I did a text-check for "mysql_" on the CAcert-devel-directory with release checked out and a text-check for "mysqli_" with bug-1260 checked out.
(0005618)
Ted   
2018-10-28 21:41   
We re-open this and use this case to handle only the mysql migration part of 0001260
(0005624)
GuKKDevel   
2018-10-30 22:19   
I did some coding. All mysql_ statements were replaced by the corresponding mysqli_ statements.
(0005626)
GuKKDevel   
2018-10-31 06:09   
adding files from new tarballs
(0005685)
Ted   
2018-11-18 14:45   
GuKK, I noticed two typos:
- includes/notary.inc.php line 1202: mmysqli_query should probably start with only one "m"
- scripts/58at-ate-wien-mail.php.txt line 117: dto.
(0005689)
Ted   
2018-11-26 22:48   
bug-1442 is merged into the integration branch (resulting in branch test-1442) for testing. Currently test-1442 is installed on both the old and the new test servers (https://test.cacert.org/ and https://test3.cacert.org:14943/)

Note that test3 is not yet completely installed, so it's more for playing around. Test reports from test.cacert.org are welcome!


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1444 [Main CAcert Website] source code major always 2018-10-29 20:18 2020-05-22 11:31
Reporter: bdmc Platform: Default  
Assigned To: bdmc OS: any  
Priority: normal OS Version: any  
Status: needs review & testing Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version: 2017 Q4  
Reviewed by:
Test Instructions:
Summary: Update PHP <? tags appropriately
Description: Go through source code and
1. change <?= to <? echo
2. change <? to <?php
3. change each() to foreach()

Tags:
Steps To Reproduce:
Additional Information: Part of bug-1260
System Description Default profile.
Attached Files:
Notes
(0005621)
bdmc   
2018-10-30 04:59   
(Last edited: 2018-11-02 18:05)
mysql.php seems to be missing from source code for bug-1260. ( should be in includes/mysql.php )
After discussion, I found that this file is "hand-created" on the appropriate server when the code is deployed.

All other required files appear to be present, but they may not be found in a test system because references to them are absolute paths.

(0005622)
bdmc   
2018-10-30 05:00   
There are hard-coded references to "http://cacert.org," which can probably cause trouble in development and test systems.
(0005641)
bdmc   
2018-11-02 18:07   
This code is now available for testing.
(0005642)
bdmc   
2018-11-02 18:09   
I found several thousand ( 2500 - 3000 ) instances of required tag changes. Only one instance of each() in the source code that was derived from "release."
(0005643)
bdmc   
2018-11-02 18:10   
The ending "?>" tag, at the bottom of PHP source files can be removed.
(0005644)
GuKKDevel   
2018-11-02 18:16   
I think you shouldn't remove the "?>" tag at the bottom of the PHP source files.

This could cause one to assume that some source code is missing.
(0005645)
bdmc   
2018-11-02 18:23   
Current "best practice" is to omit that tag, because it prevents anything being put into the HTML that is not intended ( extra new lines, extra spaces, etc. ).

On the other hand, I just noted it as something to consider. I did not make this change.
(0005696)
Ted   
2018-12-03 20:53   
Brian, when trying to merge your changes into the test branch I ran into troubles with the "require_once( "general.php" );" in www/index.php which I still do not understand.

First of all, the path does not look right when compared to the other require_once statements, but even with the path a "not found" error is reported.

Why did you add this line? Other files seem to include require_once("../includes/lib/general.php") or require_once("../includes/mysql.php"), general.php from include seems only to be used by files which are currently not active in the web page...
(0005697)
bdmc   
2018-12-03 21:36   
I'm sorry, Ted. That was added for testing, and I forgot to remove it afterwards. Done now. general.php is in includes and includes/lib.


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1449 [Main CAcert Website] source code feature always 2018-11-11 19:02 2020-05-22 11:31
Reporter: bdmc Platform:  
Assigned To: bdmc OS:  
Priority: high OS Version:  
Status: needs work Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Reviewed by:
Test Instructions:
Summary: Move configuration from code to external file
Description: Extract items that control operation of CAcert web site from source code into a file external to the web site.

As Peter M. suggested, I am creating a file to contain a set of PHP define statements. These defines will allow changes to the operation of the web site.
Tags:
Steps To Reproduce:
Additional Information:
Attached Files:
Notes
(0005667)
bdmc   
2018-11-14 03:40   
Here is a crude implementation of a configuration file. It should be named "config.php" and placed in the directory above "www" in the CAcert web site source tree.

<?php
/*
    LibreSSL - CAcert web application
    Copyright (C) 2004-2018 CAcert Inc.

    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; version 2 of the License.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program; if not, write to the Free Software
    Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/

// Operating mode of this installation: "prod" or "test"
define("PROD_STATE", "prod");

// Database connection parameters; replace the placeholder values per server
define('MCONN_HOST', "127.0.0.1");
define('MCONN_USER', "username");
define('MCONN_PASS', "password");

// Host names used by the web application
define('NORMALHOSTNAME', "www.cacert.org" );
define('SECUREHOSTNAME', "secure.cacert.org" );
define('TVERIFY', "tverify.cacert.org" );

// Address that receives all mail while PROD_STATE is "test"
define('TEST_EMAIL_TO', "brianmccullough@cacert.org");
(0005668)
GuKKDevel   
2018-11-14 14:02   
I don't think, this bug blocks bug 1260
(0005672)
bdmc   
2018-11-14 17:59   
I'm sorry. I don't understand. This bug is a child of bug 1260, and is intended to contribute to its correction.
(0005676)
Ted   
2018-11-15 20:39   
I agree with GuKK that this issue is a nice-to-have.
It is not needed for the migration to the new PHP version; in fact, it is quite independent from it.

Separating code from configuration information is preferred from a theoretical (or call it "aesthetic") point of view, but the code as it is now will not pose any problems on PHP 7, or am I overlooking something?

IMHO your proposal also does not really improve the situation, since it is still implemented as a PHP file, which may be looked on as "code". If I understood Jan correctly, he'd prefer to have a plain text file to hold configuration information, like an *.INI file used on Windows. And this is how I also think about this topic.

So I'd propose to remove the dependency on 0001260, and maybe lower the priority of this issue.
(0005679)
bdmc   
2018-11-15 23:58   
The solution shown here was intended as an interim change that was only part way toward the "correct" solution. It is expected to be replaced with an INI-file solution, but is a way to begin to remove sensitive information from the regular source tree. The config.php file was not expected to be added to the source code stored in the repository.
(0005722)
bdmc   
2019-01-02 06:16   
I have created a VM for myself to allow me to test code, in particular this, and have made progress with a proper Config class. More news to come.


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1450 [Main CAcert Website] source code tweak always 2018-11-11 19:12 2020-05-22 11:31
Reporter: bdmc Platform:  
Assigned To: OS:  
Priority: low OS Version:  
Status: needs work Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Reviewed by:
Test Instructions:
Summary: Modify sendmail function in CAcert to include test functionality
Description: Ensure that the source code for the web site uses only a mail function that is contained within the web site source code.

This mail function will use configuration variables to control whether it is in Test or Production mode, as well as other options.
Tags:
Steps To Reproduce:
Additional Information: This change requires the Configuration File change described in Bug 1449.
Attached Files:
Notes
(0005662)
bdmc   
2018-11-11 20:21   
(Last edited: 2018-11-14 03:43)
At present, the only modification to the sendmail() function is to test for a Production State being either Production or Test. If it is Test, then the destination e-mail address is modified to a pre-determined ( configuration variable ) value.

That modification removes the existing To address from the sendmail() call, and replaces it with an address found in the configuration file.

(0005669)
GuKKDevel   
2018-11-14 14:09   
Did you look up whether (and where) there is a mechanism on the test server to reroute emails to test-mgr?

For testing purposes it is not useful to send all mails to a predefined email address, because in this case only one person can test at a time. Or if sending to a list, all members of that list would get the messages too.
(0005670)
jandd   
2018-11-14 15:09   
test.cacert.org has a postfix configuration that intercepts all outgoing mails and stores them in a single mailbox that is made available to testmgr via dovecot/IMAP.
(0005671)
bdmc   
2018-11-14 17:56   
I am informed that the Test Server has special e-mail configuration that can override this change, so am cancelling it.
(0005674)
Ted   
2018-11-15 20:09   
I agree that this issue is not relevant for bug-1260, and not important for any other issue I'm aware of. There are lots of more important issues open for the "core" developers.

But it may be a nice warmup exercise for a new developer to provide some possible variants of the sendmail function, so people who want to install their own test server have some options if they don't want (or are not able) to configure their mailer as it currently is on the test server.

So, maybe we keep this issue open with a low priority, just in case someone new is looking for a job?


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1432 [Main CAcert Website] source code feature have not tried 2018-03-11 11:19 2020-05-22 11:31
Reporter: GuKKDevel Platform:  
Assigned To: GuKKDevel OS:  
Priority: normal OS Version:  
Status: needs feedback Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Reviewed by:
Test Instructions:
Summary: since September 8th, 2017 CAs must check DNS CAA records
Description: Dear Board,

since September 8th, 2017 CAs must check DNS CAA records. This decision was taken in spring 2017 by the CA/Browser Forum, of which CAcert is a member.

I can't see that this is already implemented in CAcert's signing software, therefore I would like to ask you to take care of it.

.....
BR, Alex.
Tags: browser, certificates, domain, server certificates
Steps To Reproduce:
Additional Information: https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum

German:
https://www.golem.de/news/tls-zertifikate-zertifizierungsstellen-muessen-caa-records-pruefen-1709-129981.html
Attached Files:
Notes
(0005579)
GuKKDevel   
2018-03-19 13:42   
The solution won't work on Windows Server, as
the parameter DNS_CAA needed for the PHP function 'dns_get_record' is not defined on any Windows Server (as of 2018-03-18)
 * https://bugs.php.net/bug.php?id=75909
(0005580)
GuKKDevel   
2018-04-05 14:01   
Mail from Benedict to Etienne:
<snip>
CAcert cannot be recorded as a full CA at the CABF, since it is not
according to WebTrust or ETSI 319 411. The CABF activities therefore only
affect CAcert if they will voluntarily submit to it. Working at CABF is
currently neither useful nor advisable due to the number of resources
available in CAcert.
<snip>
(0005633)
GuKKDevel   
2018-11-01 12:12   
mail-correspondence:
https://lists.cacert.org/wws/arc/cacert-policy/2018-03/msg00000.html
https://lists.cacert.org/wws/arc/cacert-policy/2018-03/msg00001.html
https://lists.cacert.org/wws/arc/cacert-policy/2018-03/msg00002.html
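What "checking CAA records" amounts to on the CA side, as an added example implementing the RFC 8659 issue/issuewild decision in shell; this is not CAcert signer code. It assumes the record set for the name has already been looked up (the climb to parent names and the CNAME handling of RFC 8659 section 3 are outside this function) and arrives on stdin in `dig +short` form; the CA identifier ca.example and the record sets are constructed placeholders.

```shell
#!/bin/sh
# Added example, not CAcert signer code: the issuance decision a CA derives
# from a name's CAA record set (RFC 8659 rules for the issue/issuewild tags).
# Input on stdin, one record per line in `dig +short` form:
#     <flags> <tag> "<value>"
set -eu

# caa_permits CA_DOMAIN yes|no  < records
# Exit 0 if CA_DOMAIN may issue for the name (second argument: is the
# requested name a wildcard?), exit 1 if it must refuse.
caa_permits() {
  awk -v ca="$1" -v wild="$2" '
    # issuer domain of an issue/issuewild value: text before ";", no blanks
    function issuer(v) { sub(/;.*/, "", v); gsub(/[ \t]/, "", v); return tolower(v) }
    NF >= 2 {
      flags = $1 + 0; tag = tolower($2)
      if ($0 ~ /"/) { val = $0; sub(/^[^"]*"/, "", val); sub(/"[^"]*$/, "", val) }
      else          { val = $3 }
      if (tag == "issue")          { n_issue++; if (issuer(val) == ca) ok_issue = 1 }
      else if (tag == "issuewild") { n_wild++;  if (issuer(val) == ca) ok_wild = 1 }
      else if (tag != "iodef" && flags >= 128) unknown_critical = 1
    }
    END {
      # a critical tag this CA does not understand means: do not issue
      if (unknown_critical) exit 1
      # for wildcard names, issuewild records (when present) replace issue records
      if (wild == "yes" && n_wild > 0) exit (ok_wild ? 0 : 1)
      # no relevant records at all: any CA may issue
      if (n_issue == 0) exit 0
      # otherwise only a CA named in an issue record may issue; issue ";" names none
      exit (ok_issue ? 0 : 1)
    }'
}

# Stand-alone demo with constructed record sets.
demo() {
  ca="ca.example"
  if printf '0 issue "ca.example"\n0 iodef "mailto:security@example.org"\n' | caa_permits "$ca" no
  then echo "named in issue record: permitted"; fi
  if printf '0 issue ";"\n' | caa_permits "$ca" no
  then echo "unexpected"; else echo 'issue ";": no CA may issue, refused'; fi
  if printf '0 issue "ca.example"\n0 issuewild "other-ca.example"\n' | caa_permits "$ca" yes
  then echo "unexpected"; else echo "wildcard governed by issuewild: refused"; fi
}
demo
```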


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1306 [Main CAcert Website] certificate issuing major always 2014-09-15 14:25 2020-05-22 11:30
Reporter: wytze Platform:  
Assigned To: GuKKDevel OS:  
Priority: normal OS Version:  
Status: fix available Product Version: 2014 Q3  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Reviewed by:
Test Instructions:
Summary: expired certificates should not be listed in the CAcert CRLs
Description: The size of the current CAcert Class1 CRL (http://crl.cacert.org/revoke.crl) is 6.5 megabyte. Even the CAcert Class3 CRL (http://crl.cacert.org/class3-revoke.crl) is already 0.75 megabyte. This is causing an unacceptably huge amount of CRL download traffic (currently over 130 GB *per day*). In addition, it is causing verification failures for certain clients, e.g. the Microsoft Crypto API, due to the long time required for downloading the CRL.

The main cause for the large size of the CRLs is the inclusion of *all* certificates revoked since the start of CAcert (in 2003) in there. As a result, most of the certs listed as revoked have expired a long time ago already, and are thus invalid anyway. There is no RFC requirement to include such expired certs in the CRL; omitting them will result in CRLs of a much more manageable size.
Tags:
Steps To Reproduce: The attached logfile shows an example of failure on the Microsoft platform for the command:
    certutil -f -verify -urlfetch -t 30 server.crt
Additional Information: See also http://social.technet.microsoft.com/Forums/windowsserver/en-US/7e69d0d1-1df2-4830-8d22-f887b6261062/cacert-revocation-server-offline?forum=w7itprosecurity
Attached Files: crl-size-issue.log (5,228 bytes) 2014-09-15 14:25
http://bugs.cacert.org/file_download.php?file_id=381&type=bug
EliminateExpired.pl (4,694 bytes) 2018-11-01 13:03
http://bugs.cacert.org/file_download.php?file_id=439&type=bug
EliminateExpired.V2.pl (7,889 bytes) 2018-11-01 13:03
http://bugs.cacert.org/file_download.php?file_id=440&type=bug
Notes
(0005594)
GuKKDevel   
2018-06-06 10:34   
At test.cacert.org a first workaround is available under /home/GuKKDevel/bug-1306/EliminateExpired.pl.

Since the CRL is built from the database file index.txt in the directory named in the config file, the module above reads this file and writes the records either to the file for eliminated records or to the next index.txt file, depending on the date of revocation and expiration. Both have to be younger than 62 days (2 months) in the past.

At this stage after that the files index.txt and index.temp.new have to be renamed manually.
(0005595)
egal   
2018-06-06 10:40   
There is a retention time of three months after the last certificate expired/was revoked before an account can be closed for support. I suggest the same duration for CRL.
(0005597)
GuKKDevel   
2018-06-06 10:57   
Agreed, so let's make it 100 days
(0005634)
GuKKDevel   
2018-11-01 13:03   
I did a fix.

Appended are two versions to choose from.
(0005791)
Ted   
2019-04-05 21:33   
Current signer configuration can be found at https://svn.cacert.org/CAcert/SystemAdministration/signer/
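The pruning rule described in the notes above (revoked entries whose certificate expiry and revocation date both lie more than the retention period in the past are moved out of index.txt), as an added example in shell rather than the attached EliminateExpired.pl. The index lines are constructed, the serials and names are placeholders, and the cutoff is passed in as a parameter.

```shell
#!/bin/sh
# Added example, not the EliminateExpired.pl attached to this bug: prune an
# `openssl ca` index.txt so that revoked entries whose expiry AND revocation
# date are both older than the cutoff go to a separate file, while everything
# else (valid certs, recent revocations, revoked-but-unexpired certs) stays.
set -eu

# index.txt columns are tab separated: status (V/R/E), expiry, revocation date
# (empty unless revoked, may carry ",reason"), serial, file name, subject.
# Dates are YYMMDDHHMMSSZ (the UTCTime form openssl writes for years < 2050),
# so a numeric compare of the first 12 digits orders them correctly.
# Constructed sample database:
sample_index() {
  printf 'R\t100101000000Z\t091201120000Z\t0B\tunknown\t/CN=old-and-expired.example\n'
  printf 'R\t250101000000Z\t091201120000Z\t0C\tunknown\t/CN=revoked-long-ago-still-valid.example\n'
  printf 'R\t180901000000Z\t180802090000Z,keyCompromise\t0D\tunknown\t/CN=recently-expired.example\n'
  printf 'V\t250101000000Z\t\t0E\tunknown\t/CN=valid.example\n'
}

# prune_index CUTOFF INDEX_IN KEEP_OUT DROP_OUT
# CUTOFF is a YYMMDDHHMMSSZ stamp, e.g. on GNU date:
#     date -u -d "100 days ago" +%y%m%d%H%M%SZ
# An entry is dropped only if it is revoked (R) and both its expiry and its
# revocation date are before CUTOFF; all other entries are kept unchanged.
prune_index() {
  awk -F'\t' -v cutoff="$1" -v keep="$3" -v drop="$4" '
    function stamp(s) { return substr(s, 1, 12) + 0 }   # numeric YYMMDDHHMMSS
    {
      rev = $3; sub(/,.*/, "", rev)                     # strip ",reason"
      if ($1 == "R" && stamp($2) < stamp(cutoff) && stamp(rev) < stamp(cutoff))
        print > drop
      else
        print > keep
    }' "$2"
}

# count_lines FILE: number of index entries in FILE (0 if nothing was written)
count_lines() { if [ -f "$1" ]; then wc -l < "$1" | tr -d ' '; else echo 0; fi; }

# Stand-alone demo: cutoff 100 days before 2018-11-01.
work=$(mktemp -d)
sample_index > "$work/index.txt"
prune_index 180724000000Z "$work/index.txt" "$work/index.txt.new" "$work/index.eliminated"
echo "kept:    $(count_lines "$work/index.txt.new")"
echo "dropped: $(count_lines "$work/index.eliminated")"
# As with the attached script, the operator then renames index.txt.new over
# index.txt (keeping a backup) and regenerates the CRL with `openssl ca -gencrl`.
rm -rf "$work"
```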


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1254 [Main CAcert Website] website content major always 2014-03-02 16:17 2020-05-22 11:30
Reporter: BenBE Platform:  
Assigned To: BenBE OS:  
Priority: high OS Version:  
Status: fix available Product Version: 2014 Q1  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version: 2014 Q2  
Reviewed by:
Test Instructions:
Summary: Update the signed PGP-Message containing the fingerprints of CAcert
Description: Raised by a message on the mailing list: there is little a priori information that enables someone distrusting the CAcert class 1 root to verify its integrity and authenticity with the information provided in the root certificate download section (index/3).

Given you can trace a trust path from your OpenPGP key to the one used to sign the message with the information, you should be able to fully verify the information on that page. Unfortunately the current signature only covers the MD5 and SHA1 hash of the certificate, which both constitute weak hashes by today's standards.

Thus it'd be nice to have the GnuPG signature be updated to include a much broader set of hashes. See below for more details.
Tags:
Steps To Reproduce: Try to verify the CAcert Class 1 Root certificate and CAcert Class 3 Intermediate certificate only by trusting the information in the block on index/3 while distrusting MD5 entirely and assuming SHA1 to be unreliable.
Additional Information: A better informational block captured in the signature might look like:

---
Fingerprints for the CAcert Class 1 Root certificate:
=====================================================

for a in md4 md5 sha1 ripemd160 sha224 sha256 sha384 sha512 whirlpool; do \
openssl x509 -noout -fingerprint -$a -in class1.pem ; done

MD4 Fingerprint=
    EB:36:C3:01:E3:AC:CE:CE:D1:C1:DF:A5:D8:17:BC:50
MD5 Fingerprint=
    A6:1B:37:5E:39:0D:9C:36:54:EE:BD:20:31:46:1F:6B
SHA1 Fingerprint=
    13:5C:EC:36:F4:9C:B8:E9:3B:1A:B2:70:CD:80:88:46:76:CE:8F:33
RIPEMD160 Fingerprint=
    EA:B7:2F:F1:24:04:4B:57:D4:45:BE:97:E7:3B:CD:92:C2:6D:AE:1D
SHA224 Fingerprint=
    60:1D:E5:E5:56:C9:91:B6:BD:A6:75:43:FB:5C
    73:71:BD:E1:27:FF:A6:84:24:2F:66:F3:16:88
SHA256 Fingerprint=
    FF:2A:65:CF:F1:14:9C:74:30:10:1E:0F:65:A0:7E:C1
    91:83:A3:B6:33:EF:4A:65:10:89:0D:AD:18:31:6B:3A
SHA384 Fingerprint=
    DF:63:0B:17:89:70:CF:75:B1:E2:4E:F0:DD:7B:F5:24
    B6:9D:64:80:6E:D1:EC:07:BF:D5:F7:AB:32:DE:96:51
    9D:46:CC:CA:D3:B3:E3:89:40:6E:7B:A8:2B:55:B4:B6
SHA512 Fingerprint=
    EB:0A:D8:4F:11:B4:B0:8B:F7:6C:78:66:EF:32:84:22
    92:BB:B2:86:2F:B6:FC:49:C0:A3:F8:07:62:9C:A8:F5
    DD:28:A0:DE:7B:0C:04:D5:66:02:0A:C4:FF:2B:A4:4E
    2F:61:2A:A5:8A:1A:E4:CC:AC:E4:86:D2:44:95:2F:C2
whirlpool Fingerprint=
    64:9E:AB:97:59:10:EF:E0:DD:78:D2:A8:B4:B1:D1:6B
    A4:08:39:42:50:F0:1A:A8:6E:38:B4:4A:52:2B:35:75
    ED:98:4A:C9:53:77:BD:DA:E2:18:41:8C:BD:21:41:1A
    EC:53:E2:08:FF:21:31:A2:B2:CF:F3:FB:81:79:AF:D7

Fingerprints for the CAcert Class 3 Intermediate certificate:
=============================================================

for a in md4 md5 sha1 ripemd160 sha224 sha256 sha384 sha512 whirlpool; do \
openssl x509 -noout -fingerprint -$a -in class3.pem ; done

MD4 Fingerprint=
    60:B7:CD:A2:F2:18:55:3F:1B:F0:43:31:A4:06:82:9C
MD5 Fingerprint=
    F7:25:12:82:4E:67:B5:D0:8D:92:B7:7C:0B:86:7A:42
SHA1 Fingerprint=
    AD:7C:3F:64:FC:44:39:FE:F4:E9:0B:E8:F4:7C:6C:FA:8A:AD:FD:CE
RIPEMD160 Fingerprint=
    41:A5:08:B6:C7:35:54:58:0E:F6:EE:C1:86:FA:A3:6D:BF:E9:D5:E1
SHA224 Fingerprint=
    90:C6:94:5B:4B:91:D3:72:49:BD:CD:D2:A4:51
    CC:24:A6:E0:8A:1D:ED:1E:E3:C4:53:7C:17:21
SHA256 Fingerprint=
    4E:DD:E9:E5:5C:A4:53:B3:88:88:7C:AA:25:D5:C5:C5
    BC:CF:28:91:D7:3B:87:49:58:08:29:3D:5F:AC:83:C8
SHA384 Fingerprint=
    DF:92:B7:83:6F:2A:CD:A0:07:9A:0B:14:7C:C8:D5:92
    20:E7:6C:76:61:9A:75:3C:0B:64:D1:3F:13:E3:A5:CB
    C6:81:92:0A:86:62:A0:95:44:03:DE:10:AB:72:1D:B1
SHA512 Fingerprint=
    3C:6E:24:87:E4:9F:43:06:15:E4:E5:7C:9D:8D:67:5F
    36:41:FC:00:3F:7D:95:26:DD:BC:AA:35:DA:6D:5D:B4
    B1:59:03:47:62:BA:BA:4C:29:98:60:42:96:EC:C3:11
    5F:AB:81:2F:04:F0:E4:D4:B2:EE:C6:9C:B3:B8:3B:F1
whirlpool Fingerprint=
    78:64:5C:D2:20:2A:DB:CC:54:3D:26:38:71:E7:17:15
    66:A0:88:47:E3:E2:26:31:B4:CD:63:7B:B1:D2:53:AC
    EE:0B:19:2A:0C:4F:82:6B:AB:8B:14:0F:09:9D:99:BD
    3B:9E:5D:E8:A6:CA:6D:3D:B6:33:08:52:AA:5F:C4:46

Fingerprints for the CAcert OpenPGP signing key:
================================================

LC_ALL=C gpg --list-key --fingerprint gpg@cacert.org

pub 1024D/65D0FD58 2003-07-11 [expires: 2033-07-03]
      Key fingerprint = A31D 4F81 EF4E BD07 B456 FA04 D2BB 0D01 65D0 FD58
uid CA Cert Signing Authority (Root CA) <gpg@cacert.org>
sub 2048g/113ED0F2 2003-07-11 [expires: 2033-07-03]
---

This also gives instructions on how to obtain the information presented in the signature block and thus helps people verify this data.
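The multi-digest check described above, as an added Python example (not CAcert's code and not the attached fix1254.sh): it computes the same values `openssl x509 -noout -fingerprint -<digest>` prints from a DER certificate, renders and parses the wrapped `NAME Fingerprint=` layout of the block, skips digests the local OpenSSL build lacks, and accepts a match only when a digest outside the weak MD4/MD5/SHA1 set confirms it. The PEM inside is constructed sample bytes, not a real CAcert certificate, and all function names are this example's own.

```python
"""Multi-digest certificate fingerprint check (added example, not CAcert code)."""
import base64
import hashlib
import re

# Digests the issue text treats as weak: a match on these alone proves nothing.
WEAK_DIGESTS = {"md4", "md5", "sha1"}
# Same list as the first proposal in the issue, spelled as hashlib knows them.
DIGESTS = ["md4", "md5", "sha1", "ripemd160", "sha224",
           "sha256", "sha384", "sha512", "whirlpool"]

# CONSTRUCTED stand-in for class1.pem: valid base64 of arbitrary bytes, not X.509.
CONSTRUCTED_PEM = """-----BEGIN CERTIFICATE-----
MIIBBjCBsQIBADALBgkqhkiG9w0BAQUwEDEOMAwGA1UEAwwFZHVtbXk=
-----END CERTIFICATE-----
"""

FP_HEADER = re.compile(r"^\s*([A-Za-z0-9]+) Fingerprint=\s*(.*)$")


def pem_to_der(pem: str) -> bytes:
    """Decode the base64 body between the BEGIN/END CERTIFICATE markers."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def colon_hex(digest: bytes) -> str:
    """openssl -fingerprint layout: upper-case hex bytes joined by colons."""
    return ":".join(f"{b:02X}" for b in digest)


def fingerprints(der: bytes, digests=DIGESTS) -> dict:
    """Return {NAME: fingerprint} over the DER bytes, which is exactly what
    `openssl x509 -noout -fingerprint -<digest>` prints. Digests the local
    OpenSSL build lacks (whirlpool on the signing server, note 0005105) are skipped."""
    out = {}
    for name in digests:
        try:
            h = hashlib.new(name)
        except ValueError:          # unsupported hash type in this build
            continue
        h.update(der)
        out[name.upper()] = colon_hex(h.digest())
    return out


def render_block(title: str, fps: dict, width: int = 16) -> str:
    """Render the wrapped 'NAME Fingerprint=' listing used in the issue,
    with at most `width` bytes per indented continuation line."""
    lines = [title, "=" * len(title), ""]
    for name, fp in fps.items():
        octets = fp.split(":")
        lines.append(f"{name} Fingerprint=")
        for i in range(0, len(octets), width):
            lines.append("    " + ":".join(octets[i:i + width]))
    return "\n".join(lines) + "\n"


def parse_fingerprint_block(text: str) -> dict:
    """Parse such a listing back into {NAME: fingerprint}; indented continuation
    lines are joined, so a SHA-512 value split over four lines becomes one."""
    fps, current = {}, None
    for line in text.splitlines():
        m = FP_HEADER.match(line)
        if m:
            current = m.group(1).upper()
            fps[current] = m.group(2).strip()
        elif current and line.startswith(" ") and line.strip():
            fps[current] += (":" if fps[current] else "") + line.strip()
        else:
            current = None          # blank line or other text ends the entry
    return fps


def verify(der: bytes, expected: dict, weak=WEAK_DIGESTS):
    """Check DER bytes against a (signed) fingerprint list. Returns (ok, reason):
    every comparable digest must match and at least one match must be strong."""
    actual = fingerprints(der, [name.lower() for name in expected])
    strong_match = False
    for name, fp in expected.items():
        got = actual.get(name.upper())
        if got is None:
            continue                # not computable here: neither confirms nor refutes
        if got != fp.upper():
            return False, f"{name.upper()} fingerprint mismatch"
        if name.lower() not in weak:
            strong_match = True
    if not strong_match:
        return False, "only weak (or no) digests could be compared"
    return True, "all comparable fingerprints match, including a strong digest"
```

Running `verify(der, parse_fingerprint_block(signed_text))` after `gpg --verify` has checked the signed text gives the check the issue asks for, and a list containing only MD5/SHA1 values is refused rather than silently accepted.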
Attached Files: fix1254.sh (2,813 bytes) 2014-11-13 16:09
http://bugs.cacert.org/file_download.php?file_id=389&type=bug
fix1254-signer.sh (2,793 bytes) 2014-11-13 16:13
http://bugs.cacert.org/file_download.php?file_id=390&type=bug
files-1254.tar.gz (2,657 bytes) 2014-11-13 16:13
http://bugs.cacert.org/file_download.php?file_id=391&type=bug
files_for_certs_folder.zip (2,257 bytes) 2014-11-21 10:38
http://bugs.cacert.org/file_download.php?file_id=392&type=bug
Notes
(0004614)
dominiks   
2014-03-02 21:52   
Actually, the simplest to use (from a GPG user's perspective) seems to me to be signing
the complete key (root.crt, root.der, root.txt) and supplying the detached
signature. It is the usual procedure, and then you need only GnuPG for
verifying and don't have to verify the hashes, find the bloody openssl syntax
and then compare the hashes again manually.
(0004705)
BenBE   
2014-04-09 21:59   
(Last edited: 2014-04-09 22:02)
Updated version shortened to only include SHA1, SHA-256, SHA-512 and Whirlpool for better compatibility for the average user:

---
Fingerprints for the CAcert Class 1 Root certificate:
=====================================================

for a in sha1 sha256 sha512 whirlpool; do \
openssl x509 -noout -fingerprint -$a -in class1.pem ; done

SHA1 Fingerprint=
    13:5C:EC:36:F4:9C:B8:E9:3B:1A:B2:70:CD:80:88:46:76:CE:8F:33
SHA256 Fingerprint=
    FF:2A:65:CF:F1:14:9C:74:30:10:1E:0F:65:A0:7E:C1
    91:83:A3:B6:33:EF:4A:65:10:89:0D:AD:18:31:6B:3A
SHA512 Fingerprint=
    EB:0A:D8:4F:11:B4:B0:8B:F7:6C:78:66:EF:32:84:22
    92:BB:B2:86:2F:B6:FC:49:C0:A3:F8:07:62:9C:A8:F5
    DD:28:A0:DE:7B:0C:04:D5:66:02:0A:C4:FF:2B:A4:4E
    2F:61:2A:A5:8A:1A:E4:CC:AC:E4:86:D2:44:95:2F:C2
whirlpool Fingerprint=
    64:9E:AB:97:59:10:EF:E0:DD:78:D2:A8:B4:B1:D1:6B
    A4:08:39:42:50:F0:1A:A8:6E:38:B4:4A:52:2B:35:75
    ED:98:4A:C9:53:77:BD:DA:E2:18:41:8C:BD:21:41:1A
    EC:53:E2:08:FF:21:31:A2:B2:CF:F3:FB:81:79:AF:D7

Fingerprints for the CAcert Class 3 Intermediate certificate:
=============================================================

for a in sha1 sha256 sha512 whirlpool; do \
openssl x509 -noout -fingerprint -$a -in class3.pem ; done

SHA1 Fingerprint=
    AD:7C:3F:64:FC:44:39:FE:F4:E9:0B:E8:F4:7C:6C:FA:8A:AD:FD:CE
SHA256 Fingerprint=
    4E:DD:E9:E5:5C:A4:53:B3:88:88:7C:AA:25:D5:C5:C5
    BC:CF:28:91:D7:3B:87:49:58:08:29:3D:5F:AC:83:C8
SHA512 Fingerprint=
    3C:6E:24:87:E4:9F:43:06:15:E4:E5:7C:9D:8D:67:5F
    36:41:FC:00:3F:7D:95:26:DD:BC:AA:35:DA:6D:5D:B4
    B1:59:03:47:62:BA:BA:4C:29:98:60:42:96:EC:C3:11
    5F:AB:81:2F:04:F0:E4:D4:B2:EE:C6:9C:B3:B8:3B:F1
whirlpool Fingerprint=
    78:64:5C:D2:20:2A:DB:CC:54:3D:26:38:71:E7:17:15
    66:A0:88:47:E3:E2:26:31:B4:CD:63:7B:B1:D2:53:AC
    EE:0B:19:2A:0C:4F:82:6B:AB:8B:14:0F:09:9D:99:BD
    3B:9E:5D:E8:A6:CA:6D:3D:B6:33:08:52:AA:5F:C4:46

Fingerprints for the CAcert OpenPGP signing key:
================================================

LC_ALL=C gpg --list-key --fingerprint gpg@cacert.org

pub 1024D/65D0FD58 2003-07-11 [expires: 2033-07-03]
      Key fingerprint = A31D 4F81 EF4E BD07 B456 FA04 D2BB 0D01 65D0 FD58
uid CA Cert Signing Authority (Root CA) <gpg@cacert.org>
sub 2048g/113ED0F2 2003-07-11 [expires: 2033-07-03]
---

@dominiks: Detached signatures for the downloadable files are a nice idea but are impractical in some situations, when encoding/line endings differ or other issues on the client side arise for verification. Furthermore, a detached signature only provides one validation; with this somewhat longer text you have different test vectors, in case you desire to test them or one turns out unreliable.

(0005104)
wytze   
2014-11-13 16:08   
A script has been written which can be used on the signing server to collect all the signatures requested for this issue. The script is attached.
(0005105)
wytze   
2014-11-13 16:13   
On November 12, 2014, the fix1254.sh script has been executed on the signing server. Unfortunately, it turned out that the openssl version in use on the signing server is too old to support the 'whirlpool' digest. Hence the script has been edited to omit the generation of 'whirlpool' fingerprints in the documents to be signed.
The modified script has been attached as fix1254-signer.sh.
The produced signature files have been attached as a compressed tar file named files-1254.tar.gz.
(0005115)
INOPIAE   
2014-11-21 10:41   
(Last edited: 2014-11-21 10:44)
I pushed the fix to https://github.com/INOPIAE/CAcert/commit/c4e1fb4b3d1c155f27679c69728d61918cbb4eeb.
As I had trouble with the automatic CrLf correction, I attached the files for the certs folder in files_for_certs_folder.zip.
I renamed the file fingerprint-long-complex.txt.asc to cacert-pki-fingerprints.txt.asc.



View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1260 [Main CAcert Website] source code block always 2014-03-19 10:39 2020-05-22 11:29
Reporter: BenBE Platform:  
Assigned To: BenBE OS:  
Priority: urgent OS Version:  
Status: needs work Product Version: 2014 Q1  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version: 2014 Q2  
Reviewed by:
Test Instructions:
Summary: Make the source compatible with recent PHP versions
Description: Make the source run at least with PHP 5.5 or more recent
Tags:
Steps To Reproduce:
Additional Information: Current source presented by General Failure.
Attached Files:
Notes
(0004872)
wytze   
2014-06-26 14:36   
Just some samples of running against PHP 5.4 from Debian Wheezy:

PHP Deprecated: mysql_escape_string(): This function is deprecated; use mysql_real_escape_string() instead. in /www/includes/lib/general.php on line 35, referer: https://cacert2.it-sls.de/index.php
PHP Deprecated: mysql_escape_string(): This function is deprecated; use mysql_real_escape_string() instead. in /www/includes/lib/general.php on line 37, referer: https://cacert2.it-sls.de/index.php
PHP Deprecated: mysql_escape_string(): This function is deprecated; use mysql_real_escape_string() instead. in /www/www/index.php on line 254, referer: https://cacert2.it-sls.de/index.php?id=4
PHP Deprecated: mysql_escape_string(): This function is deprecated; use mysql_real_escape_string() instead. in /www/www/index.php on line 255, referer: https://cacert2.it-sls.de/index.php?id=4
PHP Deprecated: mysql_escape_string(): This function is deprecated; use mysql_real_escape_string() instead. in /www/www/verify.php on line 104
PHP Notice: Undefined index: oldlocation in /www/www/index.php on line 336, referer: https://cacert2.it-sls.de/index.php?id=4

Even with PHP 5.3 on Debian Squeeze, there are already quite some warnings generated:

PHP Deprecated: Function ereg() is deprecated in /www/www/gpg.php on line 461, referer: https://secure.cacert.org/gpg.php?id=0
PHP Deprecated: Function ereg() is deprecated in /www/www/gpg.php on line 465, referer: https://secure.cacert.org/gpg.php?id=0
PHP Deprecated: Function ereg() is deprecated in /www/www/gpg.php on line 483, referer: https://secure.cacert.org/gpg.php?id=0
PHP Fatal error: Call to undefined function GetY() in /www/www/capnew.php on line 1011
PHP Fatal error: Call to undefined function GetY() in /www/www/capnew.php on line 1011, referer: http://wiki.cacert.org/Assurance/CustomizedCAP/DE
PHP Fatal error: Call to undefined method CAPPDF::AddSJISFont() in /www/www/capnew.php on line 1603
PHP Warning: checkDebianVulnerability(): /usr/share/openssl-blacklist/blacklist.RSA-16384 is not readable. Unsupported key size? in /www/includes/lib/check_weak_key.php on line 335, referer: https://www.cacert.org/account.php
PHP Warning: checkDebianVulnerability(): /usr/share/openssl-blacklist/blacklist.RSA-2432 is not readable. Unsupported key size? in /www/includes/lib/check_weak_key.php on line 335, referer: https://www.cacert.org/account.php
PHP Warning: checkDebianVulnerability(): /usr/share/openssl-blacklist/blacklist.RSA-3072 is not readable. Unsupported key size? in /www/includes/lib/check_weak_key.php on line 335, referer: https://secure.cacert.org/account.php
PHP Warning: checkDebianVulnerability(): /usr/share/openssl-blacklist/blacklist.RSA-3096 is not readable. Unsupported key size? in /www/includes/lib/check_weak_key.php on line 335, referer: https://secure.cacert.org/account.php
PHP Warning: checkDebianVulnerability(): /usr/share/openssl-blacklist/blacklist.RSA-5024 is not readable. Unsupported key size? in /www/includes/lib/check_weak_key.php on line 335, referer: https://www.cacert.org/account.php
PHP Warning: checkDebianVulnerability(): /usr/share/openssl-blacklist/blacklist.RSA-8092 is not readable. Unsupported key size? in /www/includes/lib/check_weak_key.php on line 335, referer: https://secure.cacert.org/account.php?id=10
PHP Warning: checkDebianVulnerability(): /usr/share/openssl-blacklist/blacklist.RSA-8192 is not readable. Unsupported key size? in /www/includes/lib/check_weak_key.php on line 335, referer: https://www.cacert.org/account.php?id=5
PHP Warning: DOMDocument::load(): CData section not finished\n\n<code>German version below</code>\n\n\n\nThere in /www/pages/index/feed.rss, line: 350 in /www/pages/index/0.php on line 41
PHP Warning: DOMDocument::load(): CData section not finished\n\n[Translations Dutch, German and Spanish see bel in /www/pages/index/feed.rss, line: 89 in /www/pages/index/0.php on line 41
PHP Warning: DOMDocument::load(): Document is empty in /www/pages/index/feed.rss, line: 1 in /www/pages/index/0.php on line 41, referer: https://secure.cacert.org/account.php?id=5
PHP Warning: DOMDocument::load(): Premature end of data in tag channel line 11 in /www/pages/index/feed.rss, line: 197 in /www/pages/index/0.php on line 41
PHP Warning: DOMDocument::load(): Premature end of data in tag creator line 197 in /www/pages/index/feed.rss, line: 197 in /www/pages/index/0.php on line 41
PHP Warning: DOMDocument::load(): Premature end of data in tag encoded line 231 in /www/pages/index/feed.rss, line: 350 in /www/pages/index/0.php on line 41
PHP Warning: DOMDocument::load(): Premature end of data in tag encoded line 73 in /www/pages/index/feed.rss, line: 89 in /www/pages/index/0.php on line 41
PHP Warning: DOMDocument::load(): Premature end of data in tag item line 192 in /www/pages/index/feed.rss, line: 197 in /www/pages/index/0.php on line 41
PHP Warning: DOMDocument::load(): Premature end of data in tag item line 212 in /www/pages/index/feed.rss, line: 350 in /www/pages/index/0.php on line 41
PHP Warning: DOMDocument::load(): Premature end of data in tag item line 58 in /www/pages/index/feed.rss, line: 89 in /www/pages/index/0.php on line 41
PHP Warning: DOMDocument::load(): Premature end of data in tag rss line 2 in /www/pages/index/feed.rss, line: 197 in /www/pages/index/0.php on line 41
PHP Warning: DOMDocument::load(): Premature end of data in tag rss line 2 in /www/pages/index/feed.rss, line: 350 in /www/pages/index/0.php on line 41
PHP Warning: DOMDocument::load(): Premature end of data in tag rss line 2 in /www/pages/index/feed.rss, line: 89 in /www/pages/index/0.php on line 41
PHP Warning: DOMDocument::load(): Start tag expected, '<' not found in /www/pages/index/feed.rss, line: 1 in /www/pages/index/0.php on line 41
PHP Warning: DOMDocument::load(): Unregistered error message in /www/pages/index/feed.rss, line: 197 in /www/pages/index/0.php on line 41
PHP Warning: mysql_fetch_assoc() expects parameter 1 to be resource, boolean given in /www/includes/general.php on line 82, referer: https://secure.cacert.org/account.php
PHP Warning: mysql_fetch_assoc() expects parameter 1 to be resource, boolean given in /www/includes/general.php on line 87, referer: https://secure.cacert.org/account.php
PHP Warning: mysql_fetch_assoc() expects parameter 1 to be resource, boolean given in /www/includes/loggedin.php on line 46, referer: https://secure.cacert.org/account.php
PHP Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in /www/includes/general.php on line 618, referer: https://www.cacert.org/account.php
PHP Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in /www/includes/lib/general.php on line 41, referer: https://secure.cacert.org/account.php
PHP Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in /www/includes/notary.inc.php on line 1291, referer: https://secure.cacert.org/account.php?id=50&userid=297249&csrf=25635229e752b5c92cadbb0eefb455ec&ticketno=a20140322.1
PHP Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in /www/www/index.php on line 140, referer: https://www.cacert.org/index.php?id=5

(0004925)
felixd   
2014-08-08 23:38   
I have commits that are suitable for the "ereg" and "Undefined index: oldlocation" errors.

https://github.com/yellowant/cacert-devel/commits/bug-1260


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1440 [Main CAcert Website] source code block N/A 2018-05-24 21:33 2020-05-22 11:29
Reporter: GuKKDevel Platform:  
Assigned To: Ted OS:  
Priority: immediate OS Version:  
Status: needs review Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Reviewed by:
Test Instructions:
Summary: link to EU-EEA-DataProtectionDeclaration
Description: we need a link to the EU-EEA-DataProtectionDeclaration
Tags: legal requirement
Steps To Reproduce:
Additional Information:
Attached Files: diff-bug-1440-bug-1440 (1,000 bytes) 2018-10-31 23:34
http://bugs.cacert.org/file_download.php?file_id=438&type=bug
Notes
(0005590)
GuKKDevel   
2018-05-24 21:55   
https://github.com/CAcertOrg/cacert-devel/compare/release...GuKKDevel:bug-1440
(0005623)
Ted   
2018-10-30 20:27   
The target link is https://wiki.cacert.org/Privacy/EU-EEE-DataProtectionDeclaration

The pages in the WiKi were created by Etienne, with some help from others.

I asked Megan (our current Privacy Officer) for a statement; she confirmed that at least the English text is acceptable.

Sent a mail to Etienne asking about the current status, and his opinion on access restrictions on these pages.
(0005625)
Ted   
2018-10-30 22:23   
(Last edited: 2018-10-30 22:23)
The fix is now installed on https://test.cacert.org and ready for testing.

(0005627)
GuKKDevel   
2018-10-31 06:54   
Did a short test.
Irritating is that a certificate is asked for.
After giving one (connected with an account), I am logged in to the wiki and the page is shown.

Cancelling the certificate question, the wiki page is shown.

Question:
Can we at a later time integrate these pages into our online directory?
Or at least, is write access to these wiki pages restricted?
(0005629)
GuKKDevel   
2018-10-31 13:43   
Tested with Kubuntu 18.04 and Firefox.
Same behavior with Win10 and Chrome.
Same behavior with Win10 and Opera.

Different behavior with Win10 and Firefox: there was no question for a certificate.
(0005630)
L10N   
2018-10-31 22:59   
Tested with Vivaldi 2.0 on Lubuntu 16.04 LTS.
It tells something about invalid certs; if I accept to proceed to an unsafe site it works.
If Vivaldi works this way, Chrome and Chromium will probably as well.
(0005631)
L10N   
2018-10-31 23:12   
Can the text of the link be changed from EU-EEE-DataProtectionDeclaration to EU-EEA-DataProtectionDeclaration?
(This is a typo in the wiki URL, as EEA is the European Economic Area.) Does the text appear on Pootle, and can it be corrected and translated there?
(0005632)
GuKKDevel   
2018-10-31 23:34   
Did the source change.
(0005639)
Golffies   
2018-11-02 10:07   
Test report:

1. Tested URL: https://test.cacert.org

2. Hyperlink to the GDPR declaration visible in the footer of the main page with the label "EU-EEE-DataProtectionDeclaration".

3. Clicking on that link opens in the same window the page titled "PrivacyEU-EEE-DataProtectionDeclaration".
That page lists 7 languages, of which 4 actually make a GDPR declaration available.

4. Clicking on "english" opens in the same window the page titled "Data Protection Declaration for Users in EU & EEA". That page actually contains a declaration by CACert regarding its users' rights and CACert's obligations under the General Data Protection Regulation.

5. Coming back to the page titled "Data Protection Declaration for Users in EU & EEA" and then clicking on "česky" or "deutsch" leads in a similar way to the same declaration translated into these respective languages.

6. Coming back to the page titled "Data Protection Declaration for Users in EU & EEA" and then clicking on "italiano" leads in a similar way to the same declaration partially translated into Italian, part of the declaration still being displayed in English.

7. Coming back to the page titled "Data Protection Declaration for Users in EU & EEA" and then clicking on "Български" or "français" or "nederlands" leads to empty pages (populated either by the generic message "This page does not exist yet." or by a message "translation to be completed").

8. Conclusion: the patch works like it should. Additional work has to be done to complete the translations of the GDPR declaration, but that is not what the patch is about.

9. Tested with Firefox Quantum 63.


Miscellaneous: this test report was written as an exercise for me, in order to find in the future a trade-off between the quality of software testing required by CACert's policy and the quantity of work it requires from the tester. Here, it might happen that the amount of paperwork coming with the patch acceptance far exceeds the quantity of work for writing the patch itself.

May it be enough for a second confirmation test by someone else to state that the same behaviour was observed, without more details? I hope so, in order to save the next tester's time.
(0005640)
GuKKDevel   
2018-11-02 11:02   
if the new diff (https://bugs.cacert.org/view.php?id=1440#c5632; EU-EEE-DataProtectionDeclaration to EU-EEA-DataProtectionDeclaration) is installed, the wiki-page(s) must be renamed:
PrivacyEU-EEE-DataProtectionDeclaration to PrivacyEU-EEA-DataProtectionDeclaration
(0005656)
L10N   
2018-11-05 23:43   
The following links are now changed:
https://wiki.cacert.org/Privacy/EU-EEA-DataProtectionDeclaration
https://wiki.cacert.org/Privacy/EU-EEA-DataProtectionDeclaration/CZ
https://wiki.cacert.org/Privacy/EU-EEA-DataProtectionDeclaration/DE
https://wiki.cacert.org/Privacy/EU-EEA-DataProtectionDeclaration/EN
https://wiki.cacert.org/Privacy/EU-EEA-DataProtectionDeclaration/FR
https://wiki.cacert.org/Privacy/EU-EEA-DataProtectionDeclaration/NL
https://wiki.cacert.org/Privacy/EU-EEA-DataProtectionDeclaration/IT
including the internal links on the top of each page.
(0005659)
GuKKDevel   
2018-11-06 10:54   
L10N proposed to solve bug-1423 in the same test as bug-1440:

If you are changing the data protection link on the Cacert.org page anyway,
could you at the same time remove the link to
http://www.openarchitecturenetwork.org/ one line above, at the sponsor logos,
at the Open Network Architecture logo?

The network no longer exists and the link is redirected to a bank in
Singapore, to which CAcert has no relationship. That would also solve
https://bugs.cacert.org/view.php?id=1423 right away.

The branch is created and updated.
(0005839)
sss   
2019-09-21 15:44   
Tested on:
Mozilla Firefox 69.0.
I do not have a wiki account yet.
A certificate is requested on click (but it looks like it is not requested anymore after I logged in to Mantis).
I do not see a problem in the certificate request, but if anonymous access to this page must be provided, the page should also be displayed when no login certificate is provided.
(0005840)
sss   
2019-09-21 15:46   
I have logged out from Mantis and retried the test; the certificate is not requested anymore.
(0005841)
sss   
2019-09-21 15:48   
The certificate is requested again after a browser restart; the page works in both cases:
1. if I provide a login certificate
2. if I decline and do not provide a login certificate
(0005842)
SaT   
2019-09-21 18:18   
Tested with FF 69.0 (64 bit) on Linux Mint 19.2. I have a Wiki account.
I started FF and clicked the link, got a client cert dialog. I pressed ESC and got to the Wiki. Clicked "deutsch" and got to the Datenschutzerklärung without any further client cert dialog.
I restarted FF and clicked the link; this time I chose my certificate and got into the Wiki (login successful).
I restarted FF a third time and opened the link as HTTP. The Wiki link is HTTPS, so it will always request a client cert.

I'm ok with this behaviour (as the privacy declaration can be accessed without certificate).
You could improve it only if the Wiki would allow HTTP and had no Strict-Transport-Security header.
(0005843)
SaT   
2019-09-21 18:33   
Now tested on my LineageOS 14.1 phone (1080 x 1920). I have the CAcert root certs installed.
First with FF 68.1.1: works without a client cert dialog; I get to the privacy declaration with 2 clicks.
Strange: the Android browser shows the welcome page, but when I click the link it loads the Wiki but does not display it. The welcome page is still displayed.
I guess this is an Android/LineageOS issue and not a CAcert bug.
(0005849)
Ted   
2019-10-02 19:26   
So, I take it from these test reports that this procedure is acceptable. So now, reviews must be done (by the Software Assessors)...


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1451 [Main CAcert Website] certificate issuing minor have not tried 2018-11-18 10:01 2020-05-12 18:27
Reporter: Ted Platform:  
Assigned To: OS:  
Priority: low OS Version:  
Status: new Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Reviewed by:
Test Instructions:
Summary: mail addresses
Description: Reported by dastrath, but translated by me:

"Support regularly received mails from IANA that a mail has been sent to 192.168.x.x. Every time this happens an IANA ticket is created, which is then closed after a few days."

First of all there should be some research if it is possible to provoke mails to be sent to RFC1918 mail addresses on the testsystem. Maybe this can happen during registration of a new account, or by trying to add an IP-address as a domain.

IP addresses should not be accepted as domains at all. I'm quite sure that this is already handled, but I did not test. So, use your imagination and try to get the testsystem to accept (or at least, send a probe mail to) an IP address!
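A defensive check for the domain-validation path the description asks about, as an added Python example (not CAcert's code): it rejects bare and bracketed IP literals, IPv4 and IPv6 alike and including the RFC 1918 ranges, before a probe mail could ever be addressed to them. Function names and the sample addresses are this example's own; it uses only the standard library.

```python
"""Refuse IP literals as domains and as probe-mail recipients (added example, not CAcert code)."""
import ipaddress
import re

# One DNS label: 1-63 chars of letters, digits, hyphens; no leading/trailing hyphen.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def as_ip_literal(host: str):
    """Return an ip_address object if `host` is an IP literal, written bare
    ("192.168.1.5"), in RFC 5321 brackets ("[10.0.0.1]") or with the IPv6 tag
    ("[IPv6:fd00::1]"); return None for anything that is not an address."""
    h = host.strip()
    if h.startswith("[") and h.endswith("]"):
        h = h[1:-1]
        if h.lower().startswith("ipv6:"):
            h = h[5:]
    try:
        return ipaddress.ip_address(h)
    except ValueError:
        return None


def check_domain(domain: str):
    """Return (accepted, reason) for a domain a user wants to add.
    The IP test runs first so that a private address is named as such in the
    reason; the remaining checks enforce plain hostname syntax."""
    ip = as_ip_literal(domain)
    if ip is not None:
        kind = "private/reserved" if ip.is_private else "public"
        return False, f"IP literal {ip} rejected ({kind} address, not a domain)"
    labels = domain.strip().rstrip(".").split(".")
    if len(labels) < 2:
        return False, "not a fully qualified domain name"
    if len(domain) > 253 or not all(LABEL.match(label) for label in labels):
        return False, "invalid hostname syntax"
    if labels[-1].isdigit():
        return False, "all-numeric top-level label looks like an IP address"
    return True, "ok"


def check_probe_recipient(address: str):
    """Decide whether a domain-verification probe mail may be sent to `address`.
    The host part is held to the same rule as check_domain, so nothing is ever
    queued for postmaster@192.168.x.x or a bracketed literal."""
    if address.count("@") != 1:
        return False, "malformed address"
    local, host = address.rsplit("@", 1)
    if not local:
        return False, "empty local part"
    return check_domain(host)
```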
Tags:
Steps To Reproduce:
Additional Information:
Attached Files:
There are no notes attached to this issue.


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1039 [Main CAcert Website] web of trust minor have not tried 2012-05-12 16:01 2020-05-12 18:24
Reporter: INOPIAE Platform: Y  
Assigned To: OS:  
Priority: high OS Version:  
Status: needs review & testing Product Version: 2006  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version: 2006  
    Target Version:  
Reviewed by:
Test Instructions: Ggh
Summary: Cyber peretas nomor 085823771018
Description: Cyber muslim
Tags:
Steps To Reproduce: Tfj
Additional Information: Yghh
Attached Files: cap-1.pdf (27,636 bytes) 2012-05-12 20:34
http://bugs.cacert.org/file_download.php?file_id=258&type=bug
cap.pdf (27,473 bytes) 2018-12-16 12:37
http://bugs.cacert.org/file_download.php?file_id=462&type=bug
Notes
(0002993)
MarekMazur   
2012-05-12 18:33   
"Program Uwierzytelniania CAcert
Formularz Weryfikacji To¿samo¶ci"
instead of
"Program Uwierzytelniania CAcert
Formularz Weryfikacji Tożsamości"

"O¶wiadczenie Kandydata"
should be
"Oświadczenie Kandydata"

"Imiê i Nazwisko:"
should be:
"Imię i Nazwisko:"

"Zgadzam siê z CAcert Community Agreement."
should be:
"Zgadzam się z CAcert Community Agreement."

"Okazane Dokumenty To¿samo¶ci ze zdjêciem:"
should be:
"Okazane Dokumenty Tożsamości ze zdjęciem:"

"Miejsce Spotkanie Twarz± w Twarz:"
should be:
"Miejsce Spotkania Twarzą w Twarz:"

"Jestem cz3onkiem spo3eczno¶ci CAcert, zda3em Assurance Challenge, i posiadam conajmniej 100 pkt potwierdzenia."
should be:
"Jestem członkiem społeczności CAcert, zdałem Assurance Challenge i posiadam nie mniej niż 100 pkt wiarygodności."

Also, when a name contains characters from an encoding other than iso8859-1, there is a problem.

Accounts with name(s) containing non-latin1 characters are not usable.
(0002994)
mat_64   
2012-05-12 20:43   
In the Dutch version there are some inconsistencies: Capitalisation, Use of words, among others. See attached file.
(0002995)
INOPIAE   
2012-05-12 21:00   
Taken from a mail of Guy Scharinger

Hello everybody,

no default detected in the CAP form in French

Cordialement

Guy Scharinger
(0002996)
jjamor   
2012-05-13 12:30   
In the Spanish version, I've not seen any special letter problem.

However, a word is not well translated: "veridicado" should be written "verificado".

In Pootle terminology, it is correct (verified = verificado).
(0005714)
alkas   
2018-12-16 12:37   
Czech generated version is completely unusable - most letters with diacritic signs are missing! See the example.
(0005739)
Ted   
2019-01-18 21:17   
These issues occur when languages use non-cp-1252 characters, like the Eastern European ones (Czech, Polish, ...).

We should probably use the UTF-8 version of the FPDF library: http://www.fpdf.org/en/script/script92.php
(0005882)
Adakah   
2020-05-12 18:24   
Hhh


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1397 [webstatic] General feature always 2015-08-19 21:50 2020-03-05 08:53
Reporter: MartinGummi Platform:  
Assigned To: BenBE OS:  
Priority: normal OS Version:  
Status: new Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Summary: evaluate gitolite3
Description: Debian 8 (jessie) ships gitolite3[1] as the successor of gitolite (2.x).

Please test gitolite3 and the migration of the current repositories.

[1] https://packages.debian.org/jessie/gitolite3
Tags:
Steps To Reproduce:
Additional Information:
Attached Files:
Notes
(0005863)
marthasimons   
2020-03-05 08:53   
Test


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1477 [Main CAcert Website] website content minor always 2020-02-11 13:07 2020-02-11 13:07
Reporter: L10N Platform: all  
Assigned To: OS: all  
Priority: normal OS Version:  
Status: new Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Reviewed by:
Test Instructions:
Summary: swag.cacert.eu is no longer available
Description: As the cacert.eu domain is now redirected to cacert.org, the subdomain swag.cacert.eu is no longer available. The issue is that at the time we distributed or sold coffee cups with a QR code linking to that subdomain.

I have no idea about the content of this subdomain, as the site is not recorded at the Internet Archive, but at least it should be redirected to a running service.
Tags: domain, down, merchandising
Steps To Reproduce: Take a cacert.org coffee cup:
https://twitter.com/CAcert/status/1158448103650930690/photo/1

Follow the QR code.
It goes to swag.cacert.eu

At swag.cacert.eu is an error message: Site could not be found. (Seite konnte nicht gefunden werden)
If I change to cacert.eu it is redirected to cacert.org
Additional Information: As these cups are still somewhere, it would be nice to fix or redirect it.
Attached Files:
There are no notes attached to this issue.


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1447 [Main CAcert Website] block always 2018-11-06 11:26 2020-01-23 10:20
Reporter: pgmillon Platform: Main CAcert Website  
Assigned To: OS: N/A  
Priority: urgent OS Version: stable  
Status: new Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Reviewed by:
Test Instructions:
Summary: Cannot access main cacert website
Description: Using Firefox 63.0 on Manjaro Linux 18.0 (Kernel Linux 4.14.78-1-MANJARO) I can't access https://www.cacert.org/ website at all to fetch/update my certificates.

Error code is SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED
Tags:
Steps To Reproduce:
Additional Information:
System Description Production version of the CAcert website
Attached Files: screenshot.png (35,880 bytes) 2018-11-06 11:26
http://bugs.cacert.org/file_download.php?file_id=446&type=bug
Notes
(0005726)
L10N   
2019-01-03 13:17   
What happens, when you "Add Exception…"?
Can you add an exception?
(0005727)
pgmillon   
2019-01-03 13:30   
Hi,
No I can't add an exception.
(0005728)
pgmillon   
2019-01-03 13:31   
It looks like a combo: algorithm disabled and can't add exception because of HSTS.
(0005729)
L10N   
2019-01-03 13:42   
Have you already tried to replace the root certificate, as described here:
https://wiki.cacert.org/FAQ#New_Root_Certificates
(0005789)
pgmillon   
2019-04-04 09:52   
Re-importing the root certificate within Firefox solved the problem
https://wiki.cacert.org/FAQ?action=AttachFile&do=view&target=CAcert_chain_X0F_X0E.pem
(0005859)
alkas   
2020-01-14 15:00   
Chains, roots, bundles moved to https://wiki.cacert.org/FAQ/NewRoots
after 20190410
(0005860)
h_hucke   
2020-01-23 08:40   
I can't access the main site "https://www.cacert.org/" from Germany: "No route to host". "wiki.cacert.org", which is just a few steps away, is accessible. Possibly "bit.nl" has anti-DDoS measures in place?
(0005861)
egal   
2020-01-23 10:20   
There had been an issue on the server which hosts www.cacert.org.

It required a full power-down-cycle to get it running again (after we tried to reboot the server via software yesterday).

Some more details can be found at blog.cacert.org, a deeper root-cause-analysis will be done later the day and published there.

(Small note: This issue has nothing to do with certificate issues on www.cacert.org.)


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1475 [Main CAcert Website] minor always 2020-01-14 15:20 2020-01-14 15:20
Reporter: alkas Platform: Main CAcert Website  
Assigned To: OS: Linux  
Priority: normal OS Version: n/a  
Status: new Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Reviewed by:
Test Instructions: Linux; see description
Summary: cacert.org DNSSEC contains links to both old and the new roots
Description: If you use the "host -t TXT _url.root.g1._fp.cacert.org." command, referring to the old root, you'll get the link "http://www.cacert.org/certs/root.crt"; if you use the "host -t TXT _url.root_X0F.g1._fp.cacert.org." command, you'll get the link "http://www.cacert.org/certs/root_X0F.crt".
Possibly the link is forged from the command.(?)
Both the links are valid, e.g. you can download the old root or the new one.
Tags:
Steps To Reproduce: Linux, see description
Additional Information:
System Description Production version of the CAcert website
Attached Files:
There are no notes attached to this issue.


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1471 [CATS.cacert.org] User Interface major always 2019-10-17 09:51 2019-10-28 21:59
Reporter: koutras_g@yahoo.com Platform: Default  
Assigned To: Ted OS: any  
Priority: high OS Version: any  
Status: needs feedback Product Version: production  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Summary: https://cats.cacert.org Page error
Description: When I try to access the cats page I get the below error both on Firefox and Chrome (in incognito mode too).

Secure Connection Failed

An error occurred during a connection to cats.cacert.org. PR_END_OF_FILE_ERROR

Thanks,
George
Tags:
Steps To Reproduce: 1. Start the web browser
2. Go to: https://cats.cacert.org
Additional Information:
System Description Default profile.
Attached Files: 2019-10-17_11h50_58.png (29,787 bytes) 2019-10-17 09:51
http://bugs.cacert.org/file_download.php?file_id=469&type=bug
Notes
(0005855)
Ted   
2019-10-28 21:59   
Hmm, cats.cacert.org requests a client certificate when you try to connect. If you don't have a client certificate installed it may well be that this is the resulting error. Not really helpful, but sadly that's rather common in this area...

So, do you have a client certificate installed?


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1305 [Main CAcert Website] certificate issuing major always 2014-09-15 14:07 2019-09-26 18:28
Reporter: wytze Platform: Main CAcert Website  
Assigned To: Ted OS: N/A  
Priority: urgent OS Version: stable  
Status: needs review & testing Product Version: 2014 Q3  
Product Build: Resolution: fixed  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Reviewed by: dastrath, Ted
Test Instructions:
Summary: CAcert Class1 root certificate needs to be reissued with an updated CDP and a SHA-based signature
Description: The CAcert Class1 root certificate (THE CAcert root) is suffering from two operational problems:

1. The CDP (CRL Distribution Point) listed in the root cert is
        https://www.cacert.org/revoke.crl
But since we do not want to distribute the (huge) CRL through our main web server but rather through a specialized CRL server, the main web server is redirecting all requests for the above URL to http://crl.cacert.org. It turns out that some validation software, for example Microsoft's CryptoAPI, is unable to deal with such HTTP redirects, and reports a verification failure.

Also, the use of HTTPS in the CDP is *not* recommended, see RFC5280 http://tools.ietf.org/html/rfc5280, in the section Security Considerations:
   When certificates include a cRLDistributionPoints extension with an
   https URI or similar scheme, circular dependencies can be introduced.
   The relying party is forced to perform an additional path validation
   in order to obtain the CRL required to complete the initial path
   validation! Circular conditions can also be created with an https
   URI (or similar scheme) in the authorityInfoAccess or
   subjectInfoAccess extensions. At worst, this situation can create
   unresolvable dependencies.

So the CDP should be http://crl.cacert.org/revoke.crl.

2. The current root cert is signed with a MD5 hash. While from a security point of view, the quality of the hash algorithm used for such a trusted cert does not matter, from time to time rumours and sometimes even software appear which choke about this. A SHA-256 based signature would kill all such issues right away.

Tags: certificates
Steps To Reproduce: Issue 1 can be demonstrated with a command like this on a Windows 7 system:
     certutil -f -verify -urlfetch server.crt
for some CAcert Class3 issued server certificate. Output of the above command has been added as attachment to this bug entry.

Issue 2 is demonstrated somewhat by the currently open Bugzilla issue for Firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=1058812
Additional Information: The CAcert Class3 intermediate root certificate has been resigned in 2011 to deal with the MD5 issue (for this cert, being intermediate, it was truly a blocking problem). A similar procedure could be used to resign the CAcert Class1 root. This will likely be a much faster process than waiting for the results of the NRE (New Roots & Escrow) project.
System Description Production version of the CAcert website
Attached Files: crl-redirect-issue.log (5,274 bytes) 2014-09-15 14:07
http://bugs.cacert.org/file_download.php?file_id=380&type=bug
Global Sign.p7b (936 bytes) 2014-10-04 09:58
http://bugs.cacert.org/file_download.php?file_id=384&type=bug
diff-release-bug-1305 (25,355 bytes) 2018-10-31 13:03
http://bugs.cacert.org/file_download.php?file_id=437&type=bug
diff (6,678 bytes) 2018-11-16 15:53
http://bugs.cacert.org/file_download.php?file_id=450&type=bug
CAcert_Root_Certificates_X0F_X0E.msi (1,593,344 bytes) 2018-11-16 15:53
http://bugs.cacert.org/file_download.php?file_id=451&type=bug
CAcert_chain_X0F_X0E.pem (7,503 bytes) 2018-11-18 00:43
http://bugs.cacert.org/file_download.php?file_id=452&type=bug
cacert-bundle_X0F_X0E.crt (16,180 bytes) 2018-11-18 00:43
http://bugs.cacert.org/file_download.php?file_id=453&type=bug
Poznámka 2018-12-03 223514.jpg (57,342 bytes) 2018-12-03 21:36
http://bugs.cacert.org/file_download.php?file_id=454&type=bug
CAcert_Root_Certificates_X0F_X0E.zip (354,216 bytes) 2018-12-14 12:30
http://bugs.cacert.org/file_download.php?file_id=457&type=bug
cap_X0F_X0E.docx (56,714 bytes) 2018-12-14 12:30
http://bugs.cacert.org/file_download.php?file_id=458&type=bug
cap-blank_X0F_X0E.docx (56,816 bytes) 2018-12-14 12:30
http://bugs.cacert.org/file_download.php?file_id=459&type=bug
cap_X0F_X0E.pdf (677,261 bytes) 2018-12-14 12:47
http://bugs.cacert.org/file_download.php?file_id=460&type=bug
cap-blank_X0F_X0E.pdf (602,157 bytes) 2018-12-14 12:47
http://bugs.cacert.org/file_download.php?file_id=461&type=bug
Notes
(0005486)
felixd   
2015-11-25 23:53   
There exists a procedure now that will fix this problem:
https://github.com/CAcertOrg/cacert-procedures/tree/master/rootResignSHA256

It was executed on test data on the FrosCON.
The following Audit report documents this execution:
https://wiki.cacert.org/Audit/Results/session2015.4

Currently the resulting files (re-signed test certificate, intermediate files, etc.) are kept with Board, which should soon release them to the public.

Therefore we should soon (after enough review) be good to go for the real certificate.
(0005492)
felixd   
2015-12-14 21:58   
We noticed problems related to keeping the serial of the Certificate. We therefore need to adjust the serial number to circumvent "reused issuer and serial"-errors when the Browser has both certificates (i.e. one installed and the other via the SSL Handshake)

I therefore propose:
https://github.com/yellowant/cacert-procedures/commit/a73faf1dbd8d88ebc490bd182db8c4c9e0dccaf2
(0005495)
cilap   
2016-02-05 09:50   
the issue has more pressure in the meanwhile.

On Java and Eclipse I am getting:
svn: E175002: SSL handshake failed: 'java.security.cert.CertificateException: Certificates does not conform to algorithm constraints'

Since oracle has enforced the default handling of rejecting MD2 and MD5 certificates, any SSL connection on Ubuntu 14.04 is failing in combination with a Java VM.
Sadly the implementation is so stupid that all certificates are read in and added to the trust store during the first connection. And all certificates are checked, not only the ones which should be checked on the chain from the server cert up to the root.

Is there any plan on reissuing the root certificate with a SHA fingerprint and to get rid of MD5withRSA?

A workaround - but only working till next java update - is to change

vi /usr/lib/jvm/java-8-oracle/jre/lib/security/java.security

and to change to this:

#jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

#jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768
jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768

But from a security perspective this is not really nice, that CAcert is still running its root cert on an "obsoleted" algorithm.

Hope I could help some guys with my report and the workaround description
(0005512)
reinhardm   
2016-03-14 17:00   
Today I added the new roots into the browser.
I am running OpenSUSE and Firefox. The roots installed by a mouse click with no problems. I tried several logins where certificate login is required. All worked well.
I removed the old roots and made a login to https://bugs.cacert.org with no problems.
I will try further on different browsers and OS versions.
(0005542)
bjobjo   
2017-04-04 16:12   
Hello,
I increased the priority and severity.
Firefox is not accepting any more the Root Certificate, so we have to add an exception for every site that uses CA Cert Authority.

The ticket was opened in 2014 and we still don't have a new root cert.

The whole reputation of CAcert is in danger if the root certs are not secure.

Please do urgently fix this.
Current firefox message for example:

wiki.cacert.org uses an invalid security certificate. The certificate is not trusted because it was signed using a signature algorithm that was disabled because that algorithm is not secure. Error code: SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED
(0005586)
dops   
2018-04-18 21:37   
New signed roots are tested on multiple platforms, see here: https://lists.cacert.org/wws/arc/cacert-board/2018-04/msg00014.html
Some people reported to use the certificates for years without any problems.

Any person left in the software team is welcome to announce where people can continue working.
(0005628)
GuKKDevel   
2018-10-31 13:03   
a diff we started in Feb 2017 (Dirk, Aleš, and me)
(0005638)
Ted   
2018-11-01 22:53   
Golffies left a review at https://github.com/CAcertOrg/cacert-devel/pull/9#pullrequestreview-170861329
(0005660)
Ted   
2018-11-08 08:58   
Benedikt (who was internal Auditor in 2016) has confirmed that the following certificates are the correct ones:

Root:
Serial 0000015
finger print: 07ed bd82 4a49 88cf ef42 15da 20d4 8c2b 41d7 1529 d7c9 00f5 7092
6f27 7cc2 30c5
file:
http://svn.cacert.org/CAcert/SystemAdministration/signer/re-sign-2016/outputs/new1.txt

Class 3:
Serial 0000014
finger print: f687 3d70 d675 96c2 acba 3440 1e69 738b 5270 1dd6 ab06 b497 49bc
5515 0936 d544
file:
http://svn.cacert.org/CAcert/SystemAdministration/signer/re-sign-2016/outputs/new3.text
(0005663)
Ted   
2018-11-12 10:06   
Benedikt also confirms that from his Point of View the incident during the re-signing ceremony had no influence on the "trustworthyness" of the keys/certificates.

So, even if there were an Arbitration case about the details of the re-signing ceremony (I did not find one yet), I don't see any reason why the re-signed certificates should not be installed.
(0005665)
Ted   
2018-11-12 22:04   
As part of the review process I checked the differences between the "old" and the "new" root certificates:

1. Serial number: Old 0x0, New 0xf
2. Signature Algorithm: Old md5WithRSAEncryption, New: sha256WithRSAEncryption
3. X509v3 Authority Key Identifier: Old contains keyid, DirName and serial, New contains only keyid
4. X509v3 CRL Distribution Points: Old URI:https://www.cacert.org/revoke.crl, New URI:http://crl.cacert.org/revoke.crl
5. Netscape CA Revocation Url: Old https://www.cacert.org/revoke.crl, New URI:http://crl.cacert.org/revoke.crl
6. Authority Information Access: Old (not present), New OCSP - URI:http://ocsp.cacert.org
7. The signature obviously differs

Since there is no specification document about the intention of these changes I can only check for harmful side effects and guess about the intentions.

2. and 7. are obviously intended, these are direct consequences of using a different signing algorithm

1. Is a side effect of re-signing. Since RFC5280 requires that "[The serial number] MUST be unique for each certificate issued by a given CA" the serial number cannot be the same as in the old certificate. The exact value of the new serial number is not critical, as long as it remains unique.

4., 5. and 6. have probably been adjusted to the value which is included in currently issued "normal" certificates. Using http over https to retrieve the CRL makes more sense since the crl itself is signed.

I'm not sure about 3. https://tools.ietf.org/html/rfc5280#section-5.2.1 does not address using the issuer DN in the X509v3 Authority Key Identifier. Current versions of OpenSSL add it only "if the keyid option fails or is not included" (https://www.openssl.org/docs/man1.0.2/apps/x509v3_config.html), which is obviously not the case here.
So I guess the issuer DN in Authority Key Identifier is just not used anymore in current software.
(0005666)
Ted   
2018-11-13 22:54   
Wytze has provided a pointer to https://github.com/BenBE/cacert-procedures/blob/root-resign-sha256/rootResignSHA256/procedure.txt

While it does not explain the reasons, it makes clear that the observed changes are intentional.

An additional mail provided by Wytze plausibly explains the reasons of removing issuer and serial from X509v3 Authority Key Identifier. Specifically the serial number must be removed (or adjusted), since the new roots will have different serial numbers, so the serial in Authority Key Identifier would otherwise break the certificate chain.
(0005673)
alkas   
2018-11-15 19:21   
The difference between CAcert Class 3 Root #A418A and CAcert Class 3 Root #0E:

                                    #A418A                                  #0E
Serial number                       A418A                                   0E
Signature                           29:28:85:ae:44:a9:b9:af:a4...           5a:90:16:d0:36:23:56:64:95...
X509v3 Authority Key Identifier:
  keyid                             16:B5:32:1B:D4:C7:F3:E0:E6:8E:F3:BD:D2:B0:3A:EE:B2:39:18:D1   (same in both)
  DirName                           /O=Root CA                               ---
                                    /OU=http://www.cacert.org
                                    /CN=CA Cert Signing Authority
                                    /emailAddress=support@cacert.org
  serial                            00                                      ---

Thus, only #A418A contains the serial number of CAcert Class 1 Root #00.
If the Class 3 Root #0E is used, there is only the http link in the following attribute (identical in both Class 3 roots):
X509v3 Basic Constraints: critical
                CA:TRUE
            Authority Information Access:
                OCSP - URI:http://ocsp.CAcert.org/
                CA Issuers - URI:http://www.CAcert.org/ca.crt
(where the file ca.crt contains the Class 1 Root #00)

Now, if the Class 3 Root #0E is used, and the file ca.crt is replaced by Class 1 Root #0F (SHA256 signed),
the Class 3 Root is no more tied with the specific (#00) Class 1 Root.
I have tried this certificate chain on my local network with 2 Web servers, no problems.
The chain is: CAcert Class 1 Root #0F +--> CAcert Class 3 Root #0E --> any certificate issued by Class 3 Root
                                                                  +--> any certificate issued by Class 1 Root
Issued client/server certificates do not contain any serial # of signing root(s).

Does anybody know any objections against this concept?
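The serial-in-AKI problem described by Ted in note 0005666 and by alkas in the note above can be reproduced with plain openssl. The following is an added example, not a CAcert procedure and not the real roots: a constructed root key is self-signed twice (serial 0, then serial 15, i.e. 0x0f, echoing the old and the re-signed Class 1 root), and a constructed intermediate is issued by the old root once with an Authority Key Identifier carrying keyid, issuer DirName and serial (as in Class 3 Root #A418A) and once with keyid only (as in #0E). It assumes the openssl command line tool (1.1.1 or later, for the -ext option) and its default openssl.cnf are installed; all subjects, serials and file names are made up for the demo.

```shell
#!/bin/sh
# Added example (not a CAcert procedure, not the real roots): re-sign a root
# with the same key but a new serial and watch which intermediates still chain.
# Assumes the openssl CLI (1.1.1 or later) with its default openssl.cnf is
# installed. All names, serials and file names below are constructed.

demo_akid_resign() (
    set -e
    d=$(mktemp -d)
    cd "$d"

    cat > ext.cnf <<'EOF'
[root_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

# AKI with keyid plus issuer DirName and serial, as in Class 3 Root #A418A
[inter_tied]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer:always

# AKI with keyid only, as in Class 3 Root #0E
[inter_keyid]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

    # One root key, reused for the old and the re-signed root (same subject).
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out root.key 2>/dev/null
    openssl req -new -key root.key -subj "/O=Demo CA/CN=Demo Root" -out root.csr 2>/dev/null
    for serial in 0 15; do      # 0 = old root, 15 (0x0f) = re-signed root
        openssl x509 -req -in root.csr -signkey root.key -sha256 -days 3650 \
            -set_serial "$serial" -extfile ext.cnf -extensions root_ext \
            -out "root_$serial.pem" 2>/dev/null
    done

    # One intermediate key, certified by the OLD root in both AKI flavours.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out inter.key 2>/dev/null
    openssl req -new -key inter.key -subj "/O=Demo CA/CN=Demo Class 3" -out inter.csr 2>/dev/null
    for flavour in inter_tied inter_keyid; do
        openssl x509 -req -in inter.csr -CA root_0.pem -CAkey root.key -sha256 -days 1825 \
            -set_serial 1 -extfile ext.cnf -extensions "$flavour" -out "$flavour.pem" 2>/dev/null
        echo "== $flavour"
        openssl x509 -in "$flavour.pem" -noout -ext authorityKeyIdentifier
    done

    # Chain each intermediate to each root; the last line printed is the summary.
    summary=""
    for root in root_0 root_15; do
        for flavour in inter_tied inter_keyid; do
            if openssl verify -CAfile "$root.pem" "$flavour.pem" >/dev/null 2>&1; then
                summary="$summary $flavour/$root=ok"
            else
                summary="$summary $flavour/$root=FAIL"
            fi
        done
    done
    cd / && rm -rf "$d"
    echo "${summary# }"
)

demo_akid_resign
```

The summary line comes out as `inter_tied/root_0=ok inter_keyid/root_0=ok inter_tied/root_15=FAIL inter_keyid/root_15=ok`: the intermediate whose AKI pins serial 0 no longer chains to the re-signed root, while the keyid-only one does, because the subjectKeyIdentifier is a hash of the public key and the key did not change. The exact openssl error text for the failing case differs between versions, so the script only looks at the exit status of `openssl verify`.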
(0005675)
Ted   
2018-11-15 20:23   
Hi alkas,

you are completely right, and were just a little bit faster than me in documenting these facts. :-)

As I found out while digging through the documentation, this issue has already been noticed during the tests in 2016, it just was not documented here in the bugtracker, but in some external documents.

Since the issue has been tested in 2016, and the whole thing is quite plausible, once someone explains it to you :-), I don't consider it essential to redo all the tests.

Of course you are nevertheless welcome to replicate the tests and report the results here. But IMHO this is not blocking the continuation of the review.
(0005677)
Ted   
2018-11-15 22:14   
(Last edited: 2018-11-15 22:14)
I had a look at the code changes in the bug-1305 branch from GitHub, and I'd propose a few changes:

* Remove the Windows Installer file CAcert_Root_Certificates_256.msi and the section referring to it. See my mail to the development list for detailed reasons.
* Remove the sections of the "old versions". The history of the root keys is documented in the WiKi page https://wiki.cacert.org/Roots/StateOverview

Of course the WiKi page has to be updated once we roll out bug-1305.

(0005680)
GuKKDevel   
2018-11-16 15:53   
certificates were renamed to correspond to their version, new .msi-installer was added, page to download (pages/index/3.php) was changed to access the new certificates
(0005683)
alkas   
2018-11-18 00:43   
Two more formats:
(0005686)
Ted   
2018-11-19 22:54   
GuKKDevel: The fingerprints in the CAP and COAP forms have to be adjusted to the new root certs. See www/cap* and www/coap*

I'd propose to add a "(since 2019)" text beside the fingerprints, so people may get the idea that the change was intentional...

If you want to discuss this drop a message to the development list.
(0005687)
Ted   
2018-11-23 20:59   
Mental note: The updated certificates have to be installed on the signer machine also!
(0005688)
wytze   
2018-11-24 08:22   
With respect to note https://bugs.cacert.org/view.php?id=1305#c5687 :
I agree that for consistency the updated root certificates should also be installed on the signer machine, but please note that for the operation of the signer this does not make any difference. The certificates issued by the signer only depend on the ssl configuration files and the root private key; the root certificate has no influence on this. The practical consequence of this is that installation of the updated root certificates can be postponed (or advanced) to a convenient moment (i.e. the need for other maintenance on the signing server), and does not have to be coordinated with the publication/installation of the updated roots on the webdb server.
(0005690)
Ted   
2018-11-28 11:21   
GuKK: I merged your changes (only the cap*/coap*-Files) into the test-1260 branch which is installed on the testserver.

Now you can open the CAP forms in the testserver, and you'll see the next problem: The SHA256 checksums are considerably longer than the old MD5 ones.

So we'll probably need them on two lines. But then we have to make sure that the resulting form still fits one A4 / Letter page (at least when using the english form)... So, probably, you'll have to dig around a bit more... :-(
(0005691)
GuKKDevel   
2018-11-30 13:16   
worked on cap.php
split fingerprint line into two
form fits to A4 and letter

all other cap*/coap*-files: couldn't find a link to them so waiting for an answer from Wytze, who designed them.
(0005692)
wytze   
2018-12-02 08:10   
There appears to be a serious misunderstanding here ... I am *not* the author or designer of the cap/coap files. Inside for example capnew.php you can find a statement about the origin of these files:

/*
** Created from old cap.php 2003, which used the now obsoleted ftpdf package
** First created: 12 July 2008
** Last change: see Revision date
** Reviews:
** printed text by Ian Grigg and Teus Hagen (July 2008)
** layout/design by Teus Hagen and Johan Vromans (July 2008)
** coding by Teus Hagen and ...

Teus Hagen, former president of CAcert Inc. is the main author as far as I remember, but he is not involved anymore with CAcert. These files were meant as a replacement for the old forms, which are based on software which was already obsolete in 2008, and even more so in 2018. But nobody in software was ever prepared to spend some time to switch over to the new versions. So they are in the source tree, but not actually used.

There is no urgent need to update these files. If someone ever decides to switch over to them, adjusting the fingerprint text will be a minor effort.

By the way, I am kind of surprised that the fingerprint layout issue has been raised. There is no real need to display SHA256 fingerprints rather than SHA1 fingerprints for the new roots, the hash algo for the fingerprint does not need to match the hash algo of the certificate's signature (note that currently they also don't match: MD5 vs SHA1). Just updating the SHA1 fingerprints would have been fine I think.
(0005693)
Ted   
2018-12-03 20:25   
Hmm, I checked what I had in easy reach to find out which kind of fingerprint/checksum is shown by different software:
Windows 7: SHA1
Windows 10: SHA256
Firefox: SHA1 & SHA256

So, I guess it's OK to move to SHA256 only fingerprints on the CAP forms...
(0005694)
Ted   
2018-12-03 20:36   
GuKK: The PDF in letter format is quite full now... Is it easy to reduce the space above the upper box a bit (maybe by half), so there's a bit of reserve at the bottom? Some translations need more room than the English document...

And, when looking at the german PDF I noticed that at least the CCA agreement term is set in block, which does not look very nice here. It has probably been so forever, but, as above, if it is not much work please change this to ragged margin ("Flattersatz") while we are at it.

Once more, both of these are nice to have. I'd prefer to get the certs online without these changes in December to getting them online with the changes in January...
(0005695)
jandd   
2018-12-03 20:40   
openssl 1.1.0g x509 -fingerprint: SHA1
JDK 8 keytool -printcert: SHA1 & SHA256
gnutls 3.5.18 certtool --fingerprint: SHA1

I suggest to put both SHA1 and SHA256 fingerprints on the CAP forms
(0005698)
alkas   
2018-12-03 21:36   
AFAIK, Windows 10 shows SHA1 fingerprint, too - in system cert. viewer - mmc, module Certificates, select and open cert., view Details, at the end is Fingerprint.
(0005699)
GuKKDevel   
2018-12-07 12:27   
Ted: It is designed explicitly to place the two boxes "Applicant's Statement" and "CAcert Assurer" at exactly the positions where they are, we shouldn't change that.

The other point: if we make this line two for all languages there is no problem. Else I need to find out how to mask a space/blank or we have to change the pootle files for appending a space to one literal.
I tried some versions a whole day. (I think we should not implement this for the moment)
(0005700)
Ted   
2018-12-07 22:48   
As decided on today's meeting (https://wiki.cacert.org/Software/Meeting/20181207) we want to add SHA1 fingerprints.

The rest of the formatting issues is considered low priority.
(0005701)
GuKKDevel   
2018-12-10 13:13   
Ted: fingerprints are on the CAP form. Please check and if correct add to testserver.

https://github.com/CAcertOrg/cacert-devel/pull/19/commits/ca4e5f03eef4a8a174437fb065a967ce92dab847
(0005702)
Ted   
2018-12-12 19:38   
Current changes are installed on the testserver in branch test-1442.

I checked the german and the english PDF, both are OK, the SHA1 fingerprints match with what I get shown on Windows 7.

Now we need at least two test reports of other people (not the developer and the reviewers), so please test the CAP forms on https://test.cacert.org/index.php and leave reports!
(0005703)
bdmc   
2018-12-13 15:28   
Where do I find documented the appropriate fingerprints for the SHA-256 Root and Class 3 certificates? I would expect them to be noted in this "Bug" documentation, perhaps in the "Instructions for Testers," so that testers could confirm the values found on forms and other places.
(0005704)
bdmc   
2018-12-13 15:29   
I see on the US-English CAP Form that the address is "Oatley." Is this correct?
(0005705)
bdmc   
2018-12-13 15:31   
I see the following values on the CAP PDF.

SHA256: root: 07ED BD82 4A49 88CF EF42 15DA 20D4 8C2B 41D7 1529 D7C9 00F5 7092 6F27 7CC2 30C5
and class3: F687 3D70 D675 96C2 ACBA 3440 1E69 738B 5270 1DD6 AB06 B497 49BC 5515 0936 D544
(0005706)
kronenpj   
2018-12-13 21:57   
The SHA1 and SHA256 checksums are correctly represented in the CAP files, based on the certificates attached as https://bugs.cacert.org/file_download.php?file_id=452&type=bug and https://bugs.cacert.org/file_download.php?file_id=453&type=bug. I did not check the .msi file.
(0005707)
L10N   
2018-12-13 22:03   
I found this overview on the wiki:
https://wiki.cacert.org/Roots/StateOverview
(0005708)
L10N   
2018-12-13 22:59   
No, Oatley is outdated. The current address is:
Hangar 10 Airfield Avenue, Murwillumbah NSW 2484, New South Wales, (Commonwealth of) Australia
(0005709)
GuKKDevel   
2018-12-14 11:39   
Changed the address of CAcert Inc. and changed the sha1-fingerprints presentation from 2-char plus colons to 4-chars plus space.
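For the fingerprint discussion in notes 0005690 through 0005709 (SHA-256 fingerprints being longer than MD5 ones, the hash used for the fingerprint being independent of the hash in the certificate's signature, and the change from 2-char-plus-colon to 4-char-plus-space presentation), here is an added shell example; it is not code from the CAcert forms or code base. It assumes the openssl command line tool is on PATH, the certificate it fingerprints is a constructed self-signed one rather than a CAcert root, and the helper names (fp_norm, fp_cap, cert_fp, cert_sigalg, check_fp, make_demo_cert) are mine.

```shell
#!/bin/sh
# Added example (not from the CAcert code base): compute a certificate's SHA-1
# and SHA-256 fingerprints, render them in the openssl layout (colon-separated
# pairs) and the CAP-form layout (groups of four), and compare a fingerprint
# typed from a form with the downloaded certificate regardless of case and
# separators. Assumes the openssl CLI is on PATH; the certificate is constructed.

# Normalise any human-written fingerprint to lower-case hex without separators.
fp_norm() {
    printf '%s' "$1" | tr -d ' :\n\t' | tr 'A-F' 'a-f'
}

# Render a fingerprint as upper-case groups of four hex digits ("DDFC DA54 ...").
fp_cap() {
    fp_norm "$1" | tr 'a-f' 'A-F' | sed 's/\(....\)/\1 /g; s/ $//'
}

# Fingerprint = digest over the DER encoding of the certificate, NOT over the
# PEM text. $1 = PEM file, $2 = digest name (sha1, sha256, md5).
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint "-$2" | cut -d= -f2
}

# Digest used in the certificate's own signature (e.g. sha256WithRSAEncryption);
# it has nothing to do with which digest is used for the fingerprint.
cert_sigalg() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Returns 0 if the fingerprint written on the form matches the certificate.
# $1 = PEM file, $2 = digest, $3 = fingerprint as written on the form.
check_fp() {
    [ "$(fp_norm "$(cert_fp "$1" "$2")")" = "$(fp_norm "$3")" ]
}

# Constructed self-signed certificate for the demo (no CAcert key involved).
make_demo_cert() {   # $1 = output PEM path
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/O=Demo/CN=Fingerprint demo" -keyout /dev/null -out "$1" 2>/dev/null
}

# Print both fingerprints in both layouts and cross-check them; non-zero on failure.
demo_fingerprints() (
    set -e
    d=$(mktemp -d)
    make_demo_cert "$d/demo.pem"
    echo "signature algorithm: $(cert_sigalg "$d/demo.pem")"
    for digest in sha1 sha256; do
        raw=$(cert_fp "$d/demo.pem" "$digest")
        echo "$digest (openssl layout):  $raw"
        echo "$digest (CAP form layout): $(fp_cap "$raw")"
        # The CAP-style rendering must still match the certificate ...
        check_fp "$d/demo.pem" "$digest" "$(fp_cap "$raw")"
    done
    # ... and a SHA-1 fingerprint must never be accepted where SHA-256 is expected.
    if check_fp "$d/demo.pem" sha256 "$(cert_fp "$d/demo.pem" sha1)"; then exit 1; fi
    rm -rf "$d"
)

demo_fingerprints
```

`check_fp cert.pem sha256 "07ED BD82 ..."` is the check a tester would run against the SHA-256 fingerprint printed on a CAP form, and `check_fp cert.pem sha1 "DD:FC:DA:54:..."` against the SHA-1 one shown by Windows 7 or `openssl x509 -fingerprint`; both work on the same certificate because the fingerprint digest is chosen by the viewer, while `cert_sigalg` reports the digest the issuer used in the signature.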
(0005710)
alkas   
2018-12-14 12:30   
The new version of CAcert root certificates (zipped) and Czech new versions of CAPs. Please have a look.
(0005711)
alkas   
2018-12-14 12:47   
PDF versions:
(0005712)
L10N   
2018-12-14 13:11   
I tested CAcert_Root_Certificates_X0F_X0E.zip
- on Windows 10 Pro, version 1803: unzip, start, there was a warning with a button to abort; I clicked on "more information" to see another button to proceed anyway, which I did. Then I uninstalled the root certs. It finished with an error message "Error." and two buttons: Yes, No. I clicked on Yes, closed the installer.
I restarted the installer. As there were no more CAcert root certs installed, a window asked me to accept the root distribution license. I did, installation was successful.

- on Windows 7 Starter 6.1 version 7601: Start the installer, security warning, accept license, install process with a window telling me information about the cert being installed. Clicked OK. Installation was successful.
(0005713)
L10N   
2018-12-14 14:39   
Aleš wrote (by mail): "It’s better to install the roots as anybody with the Administrator’s rights, The Yes-No dialog then will not appear, I guess."

As I have no admin rights on my employer's PC, I cannot re-test it this way.
(0005715)
Ted   
2018-12-16 21:40   
New changes are installed on the testserver: Corrected CAcert postal address and format of fingerprints in the CAP forms
(0005738)
bdmc   
2019-01-18 21:13   
Just examined the test server, and the current version appears correct.

The certificate SHA-256 fingerprints on Page 3, and all four CAP forms, agree in format and content.

The certificate downloaded also appears correct, with the correct serial number and SHA256.

The four CAP forms have the correct mailing address.
(0005740)
alkas   
2019-01-21 16:08   
The Wiki pages /CapHTML and /CoapHTML contain both old signatures and CAcert's "classical post" address in Australia.
(0005741)
L10N   
2019-01-21 22:16   
The Wiki page /CapHTML is updated as follows:
- old Oatley postal address replaced by Murwillumbah address
- new sha256 signed fingerprints added (old ones remaining, as form is already online, to be removed after certificate roll out)

The Wiki page /CoapHTML is updated as follows:
- very old Denistone East postal address replaced by Murwillumbah address
- new sha256 signed fingerprints added (old ones remaining, as form is already online, to be removed after certificate roll out)

Fingerprints added to both forms:
class 1: DDFC DA54 1E75 77AD DCA8 7E88 27A9 8A50 6032 52A5
class 3: A7C4 8FBE 6B02 6DBD 0EC1 B465 B88D D813 EE1D EFA0
(0005770)
Ted   
2019-02-14 20:43   
merged updated release branch into bug-1305
(0005771)
Ted   
2019-02-14 21:23   
(Last edited: 2019-02-14 21:24)
Karl-Heinz, can you add the SHA1-fingerprints to pages/index/3.php and set CAcert's correct postal address in
www/cap.html.php
www/capnew.php
www/coap.html.php
www/coapnew.php

Though I don't know exactly when these pages are used, we should not have documents with the outdated postal address on the main server.

The c(o)ap* files also miss the SHA1 fingerprint. I'd propose to add them while you are already at it. But that's less important at the moment, if problems (for example with formatting) should occur please just add a note here and concentrate on more important things.

(0005780)
bdmc   
2019-03-08 01:24   
I have updated the address in all of the above four files.

However, they also appear to contain the SHA1 fingerprints already. Perhaps someone else did that.
(0005781)
Ted   
2019-03-12 22:51   
Changes are merged into test-1442 branch and installed on https://test.cacert.org
(0005782)
Ted   
2019-03-17 22:28   
Brian, in pages/index/3.php the sha1 checksum is still missing. Can you add it?
(0005783)
bdmc   
2019-03-19 18:23   
Done and checked in.
(0005784)
Ted   
2019-03-31 13:31   
(Last edited: 2019-03-31 13:37)
Brian pointed me to the GPG signed message on the key download page (pages/index/3.php), which still uses the old fingerprints.

Since at the moment I don't know who may create a new message of this kind (access to the signer machine would probably be needed!) I asked Brian to remove the message from the page.
If we find a way to create a GPG message with the new fingerprints (now or later) it would make sense to add it once more.

The second GPG message is, more or less, a "self signature of the GPG key". While IMHO this is not really useful, does not hurt, so I'd keep it.

(0005785)
bdmc   
2019-03-31 14:33   
In one of my versions of my "fix," I had removed that heading, but in the final one I had put it back.

It is now moved to within the "commented out section," and a comment has been added, trying to explain what we did.

All checked in.
(0005786)
Ted   
2019-03-31 15:07   
Great! I'll have a look at it during the next hours...
(0005787)
Ted   
2019-03-31 18:37   
Reviewed commit da4c71a246b80f399f3a12823ac03fa8c40f42bb versus current release commit 8ab79aad9fd3685129060854340dccd5dbf01a1d

Though some formatting problems remain, especially in www/capnew.php, the review is PASSED.
(0005788)
wytze   
2019-04-01 12:46   
With respect to https://bugs.cacert.org/view.php?id=1305#c5784:

The procedure for generating these GPG signatures is documented in https://bugs.cacert.org/view.php?id=1254

The script mentioned there was left on the signer after its execution on Nov 11, 2014, and could be run again after installing re-signed certs on the signer. Obviously this does require a visit to the signer machine by two critical system administrators and one access engineer.
(0005790)
egal   
2019-04-05 20:39   
There are some format issues (especially in www/capnew.php), but as this CAP form is (normally) not in use, the review is PASSED.

PGP/GnuPG-signatures are currently commented out, but can be added at a later time (as this requires a visit of the signer, can be done together with another bug).
(0005792)
Ted   
2019-04-07 12:43   
Sent patch request to critical team, but without CAcert_Root_Certificates_X0F_X0E.msi, since I don't know how I should review that...
(0005793)
wytze   
2019-04-10 10:19   
The patches have been installed on the production server on April 10, 2019, including the re-signed root certificates.
See also the log message sent to the cacert-systemlog mailing list here: https://lists.cacert.org/wws/arc/cacert-systemlog/2019-04/msg00002.html
(0005794)
wytze   
2019-04-10 10:21   
See note https://bugs.cacert.org/view.php?id=1305#c5793
(0005795)
wytze   
2019-04-10 10:30   
One thing to note: since the patch has added the re-signed root certificates with new names to the system and left the old root certificates in place under their original names, it is still possible that users and applications retrieve the old root certificates. And observing the Apache2 access log, this is indeed the case -- clearly there are some applications which have these names/paths built in. They will not benefit from this patch.
To tackle this problem, one could consider changing the old certificates to copies of their new counterparts, so users and applications will retrieve the new version irrespective of the name/path used.
(0005796)
Ted   
2019-04-10 18:54   
According to Wytze's note I re-open this case to create a follow-up patch.
(0005797)
Ted   
2019-04-10 19:03   
(Last edited: 2019-04-10 19:04)
Probably the easiest solution will be to rename the old certificate files to something else (like root_X00.* and class3_XA418A.*) and copy the new files to the old names also. So in the future we'll use root.* and class3.* for the "current" certificates, and in addition make the whole history of certificates available using the names with attached serial numbers.

(0005798)
bdmc   
2019-04-11 00:05   
As discussed above, I have renamed the old certificate files to include their Serial Numbers in the file name.

I have also copied the current, latest, certificate files to "root.crt" and "class3.crt" to allow for systems that do not properly follow the URI.
(0005799)
bdmc   
2019-04-11 00:06   
Changed and checked in as per your notes.
(0005800)
alkas   
2019-04-11 17:27   
I had CAcert issue a new certificate yesterday evening. I received the following e-mail then, containing two fingerprints of CAcert root(s?).
The first fingerprint belongs to an unknown certificate, and the second fingerprint belongs to the old Class 1 root.
I guess that should be corrected.
----
Hi Aleš,

You can collect your certificate for alkas@volny.cz by going to the following location:

https://www.cacert.org/account.php?id=6&cert=645849

If you have not imported CAcert's root certificate, please go to:
https://www.cacert.org/index.php?id=3
Root cert fingerprint = A6:1B:37:5E:39:0D:9C:36:54:EE:BD:20:31:46:1F:6B
Root cert fingerprint = 135C EC36 F49C B8E9 3B1A B270 CD80 8846 76CE 8F33

Best regards
CAcert.org Support!
(0005801)
wytze   
2019-04-12 08:57   
With respect to https://bugs.cacert.org/view.php?id=1305#c5800 :
- the first fingerprint shown is the MD5 fingerprint of the "old" root certificate
- the second fingerprint shown is the SHA1 fingerprint of the "old" root certificate
- clearly these messages should be replaced by:
  SHA256 fingerprint: 07ED BD82 4A49 88CF EF42 15DA 20D4 8C2B 41D7 1529 D7C9 00F5 7092 6F27 7CC2 30C5
  SHA1 fingerprint: DDFC DA54 1E75 77AD DCA8 7E88 27A9 8A50 6032 52A5
- the affected source file is CommModule/client.pl
(0005802)
bdmc   
2019-04-12 16:16   
client.pl has been corrected and checked in.
(0005803)
Ted   
2019-04-15 19:52   
(Last edited: 2019-04-15 19:53)
A grep for the old fingerprints returns more hits in files www/ttp.php, pages/index/3.php and pages/index/16.php. 3.php and 16.php include the fingerprint also in a PGP signed message, which should be commented out completely...

(0005804)
bdmc   
2019-04-26 14:08   
There is a reference in 16.php to 17.php, which is intended to install the Microsoft Certificate.

Should this be removed?
(0005805)
bdmc   
2019-04-26 14:25   
Files ttp.php and 16.php have been corrected and checked in.

The reference found in 3.php is inside the commented out message about the GPG signature.
(0005809)
Ted   
2019-05-14 20:17   
The fixes of bug-1305 branch have been merged into the (old) testserver. Please try and check if the reported problems of wytze and alkas (and myself) are fixed, and report here!
(0005810)
alkas   
2019-05-25 21:03   
The old fingerprints are still in letters like this:
--------------------------------------
Hi <user>,

You can collect your certificate for <user-email> by going to the following location:

https://www.cacert.org/account.php?id=15&cert=797035

If you have not imported CAcert's root certificate, please go to:
https://www.cacert.org/index.php?id=3
Root cert fingerprint = A6:1B:37:5E:39:0D:9C:36:54:EE:BD:20:31:46:1F:6B
Root cert fingerprint = 135C EC36 F49C B8E9 3B1A B270 CD80 8846 76CE 8F33

Best regards
CAcert.org Support!
(0005811)
L10N   
2019-05-26 18:18   
Where is the text of this e-mail stored?
(0005812)
GuKKDevel   
2019-05-27 08:29   
Message comes from -> CommModule/client.pl
(0005813)
GuKKDevel   
2019-05-27 08:55   
should be correct see https://github.com/CAcertOrg/cacert-devel/blob/bug-1305/CommModule/client.pl
(0005814)
bdmc   
2019-05-31 04:40   
client.pl should have been corrected in the April 12th check-in.
(0005815)
Ted   
2019-07-04 23:05   
After some hassle, the (old) testserver is now running the modified client.pl

I created one certificate, and the mail (on mgr.test.cacert.org:14843) contained the new checksums. It looked acceptable, though not really nice...

Any other test reports?
(0005845)
Ted   
2019-09-26 18:28   
I updated https://wiki.cacert.org/Roots/StateOverview to match the current status...
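The notes above turn on two small tasks: telling which algorithm a quoted fingerprint belongs to (note 5801 identifies the two lines of the collection mail as MD5 and SHA1 of the old root) and grepping the sources for stale fingerprints (note 5803), where a grep for one spelling misses the colon-separated, space-grouped or bare-hex variants of the same digest. The following Python is an added example, not CAcert's code (client.pl and the PHP pages are the project's own); it uses only the standard library, and SAMPLE_PEM is a constructed placeholder whose base64 body is arbitrary bytes, not a real certificate. Replace it with a downloaded root.crt to check that download against the published SHA256 fingerprint.

```python
import base64
import hashlib
import re

# Constructed stand-in for a certificate: the base64 body is arbitrary bytes,
# NOT real DER. For a real check, read the downloaded root.crt instead.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(b"placeholder DER bytes, constructed for this example").decode()
    + "-----END CERTIFICATE-----\n"
)

# Fingerprints quoted in the notes above: the "old" Class 1 root, in the two
# spellings the collection mail used (MD5 colon-separated, SHA1 in groups of 4).
OLD_MD5 = "A6:1B:37:5E:39:0D:9C:36:54:EE:BD:20:31:46:1F:6B"
OLD_SHA1 = "135C EC36 F49C B8E9 3B1A B270 CD80 8846 76CE 8F33"

HEX_LEN_TO_ALGO = {32: "md5", 40: "sha1", 64: "sha256"}


def normalize(fp: str) -> str:
    """Drop separators and upper-case, so colon, grouped and bare spellings
    of the same fingerprint compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def classify(fp: str) -> str:
    """Name the digest algorithm from the hex length (the way note 5801
    identified the two mail lines as MD5 and SHA1)."""
    algo = HEX_LEN_TO_ALGO.get(len(normalize(fp)))
    if algo is None:
        raise ValueError(f"not an MD5/SHA1/SHA256 fingerprint: {fp!r}")
    return algo


def pem_to_der(pem: str) -> bytes:
    """Extract and base64-decode the first CERTIFICATE block."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprints(pem: str) -> dict:
    """Hash the DER encoding (what browsers and `openssl x509 -fingerprint`
    show) and format each digest in CAcert's style for that algorithm."""
    der = pem_to_der(pem)

    def hexdigest(name: str) -> str:
        return hashlib.new(name, der).hexdigest().upper()

    md5, sha1, sha256 = hexdigest("md5"), hexdigest("sha1"), hexdigest("sha256")
    return {
        "md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
        "sha1": " ".join(sha1[i:i + 4] for i in range(0, 40, 4)),
        "sha256": " ".join(sha256[i:i + 4] for i in range(0, 64, 4)),
    }


def matches(pem: str, expected: str) -> bool:
    """The check a user should do after downloading root.crt: the digest
    under the algorithm implied by `expected` must equal it."""
    return normalize(fingerprints(pem)[classify(expected)]) == normalize(expected)


def find_stale_fingerprints(text: str, stale: list) -> list:
    """Return the algorithm names of the `stale` fingerprints that occur in
    `text`, whatever separators the file used between hex pairs."""
    hits = []
    for fp in stale:
        digits = normalize(fp)
        pairs = (re.escape(digits[i:i + 2]) for i in range(0, len(digits), 2))
        if re.search(r"[\s:]*".join(pairs), text, re.I):
            hits.append(classify(fp))
    return hits
```

Pointing find_stale_fingerprints() at the contents of CommModule/client.pl, www/ttp.php or pages/index/16.php with the two OLD_* constants reports which old digests are still embedded there; matches() is the client-side counterpart of the fingerprint lines on index.php?id=3.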


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1468 [Infrastructure] general major always 2019-09-26 09:32 2019-09-26 10:39
Reporter: drtjstone Platform: Main CAcert Website  
Assigned To: egal OS: N/A  
Priority: normal OS Version: stable  
Status: new Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Summary: Getting SSL_ERROR_HANDSHAKE_FAILURE_ALERT on Firefox and other certificate problems
Description: See attached screenshot from logging into main site.
Tags: browser, server certificates
Steps To Reproduce: Logging into the main site or https://cats.cacert.org/
Additional Information:
System Description Production version of the CAcert website
Attached Files: Screenshot 2019-09-26 at 10.20.09.pdf (290,916 bytes) 2019-09-26 09:32
http://bugs.cacert.org/file_download.php?file_id=468&type=bug
Notes
(0005844)
jandd   
2019-09-26 10:28   
@dirk could you check the certificate chain for the blog container's Apache httpd? Maybe it still has the old intermediate/class3 and root/class1 certificates.


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1467 [Main CAcert Website] certificate issuing major always 2019-09-19 19:54 2019-09-20 17:46
Reporter: tim.devries Platform: Default  
Assigned To: OS: any  
Priority: urgent OS Version: any  
Status: new Product Version: 2015 Q3  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Reviewed by:
Test Instructions:
Summary: Code signing cert access not showing within website.
Description: Background: I have 100 points from several years ago. I’ve filled out the request to get it enabled. No response.

Is anyone needed to look after this? I can devote time to it.
Tags:
Steps To Reproduce: Login under my username/password.
Additional Information: Please email for credentials to confirm, if allowed/necessary.
System Description Default profile.
Attached Files:
Notes
(0005838)
Ted   
2019-09-20 17:46   
Part of the current problem is that support is seriously understaffed.

Sadly this cannot be easily remedied, since support staff members need some additional requisites (a background check), which takes several months to complete if enough Arbitrators are available to do the job.

I'll try to push your application by personal contact, but cannot promise anything...


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1430 [Main CAcert Website] block always 2017-12-07 11:06 2019-09-10 21:35
Reporter: HansMaulwurf Platform:  
Assigned To: Ted OS:  
Priority: normal OS Version:  
Status: solved? Product Version:  
Product Build: Resolution: fixed  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Reviewed by: Ted
Test Instructions:
Summary: e-mail verification fails on TLS1.2 only mx severs.
Description: When you add a new email address to your profile, the verification will fail on secure mail servers, because the outgoing CAcert mail server can't handle TLS 1.2-only servers.
Tags:
Steps To Reproduce: 1. add an new email address to your profile
2. the verification process fails.
Additional Information: Here the log of an example mx server:
Dec 7 11:56:41 system postfix/smtpd[14310]: connect from tverify.cacert.org[2001:7b8:3:9c::247]
Dec 7 11:56:43 system postfix/smtpd[14310]: SSL_accept error from tverify.cacert.org[2001:7b8:3:9c::247]: -1
Dec 7 11:56:43 system postfix/smtpd[14310]: warning: TLS library problem: 14310:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
Dec 7 11:56:44 system postfix/smtpd[14310]: lost connection after STARTTLS from tverify.cacert.org[2001:7b8:3:9c::247]
Dec 7 11:56:44 system postfix/smtpd[14310]: disconnect from tverify.cacert.org[2001:7b8:3:9c::247]
Attached Files:
Notes
(0005564)
jandd   
2017-12-07 12:13   
tverify is an alias of http://wiki.cacert.org/SystemAdministration/Systems/Webdb
(0005565)
egal   
2017-12-07 12:31   
The support of TLSv1.1 is mandatory according to HIPAA guidance.

(Nevertheless we should be able to send mails to TLS 1.2-Mailservers ... I'll run some tests to my own mailserver).

Many thanks for giving this information ... I'll pass this to support for cases, where the ping-mail wasn't received ...
(0005566)
wytze   
2017-12-09 08:56   
There are two steps in verifying a new e-mail address supplied by a user.
The first step is carried out by the CAcert application itself, by setting up a connection to the required mail server (see the checkEmail function in includes/general.php).
The second step is done by actually sending an e-mail through the Postfix mail server running on the webdb server.
In this particular case, the second step is never reached because the first step fails.
I am suspecting that the failure of the first step may be due to running a fairly old version of PHP (5.4.45) on the webdb server. When we upgrade the webdb server to the current Debian oldstable release, PHP will be upgraded to 5.6.X, which *might* resolve this issue.
This Debian release upgrade needs to be done some time soon, but it will also be the last possible Debian release upgrade without a serious rewrite of the CAcert application -- that application is barely suitable for running on PHP 5.6, but nothing more recent.
(0005567)
wytze   
2017-12-09 09:00   
By the way, the connect from tverify.cacert.org is due to the lack of configurability of the CAcert application code -- the PHP code does not support specifying the IPv4 or IPv6 address from which this outgoing connection is made, it simply picks one of the available ones :-(
The Postfix server is more well-behaved, it can be and is configured to use the www.cacert.org IPv4/IPv6 addresses.
(0005603)
wytze   
2018-06-20 14:51   
With PHP 5.6.33 present on the current CAcert servers, this issue can be fixed with the following patch:

diff --git a/includes/general.php b/includes/general.php
index 902623a..d1431bc 100644
--- a/includes/general.php
+++ b/includes/general.php
@@ -768,7 +768,7 @@
                                }

                                $transcript .= "- Establishing encrypted connection\n";
- stream_socket_enable_crypto($fp, true, STREAM_CRYPTO_METHOD_TLS_CLIENT);
+ stream_socket_enable_crypto($fp, true, STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT|STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT|STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT);

                                $transcript .= "! C->S: EHLO www.cacert.org\n";
                                fputs($fp, "EHLO www.cacert.org\r\n");
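Review bot: the `+` line still discards the return value of stream_socket_enable_crypto(), so when the negotiation fails (the case this bug is about) the code falls straight through to `fputs($fp, "EHLO www.cacert.org\r\n");` on the unencrypted stream and the transcript only ever records "- Establishing encrypted connection". Capture the result and log it, e.g. `$ok = stream_socket_enable_crypto($fp, true, STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT|STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT|STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT);` followed by `$transcript .= $ok ? "- TLS established\n" : "! TLS negotiation failed\n";`, so a failing MX shows up on the CAcert side instead of only in the remote Postfix log quoted in the report. Also add a comment on why the explicit TLSv1_0|TLSv1_1|TLSv1_2 mask replaces STREAM_CRYPTO_METHOD_TLS_CLIENT: the list is fixed, so it keeps TLSv1.0 and 1.1 enabled permanently and will not pick up any newer TLS version the PHP build supports later.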

This has been verified with a test on test.cacert.org, adding a new mail address for a mail server which was configured to only support TLSv1.2. Without the code change shown above, the connection would fail; after adding the code change, the connection succeeded and the e-mail address could be added.
(0005604)
wytze   
2018-06-20 14:52   
diff --git a/includes/general.php b/includes/general.php
index 902623a..d1431bc 100644
--- a/includes/general.php
+++ b/includes/general.php
@@ -768,7 +768,7 @@
                                }

                                $transcript .= "- Establishing encrypted connection\n";
- stream_socket_enable_crypto($fp, true, STREAM_CRYPTO_METHOD_TLS_CLIENT);
+ stream_socket_enable_crypto($fp, true, STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT|STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT|STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT);

                                $transcript .= "! C->S: EHLO www.cacert.org\n";
                                fputs($fp, "EHLO www.cacert.org\r\n");
(0005605)
wytze   
2018-06-20 14:58   
Please test the fix installed on test.cacert.org against another mail server which is configured for TLSv1.2 only
and report the result here.
Please review the code change, which is based on information in https://secure.php.net/manual/en/function.stream-socket-enable-crypto.php .
(0005614)
Ted   
2018-10-22 20:25   
(Last edited: 2018-10-22 20:27)
Since we currently cannot push commits from the testserver I created the "usual" branch bug-1430 with Wytze's proposed changes on git.cacert.org and Github.

This branch has been merged into the testserver branch, which in turn was pulled to the testserver. So now the testserver looks like before (including Wytze's changes), but Git is clean. Or at least I hope so. :-)

So once testing and review is finished bug-1430 can easily be merged into the release branch.

(0005619)
Ted   
2018-10-29 19:50   
The change is so small I cannot find anything to comment...

The review is PASSED
(0005681)
egal   
2018-11-16 18:37   
I tested it in my own environment to my mailserver, and it worked.

There are no real code changes, only a parameter change for one command, so mails can be sent to mail servers using TLS 1.2 or TLS 1.1 only.

Therefore: Review is passed from my side, too.
(0005682)
egal   
2018-11-16 18:39   
This change can be implemented on the production server.
(0005767)
Ted   
2019-02-13 19:38   
Patch sent with change request to critical admins.

Waiting for confirmation before merging the bug-branch into release...
(0005768)
wytze   
2019-02-14 10:43   
The fix has been installed on the production server on February 14, 2019. See also https://lists.cacert.org/wws/arc/cacert-systemlog/2019-02/msg00002.html
(0005769)
Ted   
2019-02-14 20:38   
Branch merged into release branch.


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1427 [Main CAcert Website] certificate issuing major always 2017-06-19 22:05 2019-09-10 21:33
Reporter: ntiemare0 Platform: Main CAcert Website  
Assigned To: OS: N/A  
Priority: normal OS Version: stable  
Status: new Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Reviewed by:
Test Instructions:
Summary: Unable to obtain certificate through API/CCSR.php
Description: I have been trying to automate the issuing of my CA certs, using the api found at cacert.org/api/ccsr.php

I'm creating the CSR and requesting the cert through PHP and cURL, passing the information through POST. But instead of returning the certificate, it responds with "404,Your certificate request has failed. ID:" and when I check my CA listing page, it lists a "pending" cert with no serial.

I've double and triple checked everything, but can't seem to get it to work.
Tags: api Client Certs
Steps To Reproduce: following the parameters at https://wiki.cacert.org/Software/CertApi, submit an HTTP request for a CA Cert. see attached file for used php code.
Additional Information:
System Description Production version of the CAcert website
Attached Files: auto_cert.php (1,438 bytes) 2017-06-19 22:05
http://bugs.cacert.org/file_download.php?file_id=420&type=bug
There are no notes attached to this issue.


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1460 [Main CAcert Website] account administration minor always 2019-02-27 21:00 2019-02-28 10:36
Reporter: Ted Platform:  
Assigned To: Ted OS:  
Priority: normal OS Version:  
Status: new Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Reviewed by:
Test Instructions:
Summary: Show mailserver error when creating new account
Description: When creating a new account, and the check of the mail address fails because the mail server does not accept the address, currently only "Failed to make a connection to the mail server" is shown as error message.

Showing the reason why the mailserver rejected the address would help in support to give some advise to the potential new member.

Until 0001288 the error line of the mail server was shown if the check failed in the last "RCPT TO..." step. The commit 86c04b83870dc547fdcef25f91b1bc3b1de53619, which effectively removed the message, looks like this may have been accidental due to copy/paste procedures.

The easiest solution of this issue would be to remove the lines 624 to 627 in the commit above. But when tackling this issue, maybe the error reporting could be improved in more situations...
Tags:
Steps To Reproduce: Try to create an account for an existing domain but a non-existing account. The system reports "Failed to make a connection to the mail server" but should mention something like "550 Requested action not taken: mailbox unavailable".
Additional Information:
Attached Files:
There are no notes attached to this issue.


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1457 [bugs.cacert.org] misc minor always 2019-01-27 14:46 2019-02-25 22:07
Reporter: Ted Platform:  
Assigned To: egal OS:  
Priority: normal OS Version:  
Status: new Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Summary: Please increase session timeout on bugs.cacert.org
Description: Hi, could the session timeout on bugs.cacert.org be increased? It looks like it is currently something around 15 or maybe 30 minutes.

It is very frustrating when I try to write a comment, looking up some things to make sure I don't tell bullshit, just to have to start all over again because of a session timeout message.

I'd ask for an absolute minimum of 1 hour for the timeout, but preferable it should be 4 or even 8 hours.
Tags:
Steps To Reproduce:
Additional Information:
Attached Files:
Notes
(0005756)
jandd   
2019-01-27 15:52   
Hello Dirk, I do not know Mantis well enough to help here. Do you know how to increase the session timeout?
(0005759)
wytze   
2019-01-30 07:58   
This is an annoyance indeed. What happens to me fairly often is that I open a particular bug page in my browser, leave it there for a couple of hours while looking into the actual problem (and possibly get distracted by other stuff), then return to the open page and add a comment -- which fails due to the timeout, and all data entered is lost :-(
Even with a much longer timeout one might run into this trap, the safest solution is to refresh the page in the browser before entering new data. But it's easy to forget ...
(0005762)
egal   
2019-02-01 15:38   
I just changed the timeout variable for Mantis from 5 minutes to 30 minutes. Please verify if the timeout is now extended ... we should then find a consensus between security and comfort ...
(0005773)
Ted   
2019-02-14 22:26   
Test, last action was 22:50
(0005779)
Ted   
2019-02-25 22:07   
I just found out that the default refresh time seems to be set to 30 minutes. So, maybe setting the timeout to 35 minutes will prevent most of the inconveniences? At least I just set my refresh timeout to 10 minutes, so I should already be on the safe side... :-)

BTW, what is the attack scenario which is prevented by a short timeout? It's hard to judge "security" without knowing what may happen...


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1459 [Main CAcert Website] my account major always 2019-02-22 11:37 2019-02-25 21:33
Reporter: wytze Platform: Default  
Assigned To: GuKKDevel OS: any  
Priority: immediate OS Version: any  
Status: fix available Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Reviewed by:
Test Instructions:
Summary: e-mail verification fails for many addresses since upgrade from PHP 5.5 to PHP 5.6
Description: e-mail verification fails for many e-mail addresses since the upgrade of PHP 5.5 to PHP 5.6 on the CAcert main webserver.
This is due to the fact that PHP 5.6 has introduced a new parameter for setting up TLS/SSL connections, verify_peer_name, which is set to TRUE by default:

http://php.net/manual/en/context.ssl.php#refsect1-context.ssl-changelog says

5.6.0 Added peer_fingerprint and verify_peer_name. verify_peer default changed to TRUE.

As a result, any mail address which is served by a mail server that has been set up with a certificate whose CN does not match the MX name will fail the checkEmail() validation in www/includes/general.php. The error message logged on the server (but not shown to the user :-() is (mailserver.domain.name and mx.domain.name are hypothetical names here):

PHP Warning: stream_socket_enable_crypto(): Peer certificate CN=`mailserver.domain.name' did not match expected CN=`mx.domain.name'

While such a mail server setup is not 100% clean, it is very common, especially with hosters hosting many different domains, and CAcert users should be able to get their e-mails verified for such domains (like they were in the past, when PHP 5.5 was still deployed).
Tags:
Steps To Reproduce:
Additional Information: The following code fix solves this problem:

--- general.php.org 2019-02-14 09:17:44.753793847 +0100
+++ general.php 2019-02-22 12:35:20.403100537 +0100
@@ -593,6 +593,7 @@
                                $fp_opt = array(
                                        'ssl' => array(
                                                'verify_peer' => false, // Opportunistic Encryption
+ 'verify_peer_name' => false, // Opportunistic Encryption
                                                )
                                        );
                                $fp_ctx = stream_context_create($fp_opt);
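Review bot: with verify_peer already false, the added verify_peer_name => false makes the STARTTLS step fully unauthenticated: the probe now accepts any certificate from any host, so the "Opportunistic Encryption" comment on the `+` line should say that explicitly (encryption against passive observers only, no protection against an on-path MX). Since the description notes that the CN-mismatch warning was only logged and never shown to the user, consider appending the outcome of the crypto negotiation to $transcript in the same function, so support can tell a TLS failure from a rejected address.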
System Description Default profile.
Attached Files:
Notes
(0005774)
wytze   
2019-02-22 11:39   
(Last edited: 2019-02-22 11:42)
Due to the severity of this problem, which affects many domains as proven by a quick scan of the error logs for this specific message, the code fix listed in the Additional Information section has been deployed immediately on the production server as an emergency patch. Testing is therefore only possible on the test1.cacert.org server.

(0005775)
wytze   
2019-02-22 16:21   
Retrospective log analysis of the production server reveals that this failure has occurred 9580 times, between Apr 16 16:08:39 2018 and Feb 22 11:46:52 2019. Hence an emergency patch seems justified here.
(0005776)
wytze   
2019-02-22 16:23   
For proper testing on test.cacert.org, the checkEmailDummy function needs to be eradicated!
(0005777)
Ted   
2019-02-25 21:31   
Created new branch bug-1459 with Wytze's changes and pushed it to github and git.cacert.org.

Created new test branch test-1459 with enabled mail checking and checked it out on test.cacert.org. Note that Wytze's changes are not yet merged in, so it is now possible to do tests with the old version of mail checking.
(0005778)
Ted   
2019-02-25 21:33   
Reviewed the change. It is PASSED because there is no policy stating that SSL certificates of mail servers are checked strictly. Usually we even accept unencrypted mailserver connections...
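Bugs 1430, 1460 and 1459 above all concern the same MX probe in checkEmail(): which TLS versions it offers, whether it authenticates the server, and whether the server's own RCPT TO rejection reaches the user. The following Python is an added example that exercises all three decisions together; it is not the project's PHP code. make_tls_context() mirrors the verify_peer/verify_peer_name switch with a TLS 1.2 floor instead of the TLSv1.0|1.1|1.2 mask, read_reply() parses multi-line SMTP replies, and check_email() surfaces the RCPT TO line verbatim. ScriptedMX, its canned replies, the certificate names and the null sender in MAIL FROM are constructed assumptions for the example; no network or real TLS handshake is involved.

```python
import ssl
from dataclasses import dataclass, field
from typing import List, Tuple


def make_tls_context(opportunistic: bool) -> ssl.SSLContext:
    """opportunistic=True mirrors the patched PHP options (verify_peer=false,
    verify_peer_name=false): encrypt if STARTTLS is offered but do not
    authenticate the MX, so a certificate CN that differs from the MX name
    passes. The floor is TLS 1.2 either way, instead of the TLSv1.0|1.1|1.2
    mask of the bug 1430 patch; the maximum is left to the library."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if opportunistic:
        ctx.check_hostname = False       # verify_peer_name => false
        ctx.verify_mode = ssl.CERT_NONE  # verify_peer => false
    return ctx


def read_reply(lines: List[str]) -> Tuple[int, str]:
    """Consume one SMTP reply from the front of `lines` ('250-' continues,
    '250 ' ends a multi-line reply) and return (code, text)."""
    text = []
    while True:
        line = lines.pop(0)
        text.append(line[4:])
        if line[3:4] != "-":
            return int(line[:3]), "\n".join(text)


class ScriptedMX:
    """Constructed stand-in for a socket to an MX: canned replies instead of the
    network; starttls() reproduces only the client library's name check."""

    def __init__(self, mx_name: str, cert_cn: str, script: List[str]):
        self.mx_name, self.cert_cn, self.lines, self.sent = mx_name, cert_cn, list(script), []

    def send(self, line: str) -> None:
        self.sent.append(line)

    def reply(self) -> Tuple[int, str]:
        return read_reply(self.lines)

    def starttls(self, ctx: ssl.SSLContext) -> None:
        # Real code: ctx.wrap_socket(sock, server_hostname=self.mx_name)
        if ctx.check_hostname and self.cert_cn != self.mx_name:
            raise ssl.SSLCertVerificationError(
                f"Peer certificate CN={self.cert_cn!r} did not match expected CN={self.mx_name!r}")


@dataclass
class CheckResult:
    ok: bool
    reason: str  # on failure, the server's own reply line
    transcript: List[str] = field(default_factory=list)


def check_email(mx, address: str, opportunistic: bool = True, helo: str = "www.cacert.org") -> CheckResult:
    """EHLO, STARTTLS if offered, MAIL FROM, RCPT TO. A rejection on RCPT TO is
    returned verbatim instead of a generic connection failure (bug 1460).
    The null sender in MAIL FROM is an assumption, not CAcert's setting."""
    t: List[str] = []

    def exchange(cmd=None):
        if cmd is not None:
            mx.send(cmd)
            t.append(f"C: {cmd}")
        code, text = mx.reply()
        t.append(f"S: {code} {text}")
        return code, text

    code, text = exchange()  # greeting
    if code != 220:
        return CheckResult(False, f"greeting: {code} {text}", t)
    code, text = exchange(f"EHLO {helo}")
    if code != 250:
        return CheckResult(False, f"EHLO: {code} {text}", t)
    if "STARTTLS" in text.upper().split("\n") and exchange("STARTTLS")[0] == 220:
        try:
            mx.starttls(make_tls_context(opportunistic))
            t.append("- TLS established")
        except ssl.SSLError as exc:
            return CheckResult(False, f"TLS: {exc}", t)
        code, text = exchange(f"EHLO {helo}")  # RFC 3207: state is reset after TLS
        if code != 250:
            return CheckResult(False, f"EHLO after TLS: {code} {text}", t)
    code, text = exchange("MAIL FROM:<>")
    if code != 250:
        return CheckResult(False, f"MAIL FROM: {code} {text}", t)
    code, text = exchange(f"RCPT TO:<{address}>")
    mx.send("QUIT")
    return CheckResult(code in (250, 251), f"RCPT TO: {code} {text}", t)


def scripted_mx(mx_name: str, cert_cn: str, rcpt_reply: str = "250 2.1.5 Ok") -> ScriptedMX:
    """Canned conversation for one MX (constructed for the example)."""
    return ScriptedMX(mx_name, cert_cn, [
        "220 mail.example.net ESMTP",
        f"250-{mx_name}", "250-STARTTLS", "250 SIZE 10240000",  # EHLO
        "220 2.0.0 Ready to start TLS",                          # STARTTLS
        f"250-{mx_name}", "250 SIZE 10240000",                   # EHLO after TLS
        "250 2.1.0 Ok",                                          # MAIL FROM
        rcpt_reply,                                              # RCPT TO
    ])
```

With opportunistic=False and a scripted certificate CN of mailserver.domain.name for MX mx.domain.name, check_email() fails with the same "did not match expected CN" wording as the PHP warning in the description; with the default opportunistic=True the same MX passes, and a 550 on RCPT TO comes back in `reason` so support can quote it. To use it for real, replace ScriptedMX with a socket transport whose starttls() calls ctx.wrap_socket(sock, server_hostname=mx_name).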


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1456 [Main CAcert Website] organisational section minor always 2019-01-22 21:39 2019-02-14 21:35
Reporter: L10N Platform: Default  
Assigned To: GuKKDevel OS: any  
Priority: high OS Version: any  
Status: needs work Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Reviewed by:
Test Instructions:
Summary: COAP web form is broken
Description: When I try to finish "https://wiki.cacert.org/CoapHTML" by using the
button "Submit the form: generate PDF file", I receive an error message:
"pdf.cacert.eu" could not be found.
The URL that doesn't work:
https://pdf.cacert.eucacertpdf.php?name=Patent-+und+Rechtsanwaltskanzlei+..."
What can I do to make it work?
Tags: coap, organisation assurance, Wiki
Steps To Reproduce: 1. open the web form at "https://wiki.cacert.org/CoapHTML"
2. fill in the information
3. click on "Submit the form: generate PDF file"
4. Error message "pdf.cacert.eu" could not be found
Additional Information: information came from user T.R. through the web form
System Description Default profile.
Attached Files: access.log (3,092 bytes) 2019-02-01 15:49
http://bugs.cacert.org/file_download.php?file_id=464&type=bug
error.log (503,093 bytes) 2019-02-01 15:49
http://bugs.cacert.org/file_download.php?file_id=465&type=bug
Notes
(0005742)
L10N   
2019-01-22 21:40   
This bug has some importance, as the committee likes to push OrgA (organisation assurance).
(0005743)
L10N   
2019-01-22 21:45   
I contacted the owner of cacert.eu. For some time, there was a new website, but today, the URL is redirected to cacert.org. He does not know where pdf.cacert.eu was pointed. Maybe it was something new with Java?

(Original messages in German, translated here:
    pdf.cacert.eu -> wasn't that "your" new server?
    When I open www.cacert.eu, the new page is gone and I am redirected to
    .org. Do you know what happened to pdf.?

Nope ... Only the domain is mine ...
I also no longer know where PDF.c.eu pointed ... :-(
It may well be that it went to a new environment which already ran on Java (?) ...
But ... generating the CAP or COAP should also be possible in the old environment ...
(0005744)
L10N   
2019-01-22 21:45   
I tested what happens if I change the URL from pdf.cacert.eu to pdf.cacert.org. It did not work either.
(0005745)
L10N   
2019-01-22 21:48   
Next step, I had a look at the changes that happened to wiki.cacert.org/CoapHTML (at "info") and saw that the .eu address was added in 2013 by inopiae. So I created a test content form at wiki.cacert.org/CoapHTML and then, at the error page, I replaced in the URL "pdf.cacert.eu/cacertpdf.php" with "www.cacert.org/coapnew.php" (keeping everything before and after as it was) and reloaded the page again.

Half a success: it created a complete PDF form - only the fingerprint and the postal address are as in 2011 (Denistone East) and not as on the wiki page (as in 2019).

This can help for the moment.
(0005746)
L10N   
2019-01-22 21:49   
To get back the service we had before:
Where pointed pdf.cacert.eu?

If we will run the old service at www.cacert.org again:
How can we change address/fingerprint to use the form with the old address?
(0005747)
L10N   
2019-01-22 22:04   
Following the internet archive, cacert.eu ("CAcert community portal") has gone between September 14th, 2017 and March 28th, 2018.
https://web.archive.org/web/20170914222137/http://cacert.eu/
(0005750)
L10N   
2019-01-26 22:36   
I changed the wiki code from coapHTML and coapHTML_de as described in http://bugs.cacert.org/view.php?id=1456#c5745

The issue still remaining: fingerprint and postal address are still wrong, as they come not from the wiki but from somewhere else. I suppose it is to be changed at http://svn.cacert.org/CAcert/Forms/src/form_fies.php (but this is just a supposition and I cannot test it, as I do not have write access to svn).
(0005751)
L10N   
2019-01-26 23:56   
A community member wrote:

> Unfortunately the exchange of the address parts does not work, when I
> do it. Please see the attachment.
>
> What can I do else?
> I think, if nothing else works, I can print the browser page. I will ask
> the assurer. At last it's all paper...

I tried it on Firefox, PaleMoon, Vivaldi and Chromium browsers. For me, it worked on Firefox and PaleMoon, but not on Chromium and Vivaldi browsers. There it gave the same error message as reported by the member.

-----------------------------------
File not found (translated from the German browser message)
The file https://www.cacert.org
/coapnew.php?name=Example+Company+AG&
address=Hans-Knöll-Straße+1,+07745+Jena,+Germany&
type=Partnerschaftsgesellschaft&state=eingetragen (snip)

could not be
found. Please check the address and try
again.
Could the entry have been renamed, deleted or moved?
Does the address contain a spelling, capitalisation or other
typing error?
Do you have sufficient access rights for the requested entry?
(0005752)
Ted   
2019-01-27 13:48   
Moved the issue to the "Main Website" project, since the major problem obviously is coap.php respectively coapnew.php on the main website.
(0005753)
Ted   
2019-01-27 13:58   
The problem seems to be coapnew.pdf.

When I access https://test.cacert.org/coapnew.php I get a "file not found" error. When trying to start the script from the shell it says :
require_once(/usr/share/tcpdf_php4/config/lang/eng.php): failed to open stream: No such file or directory in /home/cacert/git/cacert/www/coapnew.php on line 319

Probably the TCPDF library is not installed on the webserver. Wytze can you have a look at this and install the library? Or forward this case to someone who can?
(0005754)
Ted   
2019-01-27 14:02   
Note that this script is (as far as I can see) nothing that has to be run on the critical system. It just creates a nice looking PDF from the form parameters which are transferred from the wiki.

So it was very sensible to install the script on cacert.eu, since changes to non-critical systems are much easier (less formal) than changes to the critical system.

Do we currently have another non-critical system where we can install this?
(0005755)
Ted   
2019-01-27 14:40   
(Last edited: 2019-01-29 14:41)
When I try to access https://www.cacert.org/coapnew.php I get the same error as when accessing https://test.cacert.org/coapnew.php ("File not found". The HTTP error code is 500).

(0005757)
Ted   
2019-01-28 22:40   
With some help from Wytze I managed to run the script from the shell, where it creates an empty COAP form.

When accessed with the browser the following error can be found in apache's error.log:
PHP Fatal error: Allowed memory size of 18874368 bytes exhausted (tried to allocate 65484 bytes) in /usr/share/tcpdf_php4/tcpdf.php on line 2367

This sounds like a strict resource setting of php.ini. I found two php.ini files on the testserver, one at /home/cacert/etc/php5/apache2/php.ini, containing a memory_limit of 128M, and one at /home/cacert/etc/php5/cli/php.ini containing a memory_limit of -1
Playing around a bit with those settings did not change anything, so I'll leave this to people with more proficiency in system administration...

BTW, the TCPDF library seems to be still supported, see https://github.com/tecnickcom/TCPDF, maybe we should switch to a more current version? :-\
(0005758)
wytze   
2019-01-29 11:37   
(Last edited: 2019-01-30 07:53)
I cannot reproduce the error by accessing https://test.cacert.org/coapnew.php, for me that produces a reasonably looking empty COAP form.

However, to tackle a PHP memory issue, you should edit /home/cacert/etc/php5/mods-available/cacert.ini, which contains a tighter setting for memory_limit (18M). I have raised it to 36M, so you could give your test a new try with that. If you want to increase it even further, please do not forget to "sudo service apache2 restart" after changing the config file.

As for a newer TCPDF version: it is trivial to switch from the -php4 version to a PHP5 version. I have done just that by editing line 233 in coapnew.php:

--- coapnew.php.org 2018-11-27 23:02:24.311871811 +0000
+++ coapnew.php 2019-01-29 11:26:20.661722514 +0000
@@ -230,7 +230,7 @@
 // INSTALLATION DIRS OF PACKAGES ==============================
 // make sure packages are installed here
 define('RT','./');
-define('TCPDF_DIR','/usr/share/tcpdf_php4');
+define('TCPDF_DIR','/usr/share/tcpdf');
 define('UTF8',RT."/utf8/native/core.php");
 if( file_exists(RT.'/transtab.php') ) // wherever it is
     define('UTF8_ASCII', RT.'/transtab.php');
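Review bot: the new TCPDF_DIR value is used without any existence check, while the transtab.php path two lines below is guarded with file_exists(); if /usr/share/tcpdf is missing or laid out differently from the php4 package, the failure will again only surface as the fatal require_once(…/config/lang/eng.php) error quoted in note 0005753 (coapnew.php line 319), which the browser then reports as a bare HTTP 500. Suggest failing early with a clear message, e.g. `if (!is_dir('/usr/share/tcpdf')) die('TCPDF library not installed');` before the define, and confirming that the PHP5 TCPDF package provides the same config/lang path the script still expects.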

This makes a lot of sense I think, and at the very least reduces the number of PHP5 deprecated feature warnings.

Please also note that HTTP error 500 does not mean "File not found" as some browsers say, rather it indicates an internal server failure. An example of that is PHP running out of memory.

(0005760)
GuKKDevel   
2019-02-01 15:32   
Did someone change something in productive system?

I gave it a try and the form was displayed.

So I only have to change the address and SHA checksums.
(0005761)
GuKKDevel   
2019-02-01 15:37   
Tried it a second time and it gave an error.

I need all logs for the time 2019-02-01-T16:20 to 2019-02-01-T16:40 in the production system.
(0005763)
wytze   
2019-02-01 15:49   
Providing all log data would be a serious breach of privacy. I will append the Apache2 access log and error log filtered on your IPv4 address, and with the address replaced by "YOUR-IP-ADDRESS" for privacy.
(0005772)
Ted   
2019-02-14 21:35   
I just found out that for me https://secure.test.cacert.org/coapnew.php works while https://test.cacert.org/coapnew.php gives an HTTP error.

The main website gives the same results, the "secure" server works, the "www" server does not.


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1454 [Main CAcert Website] website content major sometimes 2018-12-28 04:28 2019-02-07 22:53
Reporter: bdmc Platform:  
Assigned To: OS:  
Priority: normal OS Version:  
Status: needs review & testing Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Reviewed by:
Test Instructions:
Summary: Revise Password Reset page to reduce repayments
Description: The messages and instructions on the Password Reset page ( page 5 ) are unclear regarding the proper procedures, especially regarding the "donation" required before requesting that Support assist.
Tags: password recovery, support
Steps To Reproduce:
Additional Information:
Attached Files: Support.odt (27,211 bytes) 2019-01-02 00:42
http://bugs.cacert.org/file_download.php?file_id=463&type=bug
Notes
(0005716)
bdmc   
2018-12-28 04:43   
Page URL: https://www.cacert.org/index.php?id=5
(0005717)
bdmc   
2018-12-30 05:46   
I have created a new version of Page 5, containing many more instructions. I have also said that asking Support for help will take a long time, although I did not specify any time estimate. The code is checked in as "bug-1454," but only consists of one file different from "release."
(0005718)
bdmc   
2018-12-30 05:49   
I have been thinking about Etienne's suggestion for some kind of instruction document to be sent to users.

That might be triggered by the Paypal Payment "success return" message, because that is the only thing that happens before the user is expected to write an e-mail message to Support.

Alternatively, some kind of automatic reply to e-mail messages to Support, with the Subject "Password Recovery Request," might be a way to do it.
(0005719)
L10N   
2018-12-30 09:35   
The message that the user sends with the web form probably goes to support@c.o. At the same time a copy should be sent to a new address password-reset@c.o. (or only to password-reset@c.o.).

This address replies automatically (with 'support' as the sender) with a nice reply, which explains the procedure step by step. And in such a way that the next steps are delegated to the user.

This would have the advantage that the user could help himself in some cases (relieves support). In other cases other people could help (e.g. local assurers). Third, we would have a clear situation with Paypal: Support answered immediately. We are now waiting for further information from the user. Paid service (as Paypal will always consider it) has been provided.
(0005720)
L10N   
2018-12-30 10:01   
Content (keyword) for an automatic reply:

Thanks for contacting us
Empathy for existing problem
Promise to help
Please document everything

Step 1: with certificate (tried on ...)
Step 2: Five questions (tried on ...)
Step 3: With Assurance
3a: If no Assurer nearby known: secretary.c.o requested for addresses from the public part of the WoT directory (requested on..., reply received on...)
3b: Assurer 1 contacted on... (if no reply within 3 days, Assurer 2, 3, 4, 5 contacted)
3c: Assurer met on....
3d: C-word received from Support on....
3e: Answered to Support answered (password reset allowed) on....
3f: T-word from support received on: ....
3g: Congratulations, now you can reset the password yourself. To do this, log into your account. As a provisional password, use (with no space in between): A-word T-word
Step 4: It didn't work. Write to support, include documentation of the first 3 steps with data and assurers.
(0005721)
L10N   
2019-01-02 00:42   
What about this? (Draft, in German)
If possible, send only part 1-2 and part 3 24hrs later.
(0005734)
L10N   
2019-01-13 23:03   
What about a new e-mail-address for password recovery that answers automated (see above); only the second contact goes to support?
(0005735)
bdmc   
2019-01-14 07:11   
I should have responded to this a few days ago, when you first proposed it.

Yes, I like the idea of a special e-mail address for password recovery, and, as you say, perhaps don't send directly to the Support mailing list.

We could never send mail for password recovery to the Support mailing list, or only after the user has accomplished all other tasks. Mail to the password recovery address could be forwarded to Support, or the user would be directed to the Support mailing list only at the end of the process.
(0005736)
L10N   
2019-01-14 13:57   
Until now: User forgot password
-> read wiki, help himself OR most: -> @ to support@c.o. (not support@lists.c.o.)

It could be this way: User forgot password
-> read wiki, help himself OR most: -> @ to new-password-recovery-address@c.o. -> automated answer with help, step 1&2, -> after 24 hours automated answer2 with help, step 3&4, -> after 24 hours automated3 answer with help, step 5&6 (while 6 means contact support and giving the address from support)

If this is too complicated (automated follow-up mails):

It could be this way: User forgot password
-> read wiki, help himself OR most: -> @ to new-password-recovery-address@c.o. -> automated answer with help, step 1-6 (while 6 means contact support and giving the address from support)

The phasing makes sense, as the requestor should do several things before contacting support. On the other hand, you can only send one reply with everything, because there are certainly people who have read the wiki before...

Even if the draft is in German, it's worth looking at it, possibly with an automatic translator, to see how it's planned.
(0005764)
L10N   
2019-02-07 22:53   
I just asked the e-mail member of the Infrastructure Team whether an auto responder can be implemented with the available resources. Original message in German.



-------- Original Message --------
Subject: Auto responder
Date: Thu, 07 Feb 2019 22:44:19 +0000

(...)

At the moment I am clarifying various options to relieve Support in the case of
lost passwords. Could you please give me your honest assessment of the
following points, because not everything that is technically possible can be
implemented here or with the available resources.

- Is it possible to set up a new e-mail address that automatically replies
with a predefined text/mail? (The incoming mail can be deleted regardless of
its content, but it should be traceable when it arrived, from which address,
and that the automatic reply went out.)

- Is it possible to set up a new e-mail address that replies automatically with
a predefined text/mail *several times*? That is, as above, once immediately and
then at predefined times (e.g. 24h later, 36h later) sends out mail 2 and
mail 3?

What happens technically in the background, or whether this runs via mail or a
list, does not matter... I would just like to know whether something like this
is feasible/possible for us with reasonable effort.

Thanks for a brief reply and
kind regards
(...)


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1398 [CATS.cacert.org] Translation: User Interface minor N/A 2015-08-21 21:24 2019-01-21 22:18
Reporter: Ted Platform:  
Assigned To: Ted OS:  
Priority: normal OS Version:  
Status: needs work Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Summary: User Interface Translation to Czech
Description: Initial language file provided by Aleš
Tags: CATS
Steps To Reproduce:
Additional Information:
Attached Files:
Notes
(0005453)
Ted   
2015-08-21 21:53   
The Czech translation uses non ISO-8859-1 characters.

This could be the occasion to move CATS from ISO-8859-1 to UTF-8 encoding, and I'll consider that job as part of this bug.
(0005737)
Ted   
2019-01-14 22:21   
For now, the "dangerous" characters of the translation have been replaced by HTML encodings.

The bug branch has been merged into the testserver branch, which is now installed on the testserver, so it is now possible to select the Czech language for the user interface!

Please test the translation, though I'm still evaluating if it is possible to move to UTF-8 encoding completely.


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1402 [CATS.cacert.org] Translation: Content text always 2015-09-21 18:14 2019-01-13 14:54
Reporter: alkas Platform: PC  
Assigned To: OS: Windows  
Priority: normal OS Version: 8  
Status: new Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Summary: A comment on deployed Czech translation of the "Assurer's Challenge" test
Description: The following is a part of the Test and Results web (generated) pages - head:
meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"
The code should not be iso-8859-1, for this text containing non-ISO-8859-1 characters this should be Windows CP-1250, as the text is so coded. Or, possibly later, Unicode UTF-8 should be used. There is possibility in a browser to change coding, but it is of no use for common end users.
Tags: CATS, diacritic, Translation
Steps To Reproduce: Select test "Výzva zaručovatele (CZ)" and try to answer the questionnaire. It works OK except for minor miscoding of some questions. The browser used was IE10 on Windows 8.0.
Additional Information: If you realize to change coding after you have answered some questions, all your answers will be cleared after the change.
Also the answers "true", "false" are English, not Czech. Possibly this will change after the Czech user interface is deployed.
System Description Test version of the CAcert website
Attached Files: Výzva_zaručovatele_.txt (47,366 bytes) 2015-10-01 14:13
http://bugs.cacert.org/file_download.php?file_id=409&type=bug
Notes
(0005463)
alkas   
2015-10-01 14:17   
Added file with the test in Czech. The file contains no information about correct answers.
(0005733)
Ted   
2019-01-13 14:53   
(Last edited: 2019-01-13 14:54)
The charset in Content-Type is used by the browser only to decide which characters may be sent unencoded.

The test still supports the whole UTF charset, but non-iso-8859-1 characters are transmitted as HTML entities (for example something like & # 367;), which is perfectly OK for the browser (and the database).

So, yes, I would prefer to have the pages being announced as using utf-8 charset, but IMHO this would only change the data management in the backend, and have no effect on the user.



View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
973 [CATS.cacert.org] Translation: Content minor N/A 2011-08-22 21:19 2019-01-03 21:20
Reporter: Ted Platform:  
Assigned To: Ted OS:  
Priority: normal OS Version:  
Status: needs review & testing Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Summary: Translation of Assurer Challenge to French
Description: This is to keep track of the current status of the translation.
Tags: CATS, Translation
Steps To Reproduce:
Additional Information:
Attached Files:
Notes
(0002319)
Ted   
2011-08-22 22:11   
Current status:

About 20% completed
(0003259)
Lordguy   
2012-10-17 20:54   
(Last edited: 2012-10-17 21:53)
Org assurer test translated to 100%

(0004450)
L10N   
2013-11-09 23:25   
What is still missing to finish?
(0005193)
L10N   
2014-12-18 21:36   
What is still missing to finish?
(0005551)
L10N   
2017-06-30 20:25   
What is still missing to finish?
(0005578)
bergerc   
2018-03-18 21:49   
I modified some translations (French). What are the next tasks?
(0005582)
jandd   
2018-04-06 09:26   
https://translations.cacert.org/fr/cats/ seems to be complete now
(0005610)
Ted   
2018-09-04 07:36   
I don't know if we are talking about the same thing here.

This is the case to translate the test questions, not the user interface. The test questions are not (and will probably never be) on https://translations.cacert.org!

At the moment translating and reviewing the test questions is a bit complicated, see https://wiki.cacert.org/Brain/Study/EducationTraining/CATSTranslation...

I'll try to create HTML files for a review of the french test questions in the next few days and publish a link here.
(0005613)
Ted   
2018-10-21 18:50   
The current state of the french translation of the Assurer Challenge can now be found at https://cats.test.cacert.org:14843/fr.html

This is the CATS test system, be prepared that your browser will probably complain about an invalid certificate.
(0005724)
L10N   
2019-01-02 20:24   
Hi Ted,
all 96 questions/answers are now translated, that means 100% of the Assurer Challenge.
Review is needed.
(0005725)
L10N   
2019-01-02 20:27   
In 2012, Lordguy wrote (https://bugs.cacert.org/view.php?id=973#c3259), that the OrgA Test is 100% translated. Is OrgA Test in production or is a review needed?
(0005730)
Ted   
2019-01-03 21:20   
An updated version of the French review sheet is available at https://cats.test.cacert.org:14843/fr.html (for the time of the review). The first thing I noticed was that question [3] and the answers to [4] are still English? >:-)

OrgA Test is not installed on the production CATS, so I'd take this as a hint that it is currently not in use.


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1453 [Main CAcert Website] website content feature N/A 2018-12-09 23:24 2018-12-09 23:24
Reporter: L10N Platform:  
Assigned To: OS:  
Priority: high OS Version:  
Status: new Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Reviewed by:
Test Instructions: (number) paypal button(s) are shown on https://www.cacert.org/account.php?id=6&cert=xyz and in working order.
Summary: Donation button on certificate issuing page
Description: "Comment from Philipp; Add donation button to page where people successfully get their certificate."
source: https://bugs.cacert.org/view.php?id=1305 (>2009)

This page would be https://www.cacert.org/account.php?id=6&cert=xyz (cert number)
accessible through https://www.cacert.org/account.php?id=5 and then clicking on the e-mail address of any issued certificate
Tags: certificates, finances, future, html, new feature
Steps To Reproduce:
Additional Information: A possibility (with German text and more than one PayPal button) is given in the pictures.
Attached Files: as-it-is.png (211,424 bytes) 2018-12-09 23:24
http://bugs.cacert.org/file_download.php?file_id=455&type=bug
as-it-should.png (181,562 bytes) 2018-12-09 23:24
http://bugs.cacert.org/file_download.php?file_id=456&type=bug
There are no notes attached to this issue.


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1452 [Main CAcert Website] translations minor always 2018-12-06 12:17 2018-12-06 12:17
Reporter: GuKKDevel Platform: Test CAcert Website  
Assigned To: OS: N/A  
Priority: normal OS Version: Test  
Status: new Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Reviewed by:
Test Instructions:
Summary: changing the default language doesn't change the language for CAP-forms
Description: being logged in and changing the default language doesn't change the language for CAP-forms automatically
Tags: Translation
Steps To Reproduce: 1. log in
2. create CAP-form -> is in your default language
3. change default language
4. create CAP-form -> still the old language

Additional Information:
System Description Test version of the CAcert website
Attached Files:
There are no notes attached to this issue.


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1031 [Main CAcert Website] Audit issues major always 2012-04-09 03:12 2018-11-18 13:46
Reporter: clopez Platform: Default  
Assigned To: Patrick OS: any  
Priority: high OS Version: any  
Status: fix available Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Reviewed by:
Test Instructions:
Summary: Disable use of insecure function mysql_escape_string()
Description: mysql_escape_string() is insecure

 * http://security.stackexchange.com/questions/8028/does-mysql-escape-string-have-any-security-vulnerabilities-if-all-tables-using-l

And it's used in core parts like password user logging:

$ grep -rl mysql_escape_string .
./includes/lib/general.php
./www/wot.php
./www/disputes.php
./www/verify.php
./www/alert_hash_collision.php
./www/index.php
./www/api/cemails.php
./www/api/edu.php
./pages/wot/12.php
./pages/wot/13.php
./pages/account/43.php
./pages/account/53.php
./pages/account/41.php
./pages/account/54.php
./pages/account/49.php
./tverify/index.php


Theoretically this can be exploited to perform a SQL Injection attack.


Please replace all mysql_escape_string() occurrences with the secure mysql_real_escape_string()

You can do this simply executing this command on the topdir:

grep -rl mysql_escape_string . | xargs sed -i "s/mysql_escape_string/mysql_real_escape_string/g"
Tags:
Steps To Reproduce:
Additional Information:
System Description Default profile.
Attached Files:
Notes
(0005336)
Patrick   
2015-02-27 22:06   
I quickly wrote the fix.

https://github.com/DjBusti/cacert-devel/commit/c7ec6a2aa2edc6d59578d5adc685de01d4497461
(0005684)
Ted   
2018-11-18 13:46   
Note that 0001442 also replaces mysql_real_escape_string, by mysqli_real_escape_string.

So, once bug-1442 is installed this issue is obsolete.


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1194 [Main CAcert Website] misc minor have not tried 2013-07-23 22:20 2018-11-16 10:37
Reporter: NEOatNHNG Platform:  
Assigned To: NEOatNHNG OS: Windows  
Priority: normal OS Version: 8  
Status: needs work Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Reviewed by:
Test Instructions:
Summary: Root certificate installer MSI package fails on Windows 8
Description: There are some problems when using the installer package on Windows 8
Tags:
Steps To Reproduce:
Additional Information:
Attached Files:
Notes
(0004204)
NEOatNHNG   
2013-07-31 12:49   
This seems to be a problem with the WiX toolkit used. One upstream bug report can be found on http://sourceforge.net/p/wix/bugs/1369/ but that should have been fixed since WiX 3.5 and I have used 3.7 to build the package. Seems I have to dig a little further.
(0004483)
NEOatNHNG   
2013-12-11 00:53   
http://wixtoolset.org/issues/4212/


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
156 [Main CAcert Website] source code tweak always 2006-03-05 21:42 2018-11-11 18:37
Reporter: bluec Platform:  
Assigned To: bluec OS:  
Priority: low OS Version:  
Status: needs work Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Reviewed by:
Test Instructions:
Summary: magic_quotes_gpc vs. mysql_escape_string()
Description: I see many cases where mysql_escape_string() is applied to $_REQUEST, $_POST or $_GET. As magic_quotes has already escaped these strings, this may lead to corruption of the user input.

e.g. in api/ccsr.php

        $username = mysql_escape_string($_REQUEST['username']);
        $password = mysql_escape_string($_REQUEST['password']);

I recommend using something like quote_smart() from php.net

  function quote_smart($value)
  {
     // stripslashes, if necessary
     if (get_magic_quotes_gpc()) {
         $value = stripslashes($value);
     }

     // quote, if not numeric
     if (!is_numeric($value)) {
         $value = "'" . mysql_real_escape_string($value) . "'";
     }

     return $value;
  }


Additionally since PHP 4.3.0 it's recommended to use mysql_real_escape_string().
Tags:
Steps To Reproduce:
Additional Information:
Attached Files:
Notes
(0000523)
duane   
2006-08-16 13:36   
We need patches and/or source locations, this bug isn't a simple one and feeds back into the requirement to turn off globals...
(0001010)
dionyziz   
2008-02-18 13:42   
I can confirm this bug exists for the "Contact Information" field of the "My Listing" section.


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1448 [Main CAcert Website] source code minor have not tried 2018-11-09 22:06 2018-11-11 18:37
Reporter: Ted Platform:  
Assigned To: pmoulding@cacert.org OS:  
Priority: normal OS Version:  
Status: new Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Reviewed by:
Test Instructions:
Summary: Convert to new error class
Description: Reported by pmoulding:

PHP now has an error class and conflicted with the error class already used in openbiblio

As far as the 'error class,' it means isolating all of the error-handling code into a single area, and make calls to that code for both error handling and error reporting.
Tags:
Steps To Reproduce:
Additional Information:
Attached Files:
There are no notes attached to this issue.


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1446 [Main CAcert Website] General minor have not tried 2018-11-04 04:51 2018-11-11 18:36
Reporter: pmoulding@cacert.org Platform: Test CAcert Website  
Assigned To: pmoulding@cacert.org OS: N/A  
Priority: normal OS Version: Test  
Status: needs work Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Reviewed by:
Test Instructions:
Summary: Add an autoloader as a step toward moving common code into classes
Description: Common code should be in classes. Classes can be delivered from a single class directory. An autoloader can make the class loading automatic. The autoloader can replace the multiple occurrences of require/require_once.

The autoloader class could also replace the prepend defined in the Apache config file, removing a roadblock for people who cannot access their Apache settings.
Tags:
Steps To Reproduce:
Additional Information: Create a directory outside the Web root named class or the same directory inside the Web root with a Web server config line to limit access to the class directory.
Create a class named cacert in a class file named cacert.php in the class directory.
Add common code to every page to start with the loading of the cacert class.
In the constructor of cacert, register an autoloader function named autoloader.
Create the autoloader function to load classes from the class directory if they exist.

The class could also set directory paths and other similar values, such as the domain name, for use on every page.
System Description Test version of the CAcert website
Attached Files: cacert.php (36 bytes) 2018-11-04 07:01
http://bugs.cacert.org/file_download.php?file_id=441&type=bug
index.php (26,831 bytes) 2018-11-04 07:01
http://bugs.cacert.org/file_download.php?file_id=442&type=bug
cacert.ini (221 bytes) 2018-11-04 07:03
http://bugs.cacert.org/file_download.php?file_id=443&type=bug
cacert-2.php (359 bytes) 2018-11-04 07:03
http://bugs.cacert.org/file_download.php?file_id=444&type=bug
cacert-3.php (2,264 bytes) 2018-11-04 07:03
http://bugs.cacert.org/file_download.php?file_id=445&type=bug
Notes
(0005647)
pmoulding@cacert.org   
2018-11-04 07:01   
I modified index.php in my test to include a cacert.php.
(0005648)
pmoulding@cacert.org   
2018-11-04 07:03   
The included cacert.php brings in a common cacert.php file from outside the Web root. There is a .ini file at the same level.
(0005649)
pmoulding@cacert.org   
2018-11-04 07:03   
The cacert.php file includes class/cacert.php
(0005650)
pmoulding@cacert.org   
2018-11-04 07:07   
This structure was copied from other projects. You might like to work on the names, locations, and what is included from the .ini. I started a separate issue for the .ini and included the .ini here only as a simple way to load the .ini. The contents of the .ini would be better discussed in the other issue.
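The loader structure described in the issue's Additional Information (class directory, a cacert class whose constructor registers an autoloader, an .ini with per-page values), written out as an added example; this is not the attached cacert.php or any other project code. The directory layout, file names and the ini handling are assumptions, and the class-name validation is a defensive addition the issue does not mention.

```php
<?php
// Added example, not the project's code. Paths and the ini layout are assumed.
declare(strict_types=1);

final class cacert
{
    /** Absolute, canonical path of the class directory (outside the web root). */
    private string $classDir;

    /** Values every page may need, e.g. the domain name, read from cacert.ini. */
    public array $config = [];

    public function __construct(string $classDir, string $iniFile = '')
    {
        // realpath() resolves symlinks and "..", so the prefix check below is meaningful.
        $real = realpath($classDir);
        if ($real === false || !is_dir($real)) {
            throw new RuntimeException("class directory not found: $classDir");
        }
        $this->classDir = $real;

        if ($iniFile !== '' && is_readable($iniFile)) {
            // parse_ini_file() returns false on a syntax error; keep config empty then.
            $this->config = parse_ini_file($iniFile, false, INI_SCANNER_TYPED) ?: [];
        }

        // Register the loader; PHP calls it for every class it cannot find itself.
        spl_autoload_register([$this, 'autoloader']);
    }

    /**
     * Load a class from the class directory if a matching file exists.
     *
     * The name is validated before it becomes a path: PHP passes the loader
     * whatever name the code asked for, including names assembled from strings
     * at runtime, so "../" or an absolute path must never reach the require.
     * Namespaced names (containing "\") are deliberately rejected, matching a
     * flat class directory.
     */
    public function autoloader(string $class): void
    {
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $class)) {
            return;   // not a plain identifier; leave it to other loaders or PHP
        }

        $file = $this->classDir . DIRECTORY_SEPARATOR . $class . '.php';
        $real = realpath($file);
        $prefix = $this->classDir . DIRECTORY_SEPARATOR;

        if ($real === false || strncmp($real, $prefix, strlen($prefix)) !== 0) {
            return;   // file missing, or it resolved outside the class directory
        }

        require_once $real;
    }
}

// Typical use at the top of every page (paths assumed, web root is one level below):
// require_once __DIR__ . '/../cacert.php';
// $cacert = new cacert(__DIR__ . '/../class', __DIR__ . '/../cacert.ini');
// $domain = $cacert->config['domain'] ?? 'localhost';
// $helper = new SomeHelper();   // resolved from class/SomeHelper.php automatically
```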


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1253 [Main CAcert Website] website content minor have not tried 2014-03-02 11:22 2018-11-05 10:36
Reporter: INOPIAE Platform:  
Assigned To: egal OS:  
Priority: normal OS Version:  
Status: needs review Product Version: 2014 Q1  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version: 2015 Q2  
Reviewed by: Ted
Test Instructions: Cause error messages and see if the HTML is using CSS classes instead of style attributes
Summary: Remove deprecated <font> formatting
Description: The font tag is deprecated. Use span or div instead and possibly create a proper CSS class for it (or reuse an existing one).
Tags:
Steps To Reproduce:
Additional Information:
Attached Files:
Notes
(0004615)
MartinGummi   
2014-03-04 21:24   
FIX https://github.com/magujs/cacert-devel/tree/bug-1253
(0005280)
INOPIAE   
2015-01-27 21:03   
I tried to log in with a wrong passphrase.
In the HTML code there was no font tag around the error message.
=> OK
(0005281)
Eva   
2015-01-27 21:16   
It would be nice to know where there can be errors to be able to test them.
(0005306)
Eva   
2015-02-03 21:26   
Benny collected the following error messages (copy from pad):
- account_stuff: general account error messages
- general_stuff: general error messages
- includes/shutdown.php
- (tverify errors)
- account/14: Passphrase of the *
- (account/40: Mailinglist Note)
- index/0: disabled functions ...
- index/1: Passphrase of the *
- (index/11: Mailinglist Note)
- index/6: Passphrase of the *
- wot/1: CATS/Assurer
- wot/5: general error output
- wot/8: general error output
- wot/9: general error output
- www/gpg: GPG key error
- www/wot: general warning output
(0005331)
Eva   
2015-02-24 22:06   
(Last edited: 2015-03-03 22:07)
Could test without issues:
account/14 -> ok
index/1 - multiple situations -> ok
index/6 - multiple situations -> ok
wot/5: general error output - multiple situations -> ok
www/wot: general warning output -> ok [however the error as such is wrong]
gpg: GPG key error -> ok

not testable without access to testserver:
includes/shutdown.php
index/0: disabled functions ...

not testable at all, as it was removed:
(tverify errors)
(account/40: Mailinglist Note)
(index/11: Mailinglist Note)

account_stuff: general account error messages
- unsure what this should be, some account errors produced at index/1 -> ok?

general_stuff: general error messages
- unsure what this should be
file not founds -> ok


Could not produce the errors on the following pages - according to Felix they are deleted before they are shown
wot/8: general error output
wot/9: general error output

Even though there should be a situation where the following page displays an "error" in the tables for users who have no CATS but 100 points, those users were just not shown, so I could not test this error:
wot/1: CATS/Assurer
edit: could see this later -> ok


General note:
It would be good if errors were displayed always in the same manner.

=> those that I could produce were OK - could not do complete test

(0005351)
BenBE   
2015-03-03 21:26   
added:
- includes/account.php
- includes/keygen.php
- pages/advertising/1.php
(0005352)
INOPIAE   
2015-03-03 21:27   
(Last edited: 2015-03-03 21:37)
tested:
all wot pages: all displayed errors showed an error class => ok
index/1 and 6: all displayed errors showed an error class => ok

account/14: all displayed errors showed an error class => ok

advertising/1: displayed error showed an error class => ok
 => ok

(0005353)
Eva   
2015-03-03 21:54   
(Last edited: 2015-03-03 22:03)
- includes/account.php is
account/14 -> is improved compared to last test
-> ok

- includes/keygen.php
-> needs IE without activeX - I do not have access to this browser at the moment, so no test from me for this
-> not tested

- pages/advertising/1.php is
advertising.php?id=1 - I do not see anything there
-> ok
(Hint: you need to have Add Admin rights = 1 - relog after you set this flag)


=> OK, as far as I could test it (did not retest other things)

(0005354)
BenBE   
2015-03-03 22:12   
As the bugtracker currently doesn't show the patches you can find them alternatively https://github.com/CAcertOrg/cacert-devel/compare/release...bug-1253
(0005611)
Ted   
2018-10-20 21:56   
(Last edited: 2018-10-20 21:56)
I removed a trailing semicolon in one style attribute.
The specification at https://www.w3.org/TR/css-style-attr/#Syntax%20and%20Parsing does not allow trailing semicolons in style attributes, though AFAIK it is tolerated by most browsers.

Since this is in fact a fallback to the previous version (and an extremely minor change) I don't think that this has to go through testing once more.

All other changes are acceptable. One might argue the class names, since "error_indicator" is used to indicate (IMHO) warnings in some places, but insisting on a change here would be nitpicking. I'll leave this to a followup bug report if someone also feels this way.

The review is PASSED.

(0005612)
Ted   
2018-10-20 22:18   
Hmm, this issue has already been reviewed by BenBE in 2015, and AFAIK he was a Software Assessor then. So this issue might be considered as reviewed by two SAs, but there have been code changes (beyond my little one) after BenBE's first review...
(0005654)
Ted   
2018-11-05 10:36   
Dirk, can you just give a second review? It's a quite easy job, and could help to warm up for the other jobs to follow...


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1439 [Main CAcert Website] misc major always 2018-05-13 19:14 2018-11-01 21:12
Reporter: Ted Platform:  
Assigned To: egal OS:  
Priority: normal OS Version:  
Status: fix available Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Reviewed by:
Test Instructions:
Summary: Changes needed for cats_import.php for new PHP version
Description: As noticed by Wytze, the old version of cats_import.php seems not to work with the updated OS (Debian Jessie). Obviously the format of the server variable SSL_CLIENT_S_DN has changed, so matching the Upload DN does not work anymore.

Wytze has installed a hotfix to get the CATS result upload working again, but there is also another issue here when checking for the DN, the check should make sure that the complete emailAddress field is checked, the current check could probably be fooled by a certificate issued for cats@cacert.org.evildomain.com. I guess that was the intention of the reviewer's comment, but it looks like I did not get it then... :-(
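As an added example (not the cats_import.php code, and not Wytze's or Ted's patch), a PHP check that parses SSL_CLIENT_S_DN into attributes and compares the whole emailAddress value, shown beside the substring test, and run over constructed DNs in both the legacy slash form and the comma form. It assumes PHP 7.1 or later; the sample DNs are made up for the demonstration.

```php
<?php
// Added example, not the cats_import.php code and not Wytze's or Ted's patch:
// parse SSL_CLIENT_S_DN into attributes and compare the emailAddress value
// exactly, instead of searching for 'emailAddress=cats@cacert.org' anywhere
// in the string. Assumes PHP >= 7.1; the sample DNs below are constructed.

/**
 * Split a subject DN into a list of [type, value] pairs.
 * Handles the legacy mod_ssl form ("/emailAddress=x/CN=y") and the
 * comma-separated form ("emailAddress=x,CN=y") that appeared after the
 * Debian Jessie upgrade. Escaped separators ("\," or "\/") stay in the value.
 */
function parseSubjectDn(string $dn): array
{
    $dn = trim($dn);
    if ($dn === '') {
        return [];
    }
    // A leading slash marks the legacy form; anything else is comma separated.
    $sep = '/';
    if ($dn[0] === '/') {
        $dn = substr($dn, 1);
    } else {
        $sep = ',';
    }
    // Split only on separators that are not preceded by a backslash.
    $parts = preg_split('/(?<!\\\\)' . preg_quote($sep, '/') . '/', $dn);
    $pairs = [];
    foreach ($parts as $part) {
        $eq = strpos($part, '=');
        if ($eq === false) {
            continue; // not "type=value"; ignore rather than guess
        }
        $type  = strtolower(trim(substr($part, 0, $eq)));
        $value = stripslashes(trim(substr($part, $eq + 1)));
        $pairs[] = [$type, $value];
    }
    return $pairs;
}

/** The substring test as in cats_import.php (same result as strlen(stristr(...)) > 0). */
function weakCatsAccessCheck(string $dn): bool
{
    return stristr($dn, 'emailAddress=cats@cacert.org') !== false;
}

/**
 * Hardened test: the DN must carry exactly one emailAddress attribute and its
 * whole value must equal the expected address (case-insensitively, because
 * stristr was case-insensitive too).
 */
function catsAccessCheck(string $dn, string $expected = 'cats@cacert.org'): bool
{
    $emails = [];
    foreach (parseSubjectDn($dn) as [$type, $value]) {
        if ($type === 'emailaddress') {
            $emails[] = $value;
        }
    }
    return count($emails) === 1 && strcasecmp($emails[0], $expected) === 0;
}

// Constructed sample DNs: the two legitimate spellings, then three that the
// substring test accepts but the parsed comparison refuses.
$samples = [
    'emailAddress=cats@cacert.org,CN=CAcert WoT User',
    '/emailAddress=cats@cacert.org/CN=CAcert WoT User',
    'emailAddress=cats@cacert.org.evildomain.com,CN=CAcert WoT User',
    'CN=emailAddress=cats@cacert.org',
    'emailAddress=cats@cacert.org,emailAddress=someone@evildomain.com,CN=x',
];
foreach ($samples as $dn) {
    printf("%-72s substring=%-5s parsed=%s\n", $dn,
        weakCatsAccessCheck($dn) ? 'allow' : 'deny',
        catsAccessCheck($dn) ? 'allow' : 'deny');
}
```

The first two DNs are allowed by both checks; the last three are allowed by the substring test only.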
Tags:
Steps To Reproduce:
Additional Information: Complete mail from Wytze:

Hi Ted,

Since we have upgraded the CAcert chroot application environment to Debian
Jessie on the webdb production server, it appears that import from CATS
does not work anymore. I noticed these messages in the errorlog:

[Sun Apr 29 06:35:01.458559 2018] [:error] [pid 17899] [client
213.154.225.243:59570] PHP Fatal error: Unauthorized access:
ip(213.154.225.243) server(secure.cacert.org) https(on)
cert(emailAddress=cats@cacert.org,CN=CAcert WoT User) in
/www/www/cats/cats_import.php on line 60

Looking at the code, it seems that the match for the email address in
the presented certificate is failing. Somehow with the new PHP version
the / is no longer appearing in front of emailAddress=cats@cacert.org.

I have made the following tentative fix:

wytze@webdb:/home/cacert/www/www/cats$ cvs diff -u cats_import.php
Index: cats_import.php
===================================================================
RCS file: /var/lib/cvs/cacert/www/cats/cats_import.php,v
retrieving revision 1.7
diff -u -r1.7 cats_import.php
--- cats_import.php 10 Jun 2012 09:10:54 -0000 1.7
+++ cats_import.php 5 May 2018 08:11:52 -0000
@@ -48,7 +48,7 @@
  $https == 'on' &&
  // Comment (to be romeved): better to use preg_match matching the end of the
line (since this is on the end of the line right?)
  // Ted: Is this specified? I don't think so, therefore I'd keep stristr
- strlen(stristr($ssl_client_s_dn, '/emailAddress=cats@cacert.org')) > 0
+ strlen(stristr($ssl_client_s_dn, 'emailAddress=cats@cacert.org')) > 0
 ) $access = TRUE;

 if ($access !== TRUE) {
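Review bot: the replacement `stristr($ssl_client_s_dn, 'emailAddress=cats@cacert.org')` on the `+` line is still a substring match, so a subject whose emailAddress merely starts with cats@cacert.org (the cats@cacert.org.evildomain.com case named in the Description) or a DN that carries that text inside another attribute passes as well, and dropping the leading `/` also removes the only anchor to the start of the attribute. Parse the DN into attributes and compare the emailAddress value for equality, or at least anchor a preg_match on the attribute boundary (`,` or end of string) as the earlier comment in the hunk already proposes.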
wytze@webdb:/home/cacert/www/www/cats$

and this restored operation of the CATS upload operation.

Can you provide us with an official checkin request for this change,
so it gets recorded in the CVS tree?

Regards,
-- wytze
Attached Files:
Notes
(0005589)
Ted   
2018-05-14 20:32   
Checked in branch bug-1439 to Github. Maybe it has to be merged into the repository of git.cacert.org...
(0005636)
Ted   
2018-11-01 21:10   
Dirk, since I wrote the patch I really cannot review it myself. Can you give it a try? And maybe we can try the "two developer reviews replace one Assessor review" variant?
(0005637)
Ted   
2018-11-01 21:12   
The issue also has to be tested. To test on the testserver I'll have to get the test-CATS-upload running again...


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1379 [Main CAcert Website] tweak always 2015-04-10 17:07 2018-11-01 21:00
Reporter: rubo77 Platform: Main CAcert Website  
Assigned To: BenBE OS: N/A  
Priority: normal OS Version: stable  
Status: needs review & testing Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Reviewed by: BenBE
Test Instructions: see below https://bugs.cacert.org/view.php?id=1379#c5410
Summary: add hint how to install certificate in your email client
Description: For many users it is not obvious how to install a generated cert in Thunderbird, because there is no link to get a p12 file
Tags:
Steps To Reproduce: click on the link to see your certificate for a certain email:

https://secure.cacert.org/account.php?id=6&cert=[your id here]
Additional Information: There are only three links:

    Install the certificate into your browser
    Download the certificate in PEM format
    Download the certificate in DER format

but no explanation how to retrieve the needed p12 file for Thunderbird.

Please add one line after

    Install the certificate into your browser


like

    (and export it for your e-mail client afterwards)


I edited the page in github here:

https://github.com/CAcertOrg/cacert-devel/compare/release...rubo77:patch-1
System Description Production version of the CAcert website
Attached Files:
Notes
(0005375)
rubo77   
2015-04-10 17:08   
Pull Request:

https://github.com/CAcertOrg/cacert-devel/pull/2
(0005379)
Eva   
2015-04-28 19:30   
As there are collections about how to work with certificates in the Wiki for different browsers and with different approaches, I think it would make a lot more sense to place a link to the wiki instead of describing it in the software.

Additionally this would be more or less a handbook for OTHER software projects. If those other projects change how they handle certificates we would have to change our software just to maintain a handbook for them, not because the software itself would have to be adapted.
(0005408)
INOPIAE   
2015-06-17 19:46   
(Last edited: 2015-06-17 19:47)
After the discussion in the software telco about the text I created a fix and pushed it to https://github.com/INOPIAE/CAcert/commit/5dc9fb148fb2f996bee22e45513a2953f66a2dce

(0005410)
INOPIAE   
2015-06-23 19:41   
(Last edited: 2015-06-23 20:11)
Test instructions:
1. If you are not logged in the menu should show a menu entry "funding" with a link to the current funding projects.
2. After the creation of a client certificate the final page should show text about how to find information to install your certificate with a link to the wiki.
3. On the same page there should be a link to the funding page
4. The donations page should show an entry for funding with a link to the funding page.

(0005412)
BenBE   
2015-06-23 20:13   
(Last edited: 2015-06-23 20:48)
Changes can be reviewed at:
https://github.com/CAcertOrg/cacert-devel/compare/bug-1379

Or in the CAcert local repository viewer:
https://git.cacert.org/gitweb/?p=cacert-devel.git;a=commitdiff;h=be0e5e013cc61d9d17dd59b72e8287aa37eb8190
https://git.cacert.org/gitweb/?p=cacert-devel.git;a=commitdiff;h=059e68aa69c443a5eb574b3bbac2be9dc95038e9
https://git.cacert.org/gitweb/?p=cacert-devel.git;a=commitdiff;h=3db97e4e1734de5e04b52ad5158e5aed0915ac4e

(0005413)
Eva   
2015-06-23 20:28   
When I was not logged in, the menu contained a link to a funding page. When I clicked the link, I got the funding page opened in a new window.
-> ok
I logged into an account and created a new client certificate.
When the process was finished, I got a page that contained a link to installing information for the certificate in the wiki and another link about some funding (both contained/"hidden" in the text - I did not find it on first glance)

When I tried the Wiki-Link, the according wiki page was opened in the SAME window.
There was no direct possibility to get back to the final-certificate-creation-page; using the "back"-option of the browser got me back to the start of the certificate creation process
-> not optimal

I completed another certificate completion process.
When I tried the Funding-Link the funding page was opened in the SAME window.
There was no direct possibility to get back to the final-certificate-creation-page; using the "back"-option of the browser got me back to the start of the certificate creation process
-> not optimal


It would be a lot better to have both links opened in a new page as it is when one is not logged in. This is especially true as one would miss the other information about the certificate and the other link.

This is not tragic as one can find the same information and page by going to "view certificate" and clicking at the specific certificate that one had just created. However this may be disturbing and unintuitive for new users.

-> ok but not optimal
(0005414)
BenBE   
2015-06-23 20:46   
The change request for opening the links in a new window has been applied to the bug branch and ported to the testserver.
(0005415)
Eva   
2015-06-23 20:49   
I created a new certificate and saw again the text with the two links.

Both links opened a new window with the according content (see last test done by me).
-> ok

When not logged in there is no change to above test.
-> ok

=> OK
(0005419)
rubo77   
2015-07-13 22:45   
The link to the Wiki is correct. But on that wiki page a hint is missing that you have to import the certificate into your email client after you exported it to your local drive
(0005635)
Ted   
2018-11-01 21:00   
I just rebased the bug-1379 to the current release branch. So, we could continue work on this issue...


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1076 [CATS.cacert.org] User Interface tweak always 2012-06-25 20:52 2018-09-03 20:20
Reporter: Lemming Platform:  
Assigned To: OS:  
Priority: low OS Version:  
Status: new Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Summary: Show incorrect answers of others
Description: If I change the value of parameter 'lp_id' in a URL like this https://cats.cacert.org//index.php?site=progress&action=showIncorrectAnswers&lp_id=00000&t_id=2, I can see the questions which were incorrectly answered by others.

Tags:
Steps To Reproduce: *Login to CATS
*Click 'Progress'
*Select a challenge you've already done
*Click on the blue question mark
*Change value of 'lp_id' in your address bar into >= 4
Additional Information:
Attached Files:
Notes
(0005609)
Ted   
2018-09-03 20:20   
Aehm... yes.

Not really nice (because not anticipated), but is this a problem?


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1437 [IRC] cacert-votebot feature always 2018-04-06 17:21 2018-04-06 17:21
Reporter: jandd Platform:  
Assigned To: jandd OS:  
Priority: normal OS Version:  
Status: new Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Summary: votebot should identify to nickserv
Description: It would be useful to allow votebot to identify to nickserv, to allow automatic permissions by chanserv and to claim the votebot nickname
Tags:
Steps To Reproduce:
Additional Information:
Attached Files:
There are no notes attached to this issue.


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1436 [IRC] cacert-votebot feature always 2018-04-06 09:38 2018-04-06 09:38
Reporter: jandd Platform: irc  
Assigned To: jandd OS:  
Priority: normal OS Version:  
Status: new Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Summary: votebot should provide commands to change the vote and meeting channels
Description: It would be a good idea to allow switching the votebot to a different meeting or vote channel via an IRC command. Currently a configuration change by an admin on ircserver is necessary.
Tags:
Steps To Reproduce:
Additional Information:
Attached Files:
There are no notes attached to this issue.


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1435 [IRC] cacert-votebot feature always 2018-04-06 09:36 2018-04-06 09:36
Reporter: jandd Platform: irc  
Assigned To: jandd OS:  
Priority: low OS Version:  
Status: new Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Summary: votebot should (optionally) restrict starting votes to a subset of users
Description: It would be good if votebot would only accept the vote command (and maybe other commands in the future) from specific users. It could either have its own ACL or use some set of channel permissions from the vote channel (i.e. voice or op) to base its permissions on.
Tags:
Steps To Reproduce:
Additional Information:
Attached Files:
There are no notes attached to this issue.


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1433 [Main CAcert Website] website content minor always 2018-04-04 09:43 2018-04-04 09:43
Reporter: thiloh Platform: Main CAcert Website  
Assigned To: OS: N/A  
Priority: normal OS Version: stable  
Status: new Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Reviewed by:
Test Instructions:
Summary: Login with certificate not possible
Description: The login with certificate is not possible because the server secure.cacert.org doesn't provide a valid certificate.
All certificates are imported into (various) browsers (root, level3 and personal).

Similar behavior on Firefox, Chrome and Safari on Mac
Tags: login error
Steps To Reproduce:
Additional Information:
System Description Production version of the CAcert website
Attached Files:
There are no notes attached to this issue.


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1421 [Main CAcert Website] website content major have not tried 2017-02-15 07:40 2018-02-10 10:11
Reporter: oitconz Platform: Linux  
Assigned To: OS: Linux  
Priority: normal OS Version: Mint Latest  
Status: new Product Version: 2015 Q3  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Reviewed by:
Test Instructions:
Summary: Certificate error logging in
Description: The main site comes up with a cert error - using an older outdated version of https to connect to the site.
Tags: login error
Steps To Reproduce: go to main site using firefox.
Additional Information:
System Description Production version of the CAcert website
Attached Files:
Notes
(0005573)
L10N   
2018-01-08 22:32   
Have you installed the root certificates in your browser?

You may find the root certificates here: https://www.cacert.org/?id=3
Further readings are here: https://wiki.cacert.org/FAQ/BrowserClients


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1202 [Main CAcert Website] certificate issuing major N/A 2013-08-16 16:03 2018-02-10 10:09
Reporter: equinox Platform: all  
Assigned To: OS: all  
Priority: normal OS Version: all  
Status: confirmed Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Reviewed by:
Test Instructions:
Summary: Support for Elliptic Curve Certificates
Description: As some experts are talking about the possibility that RSA and classic DH may be unsafe to use in 4 to 5 years [1][2], it might be nice to have support for ECDSA certificates. I tried to sign a CSR using ECDSA some days ago but the system never returned a certificate... I assume it got ignored because ECC is not supported by now.

[1] .. http://fr.arxiv.org/abs/1306.4244
[2] .. http://www.technologyreview.com/news/517781/math-advances-raise-the-prospect-of-an-internet-security-crisis/
Tags: future, new feature
Steps To Reproduce:
Additional Information: same as 0001238;
have same experience using elliptic keys that are fine for Mozilla and others.
My signing request, on the basis of key alg. secp384r1, still worked 6 months ago. But now, asking for renewal, check_weak_key.php says that the key algorithm is not recognized and so no signing is done because of security. This is the default after only some RSA tests.
Now have to redo all security of the webserver because cacert doesn't know DH and elliptic keys anymore.
Requests were generated with latest openssl. Please restore this functionality!
Attached Files:
Notes
(0004246)
ott   
2013-08-24 12:01   
I can confirm this. I remember from a short conversation with BenBE about this that OpenSSL just has to be upgraded. A quick look at cacert-devel a82f507306a9eba8a9f5dff82d2091dbd29edf71 confirms this.
(0005031)
ckujau   
2014-09-25 22:35   
Hm, I don't understand - https://github.com/CAcertOrg/cacert-devel/commit/a82f507306a9eba8a9f5dff82d2091dbd29edf71 updates some text files...?

Also, when I try to get an EC CSR signed, it's not "not returning a certificate", but it's printing out an error here, without much detail though:

1) openssl ecparam -name prime256v1 -out foo_ecparam.pem
2) openssl req -newkey ec:foo_ecparam.pem -sha512 -out foo_ec.csr \
          -keyout foo_ec.key -nodes \
          -subj "/C=AB/ST=Foo/L=Bar/O=Baz/OU=foo.net/CN=foo.net/emailAddress=admin@foo.net"
3) Go to https://www.cacert.org/account.php?id=10 and paste foo_ec.csr gives:

   The keys you supplied use an unrecognized algorithm.
   For security reasons these keys can not be signed by CAcert.
(0005464)
klondike   
2015-10-08 21:10   
This still seems to be an issue. Are there any plans for this?
(0005493)
My1   
2016-01-19 00:04   
I can't do it either. Trying with a p521 key for tinfoil hat reasons (replacing a 16k RSA key)
(0005494)
BenBE   
2016-02-02 20:20   
There are plans for support for this.

The comment in https://github.com/CAcertOrg/cacert-devel/blob/release/includes/lib/check_weak_key.php#L205 is related to DSA.

For ECDSA (ECC) to work, the appropriate checks need to be implemented to verify the provided ECDSA key is sane. These checks are currently still completely missing. Providing a patch for these will help greatly.
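As an added example, not CAcert's check_weak_key.php, here is the kind of sanity check for an EC key taken from a CSR that the comment above says is still missing: the key type is read with the openssl extension, only named curves from an allowlist are accepted, and a CSR like the prime256v1 one ckujau posted is generated on the fly as test input. It assumes PHP 7.1 or later with the openssl extension; the curve allowlist and the message texts are choices made here, not CAcert policy.

```php
<?php
// Added example, not CAcert's check_weak_key.php: a sanity check for an EC
// key taken from a CSR, of the kind that is described as still missing.
// Assumes PHP >= 7.1 with the openssl extension; the curve allowlist and the
// message texts are choices made here, not CAcert policy.

const ALLOWED_CURVES = ['prime256v1', 'secp384r1', 'secp521r1'];

/**
 * Return '' when the key in the CSR is acceptable, otherwise a reason text
 * (check_weak_key.php also reports problems as text).
 */
function checkCsrKey(string $csrPem): string
{
    $pubKey = openssl_csr_get_public_key($csrPem);
    if ($pubKey === false) {
        return 'The CSR could not be parsed.';
    }
    $details = openssl_pkey_get_details($pubKey);
    if ($details === false) {
        return 'The public key in the CSR could not be read.';
    }
    switch ($details['type']) {
        case OPENSSL_KEYTYPE_RSA:
            // RSA keys would continue through the existing RSA checks; only
            // the size is looked at here.
            return $details['bits'] >= 2048 ? '' : 'RSA key shorter than 2048 bits.';
        case OPENSSL_KEYTYPE_EC:
            return checkEcKey($details);
        default:
            return 'The keys you supplied use an unrecognized algorithm.';
    }
}

/** EC-specific part: only named curves from the allowlist are accepted. */
function checkEcKey(array $details): string
{
    $curve = $details['ec']['curve_name'] ?? null;
    if ($curve === null || $curve === '') {
        // Explicit (unnamed) curve parameters cannot be matched against an
        // allowlist, so they are refused instead of being trusted blindly.
        return 'EC key does not use a named curve.';
    }
    if (!in_array($curve, ALLOWED_CURVES, true)) {
        return "EC curve $curve is not accepted.";
    }
    // OpenSSL rejects points that are not on the curve while parsing the key,
    // so only the presence of both public coordinates is checked here.
    if (empty($details['ec']['x']) || empty($details['ec']['y'])) {
        return 'EC public point is incomplete.';
    }
    return '';
}

/** Build a CSR for a freshly generated key; used only to produce test input. */
function makeTestCsr(array $keyOptions): string
{
    $key = openssl_pkey_new($keyOptions);
    $csr = openssl_csr_new(
        ['commonName' => 'foo.net', 'emailAddress' => 'admin@foo.net'],
        $key,
        ['digest_alg' => 'sha256']
    );
    if ($csr === false) {
        throw new RuntimeException('CSR generation failed: ' . openssl_error_string());
    }
    openssl_csr_export($csr, $pem);
    return $pem;
}

// Constructed inputs: a P-256 CSR like the one ckujau tried, a P-521 one like
// My1's, and a 1024-bit RSA CSR that must be refused.
$cases = [
    'EC prime256v1' => ['private_key_type' => OPENSSL_KEYTYPE_EC, 'curve_name' => 'prime256v1'],
    'EC secp521r1'  => ['private_key_type' => OPENSSL_KEYTYPE_EC, 'curve_name' => 'secp521r1'],
    'RSA 1024'      => ['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 1024],
];
foreach ($cases as $label => $options) {
    $result = checkCsrKey(makeTestCsr($options));
    printf("%-14s -> %s\n", $label, $result === '' ? 'accepted' : $result);
}
```

The two EC CSRs are accepted and the 1024-bit RSA CSR is refused with the size message; a CSR on a curve outside the allowlist would be refused with the curve message.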
(0005544)
travm1   
2017-04-07 22:10   
Interesting read about ECC
https://www.everipedia.com/Elliptic_curve_cryptography/
(0005558)
thalamus   
2017-10-16 12:48   
awesome, thanks travm1

http://www.thalamus.co


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1429 [Main CAcert Website] translations text have not tried 2017-11-29 17:18 2017-12-19 14:03
Reporter: marian Platform:  
Assigned To: OS:  
Priority: normal OS Version:  
Status: needs review & testing Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Reviewed by:
Test Instructions:
Summary: german translation of verify page is not understandable
Description: the German translation of the verify.php?type=domain ... page is completely wrong.

it reads "bitte überprüfen Sie diese Domain". If I hadn't done this before and couldn't guess that "verify" is meant, I wouldn't have understood it.

please change it to "bestätigen" (also on the confirmation page that follows), which is the correct translation in this case.

(and please introduce a translation process that includes testing the ui with the generated strings, then this would have been noticed)
Tags: Translation
Steps To Reproduce:
Additional Information:
Attached Files: verify.png (11,896 bytes) 2017-11-29 17:18
http://bugs.cacert.org/file_download.php?file_id=421&type=bug
Notes
(0005568)
L10N   
2017-12-19 14:02   
I changed the translation in line 150 and 152 ("Ja, ...." and "Domain....")


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1344 [Wiki] organisational section text always 2014-12-13 14:11 2017-11-08 15:21
Reporter: HansMaulwurf Platform: Main CAcert Website  
Assigned To: OS: N/A  
Priority: high OS Version: stable  
Status: new Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Summary: Wrong install instruction for the root cert for Red Hat Linux.
Description: On the page http://wiki.cacert.org/FAQ/ImportRootCert#Linux
is written:
Red Hat 5+: wget -O - http://www.cacert.org/certs/root.txt >> /etc/pki/tls/certs/ca-bundle.crt (this will be overridden by updated openssl RPMs so it is likely not the best method)

Red Hat 4: Change the above location of ca-bundle.crt to /usr/share/ssl/certs/ca-bundle.crt

Fedora: Copy the certificate to /etc/pki/ca-trust/source/anchors/ then run update-ca-trust extract

But this is wrong, because
- RHEL 4 is deprecated and only supported under very special terms.
- for RHEL generation 7 the same instruction as for Fedora should be used.
- The correct call for Fedora is "update-ca-trust" instead of "update-ca-trust extract".
Tags: linux, Redhat, tutorial, Wiki
Steps To Reproduce:
Additional Information:
System Description Production version of the CAcert website
Attached Files:
Notes
(0005178)
L10N   
2014-12-15 13:14   
I put a warning on that Wiki page and linked to this bug.
(0005192)
L10N   
2014-12-18 21:30   
Maybe the information from this document [1] could be helpful?

[1] http://www.trustis.com/healthcare/support/Redhatlinuxguide.pdf
(0005194)
HansMaulwurf   
2014-12-18 21:43   
No, because all paths for the cert files described in it are wrong.
On Red Hat based systems certificates will live at /etc/pki/tls/


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
666 [bugs.cacert.org] misc minor always 2009-01-03 20:22 2017-11-08 15:19
Reporter: ph3 Platform: Main CAcert Website  
Assigned To: OS: N/A  
Priority: normal OS Version: stable  
Status: new Product Version: production  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Summary: Mantis allows login without SSL/TLS
Description: Mantis allows logging in without SSL/TLS. You need to manually add the s for SSL/TLS into the location bar of your browser.
Tags:
Steps To Reproduce:
Additional Information: Possible fix:

check for the protocol (HTTP/HTTPS) and redirect to https://$HOST/$SCRIPT?$QUERY_STRING in case of HTTP. As it will mainly redirect on the login page this should not break anything.
System Description Production version of the CAcert website
Attached Files: rfc3330.txt (16,200 bytes) 2014-10-04 09:53
http://bugs.cacert.org/file_download.php?file_id=382&type=bug
Notes
(0001265)
Sourcerer   
2009-01-04 19:35   
The possibility to login without HTTPS is a feature, not a bug. (So that people that have troubles with importing the root certificate can also file bugs)
The default login with HTTP is a bug, we would prefer to default to HTTPS login.
Could you evaluate, whether we can configure that in Mantis, and if not to file a feature request for that feature on http://www.mantisbt.org/
(0005543)
bjobjo   
2017-04-04 16:29   
Hi,

The confirmation mail when you register in Mantis redirects you to the non-secure access where you have to define your password.

Please change all links to https.

I don't agree for "possibility to login without HTTPS is a feature",
this is probably a very specific case; you can still offer a redirect page that displays information, a link to a form specific for this kind of problem and a link to the secure site. A FAQ about "cannot access the https site" can also be present on that form to help the user and avoid a ticket if he did not import the root certificate (which is no longer sufficient, as Firefox is refusing MD5/RSA signed certificates in the full chain as stated in ticket 0001305).

So please, secure all our sites and make it state of the art.

Thanks a lot for the hard work!


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
972 [CATS.cacert.org] Translation: Content minor N/A 2011-08-22 21:18 2017-10-03 12:14
Reporter: Ted Platform:  
Assigned To: Ted OS:  
Priority: normal OS Version:  
Status: needs work Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Summary: Translation of Assurer Challenge to Dutch
Description: This is to keep track of the current status of the translation.
Tags: CATS, Translation
Steps To Reproduce:
Additional Information:
Attached Files:
Notes
(0002318)
Ted   
2011-08-22 22:10   
Current status:

Translation about 60% completed
(0005181)
L10N   
2014-12-15 13:32   
Is there some progress? Is someone working on it?
(0005557)
L10N   
2017-10-03 12:14   
> Translation about 60% completed

Where are these translations? On Pootle, Dutch is only 1% translated.


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
974 [CATS.cacert.org] Translation: Content minor N/A 2011-08-22 21:20 2017-08-20 13:47
Reporter: Ted Platform:  
Assigned To: Ted OS:  
Priority: normal OS Version:  
Status: needs work Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Summary: Translation of Assurer Challenge to Spanish
Description: This is to keep track of the current status of the translation.
Tags:
Steps To Reproduce:
Additional Information:
Attached Files:
Notes
(0002320)
Ted   
2011-08-22 22:13   
Current status:

New test created, translation not started
(0003715)
chema.alonso   
2013-01-22 19:21   
I'd like to translate the Assurer Challenge to Spanish. AFAIK I have to tell the number of my client certificate in order to enable access to do the job.

Is that Ok?

TIA
(0005552)
L10N   
2017-08-16 20:36   
@chema.alonso: Yes, please, do it (if not already started)!
(0005553)
chema.alonso   
2017-08-18 14:11   
Unfortunately one year ago or so I lost access to my CAcert account. I tried to get it back contacting support with no success, so I decided to quit as assurer and translator.
(0005554)
L10N   
2017-08-20 13:47   
@chema.alonso: I am sorry about that. In fact CAcert had some trouble last spring/summer with a lack of volunteers (not only) for support. This was really a bad time to have troubles :-( But now, support works well again.

I started at CAcert in 2013, just like you. With your help and the help of some others, we will bring CAcert forward. I see the support engineering this week. Please write an e-mail to secretary AT cacert DOT org. There will be a solution in very short time. (Sorry for poor Spanish)

I see the support engineering this week. please write an e-mail to the secretary AT cacert DOT org There will be a solution in very short time.


http://wiki.cacert.org/FAQ/LostPasswordOrAccount


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1425 [Main CAcert Website] certificate issuing minor always 2017-04-11 14:02 2017-04-11 14:02
Reporter: stargrave Platform:  
Assigned To: OS:  
Priority: normal OS Version:  
Status: new Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Reviewed by:
Test Instructions:
Summary: SHA384 hash specifying not working
Description: I am trying to issue certificate to myself and set in Advanced options that SHA384 should be used. But issued certificate has SHA512 signature. SHA512 and SHA256 specifying works as expected.
Tags:
Steps To Reproduce: Create CSR. Login to CAcert.org. Click to new server certificate. Paste CSR in the form and select SHA384. Click submit, submit. Take issued certificate and see its signatureAlgorithm.
Additional Information: POST data query shows that sha384 information is sent: description=&CSR=BASE64(CSR)&hash_alg=sha384&CCA=on&process=Submit&oldid=10
Attached Files:
There are no notes attached to this issue.


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1278 [Main CAcert Website] GPG/PGP minor have not tried 2014-05-13 20:05 2017-04-10 02:59
Reporter: hanno Platform:  
Assigned To: OS:  
Priority: normal OS Version:  
Status: new Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Reviewed by:
Test Instructions:
Summary: CAcert PGP key is using outdated and insecure crypto algorithms (DSA/1024 bit)
Description: The CAcert PGP signing key is currently a 1024-bit DSA key. 1024-bit discrete logarithm based algorithms are not considered secure these days and DSA itself is a very questionable algorithm, because it can easily break completely when used with bad randomness.

I suggest CAcert creates a new PGP signing key with 4096 bit RSA and defaults to SHA512-signatures (both for key self-signatures and for signing other keys).
Tags:
Steps To Reproduce:
Additional Information:
Attached Files:
Notes
(0005545)
arsantiqua   
2017-04-10 02:59   
Current (52.0.2 64 bit) firefox flags this with:

www.cacert.org uses an invalid security certificate. The certificate is not trusted because it was signed using a signature algorithm that was disabled because that algorithm is not secure. Error code: SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED

with the following:

https://www.cacert.org/index.php?id=4

The certificate was signed using a signature algorithm that is disabled because it is not secure.

HTTP Strict Transport Security: false
HTTP Public Key Pinning: false

Certificate chain:



View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1424 [test.cacert.org] test.cacert.org minor always 2017-03-29 06:05 2017-03-29 06:05
Reporter: TomA32123 Platform: Default  
Assigned To: OS: any  
Priority: normal OS Version: any  
Status: new Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Summary: HP Printer Certificate Error
Description: When I try to add the certificate to my HP printer to enable the scan to email function I receive the following error:

The certificate is not RFC 5280 compliant.
Tags:
Steps To Reproduce:
Additional Information:
System Description Default profile.
Attached Files:
There are no notes attached to this issue.


ID: 1422
Category: [Main CAcert Website] website content
Severity: major
Reproducibility: have not tried
Date Submitted: 2017-02-15 07:43
Last Update: 2017-02-15 07:43
Reporter: oitconz
Platform: Linux
Assigned To:
OS: Linux
Priority: normal
OS Version: Mint Latest
Status: new
Product Version: 2015 Q3
Product Build:
Resolution: open
Projection: none
ETA: none
Fixed in Version:
Target Version:
Reviewed by:
Test Instructions:
Summary: Failure to confirm email addresses
Description: Putting my email addresses in returned failures for two of my addresses, which work as I am sending and receiving emails all day on them.

hollis.org.nz, outsourcedit.co.nz

One is a Linux server, one is a SmarterMail server. Both handle encryption and passed with an A certification from SSL checkers etc.
Tags:
Steps To Reproduce: email me shane@outsourcedit.co.nz
Additional Information:
System Description Production version of the CAcert website
Attached Files:
There are no notes attached to this issue.


ID: 1419
Category: [Main CAcert Website] website content
Severity: minor
Reproducibility: always
Date Submitted: 2016-12-19 12:23
Last Update: 2016-12-19 12:23
Reporter: Ludovic
Platform: Main CAcert Website
Assigned To:
OS: N/A
Priority: normal
OS Version: stable
Status: new
Product Version:
Product Build:
Resolution: open
Projection: none
ETA: none
Fixed in Version:
Target Version:
Reviewed by:
Test Instructions:
Summary: Issue with displaying "é" as "&eacute;" in "Client Certificates - View all certificates"
Description: For URL https://www.cacert.org/account.php?id=5
In the column Revoked the text "Not Revoked" is displayed as "Non r&eacute;voqu&eacute;" instead of "Non révoqué" for the French translation.

The HTML source code is: "<td class="DataTD">Non r&amp;eacute;voqu&amp;eacute;</td>"
But should be "<td class="DataTD">Non révoqué</td>"

The "é" is correctly converted to "&eacute;" but then the "&" is translated to "&amp;".
Tags:
Steps To Reproduce: Switch to French in the default language (URL https://www.cacert.org/account.php?id=41)
Then display the list of user certificates (URL https://www.cacert.org/account.php?id=5)
Additional Information: The HTML page uses content="text/html; charset=utf-8" so it should be possible to directly use the "é" in utf-8.
System Description Production version of the CAcert website
Attached Files: cacert.png (210,963 bytes) 2016-12-19 12:23
http://bugs.cacert.org/file_download.php?file_id=419&type=bug
There are no notes attached to this issue.
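The double encoding described in this report, as an added example that is not part of the bug report or of the CAcert code base: the translation string already carries HTML entities, the template then HTML-escapes it once more, and the browser shows the entity text literally. The output escaping itself must stay, since it is the XSS defence for every other value rendered into the same table; the fix is on the data side, storing the translation as raw UTF-8 as the reporter suggests (or normalising the catalogue once with html.unescape). The DataTD markup and the two strings come from the report; the function names and the catalogue-normalisation step are this example's own.

```python
"""Why "Non r&eacute;voqu&eacute;" reaches the screen, and the data-side fix."""
import html


def render_cell(text):
    """Output-encode exactly once at the template boundary (the XSS defence; keep it)."""
    return '<td class="DataTD">%s</td>' % html.escape(text)


def browser_shows(cell_html):
    """What the user sees for the cell: strip the tag, decode entities once."""
    inner = cell_html[len('<td class="DataTD">'):-len("</td>")]
    return html.unescape(inner)


def normalise_catalogue_entry(msgstr):
    """One-off migration step for the translation catalogue (assumption: entries are either
    raw UTF-8 or entity-encoded exactly once): entity text becomes raw UTF-8, raw text is unchanged."""
    return html.unescape(msgstr)


# Constructed inputs: the French entry as it apparently was, and as it should be stored.
ENTITY_ENCODED = "Non r&eacute;voqu&eacute;"
RAW_UTF8 = "Non révoqué"


def demo():
    """Return (buggy cell, what it displays, fixed cell, what it displays)."""
    buggy = render_cell(ENTITY_ENCODED)      # '&' -> '&amp;', so the entity survives literally
    fixed = render_cell(normalise_catalogue_entry(ENTITY_ENCODED))
    return buggy, browser_shows(buggy), fixed, browser_shows(fixed)


if __name__ == "__main__":
    for label, value in zip(("buggy source", "buggy display", "fixed source", "fixed display"), demo()):
        print(f"{label:14s} {value}")
```

The normalisation runs once over the catalogue, not at render time: applying html.unescape to arbitrary page data on every request would undo the escaping for attacker-controlled fields as well.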


ID: 1418
Category: [CATS.cacert.org] Content (Questions and Answers)
Severity: minor
Reproducibility: always
Date Submitted: 2016-10-09 12:57
Last Update: 2016-10-13 19:13
Reporter: bortzmeyer
Platform:
Assigned To: Ted
OS:
Priority: normal
OS Version:
Status: solved?
Product Version: production
Product Build:
Resolution: no change required
Projection: none
ETA: none
Fixed in Version:
Target Version:
Summary: "New Hebrides" no longer exist
Description: About passports, CATS mentions a passport for "New Hebrides". This country has been called Vanuatu since its independence (and their passport is not on http://www.worldpassports.org/ ..)
Tags:
Steps To Reproduce:
Additional Information:
Attached Files:
Notes
(0005528)
Ted   
2016-10-13 19:13   
This is intentional. You found the easter egg! :-)

Please have a look at https://en.wikipedia.org/wiki/Camouflage_passport and https://wiki.cacert.org/AcceptableDocuments#Passports


ID: 1238
Category: [Main CAcert Website] certificate issuing
Severity: minor
Reproducibility: have not tried
Date Submitted: 2014-01-09 09:35
Last Update: 2016-09-17 13:02
Reporter: INOPIAE
Platform:
Assigned To:
OS:
Priority: normal
OS Version:
Status: confirmed
Product Version: 2014 Q1
Product Build:
Resolution: open
Projection: none
ETA: none
Fixed in Version:
Target Version: 2014 Q3
Reviewed by:
Test Instructions:
Summary: Problems with signing server certs with elliptic curve crypto
Description: Taken from ticket s20140108.81
User tries to create a server cert with EC which is in pending mode for more than 24 hours.
The CSR shows the following:
 Subject Public Key Info:
   Public Key Algorithm: id-ecPublicKey
   EC Public Key:
   pub: ....
   ASN1 OID: prime256v1
   Attributes:
         a0:00
   Signature Algorithm: ecdsa-with-SHA256
Tags:
Steps To Reproduce:
Additional Information:
Attached Files:
There are no notes attached to this issue.


ID: 223
Category: [Main CAcert Website] account administration
Severity: feature
Reproducibility: always
Date Submitted: 2006-05-01 07:57
Last Update: 2016-08-28 08:44
Reporter: Sourcerer
Platform:
Assigned To:
OS:
Priority: low
OS Version:
Status: confirmed
Product Version:
Product Build:
Resolution: open
Projection: none
ETA: none
Fixed in Version:
Target Version:
Reviewed by:
Test Instructions:
Summary: Auditor Interface
Description: We need an auditor interface in the web-interface, both for internal and external auditors.
The auditor should have the function of running predefined queries against the database, and see the result of them.
Needed functionality:
* List of all accounts with the Admin Bit
* List of all accounts with non-[A-Za-z0-9] characters in any fields
* List of all certificates with Punycode in them
* List of all Orga-Assurers, together with their country
* List of all Location-DB-Admins, together with their country
* List of all countries, and the amount of assurers, users (certificates) in that country
...
Tags:
Steps To Reproduce:
Additional Information:
Attached Files:
Notes
(0000214)
bluec   
2006-05-01 08:00   
This could also be extended to an Apache logfile analysis. There have been exploits in the CAcert source that could only be detected by looking at the Apache logfiles.

e.g. http://bugs.cacert.org/view.php?id=152
(0000215)
Sourcerer   
2006-05-01 08:00   
* List of all accounts that have >= 50 points, and have been assured by less than 2 people
* List of all accounts that have >= 100 points, and have been assured by less than 3 people
(0005527)
Eva   
2016-08-28 08:44   
Is there an Arbitration ruling to provide this kind of access? Else this would neither be covered by Security Policy nor by Privacy Policy.


ID: 859
Category: [Main CAcert Website] account administration
Severity: feature
Reproducibility: N/A
Date Submitted: 2010-09-04 06:57
Last Update: 2016-08-28 08:41
Reporter: JSteijlen
Platform:
Assigned To: NEOatNHNG
OS:
Priority: high
OS Version:
Status: needs work
Product Version:
Product Build:
Resolution: open
Projection: none
ETA: none
Fixed in Version:
Target Version:
Reviewed by: NEOatNHNG
Test Instructions:
Summary: feature request: show activity on an account in the admin interface.
Description: Sometimes it's hard to judge if an account is still in use.
Quite often there are no recent assurances made/received.

Showing the date of last activity (any kind; the kind itself is not interesting) can aid support in judging whether an account is still active or languishing into bit-rot.
Kinds of activity that could update this feature are assurances (of both variations), certificate creation, or even last login.


account creation date would also be nice.
Tags:
Steps To Reproduce:
Additional Information:
Attached Files: 43_859_110826.php (18,680 bytes) 2011-08-26 10:22
http://bugs.cacert.org/file_download.php?file_id=203&type=bug
43-859-diff-20110826.diff (2,048 bytes) 2011-08-26 10:54
http://bugs.cacert.org/file_download.php?file_id=209&type=bug
Notes
(0002327)
Uli60   
2011-08-23 03:03   
affected date fields:
table users.created "2010-04-15 14:05:45"
table users.modified "2011-08-23 03:21:01" (last login)
table notary.date "04.08.2010" The Assurance Date the assurer added
table notary.when "2010-08-04 13:38:26" the date and time assurance was entered
                                        into the system
other tables like emailcerts displays the creation date and modification date/time
activity in such areas are also shown by table users.modified
(0002329)
Uli60   
2011-08-23 13:08   
(Last edited: 2011-08-23 13:09)
> account creation date would also be nice.
account created:
 "this month" | "this year" | "after Apr 2009" | "before Apr 2009"
is enough debug info to display in case of problems with user account.
 "this month" | "this year" gives info that the account was a newly created account
"after Nov 2007" | "before Nov 2007" gives enough info on whether CCA acceptance potentially exists or not. In Apr (or was it June 2009?!?) the accept-CCA checkbox was made mandatory

so a one-liner info below the user infos can be given without disclosing too much PII, and it is helpful in support requests
see also bug 0000975

(0002353)
Uli60   
2011-08-26 10:23   
fix separated in 43_859_110826.php
code based on cacert
commit ce4bfbaf0c2babb5bba2568d3b8712e1615aa651
(0002785)
NEOatNHNG   
2012-01-23 20:13   
I have reviewed Uli's patch, modified it slightly and added it to the test server. Please review and test the changes.
(0002789)
Uli60   
2012-01-24 04:48   
(Last edited: 2012-01-24 04:55)
login with admin account, Sysadmin - find user

search user 1, account created and used today
test.dedispute@o...
Account Activity
Account created: this month => OK
Last activity: this month => OK

search user 2, (my own admin account), created by the time, testserver started
ulrich@c.o
Account Activity
Account created: between June 2009 and this year => OK
Last activity: this month => OK

search user 3: one of the new created accounts for tests within this year
bug975.user1@w...
Account Activity
Account created: between June 2009 and this year => OK
Last activity: within last 12 months => OK

overall result => OK

One sidenote:
regarding "minimal" assurer errors regarding DoB, the absolute account creation date might be useful -> eg account created effective date 2012-01-24, effective DoB: 1970-01-20, DoB in online account: 1970-01-24
-or-
created account 2012-01-19, effective DoB 1970-01-13, DoB in online account 1970-01-19
This error can be seen as "using today's day number" while creating the account

(0002797)
NEOatNHNG   
2012-01-26 20:25   
I have just implemented the changes discussed in the last meeting:
- The creation date is now shown exactly
- The section is now hidden by default. If you need to see it you have to click on the heading.

Please retest and review
(0002816)
INOPIAE   
2012-01-31 22:01   
I tested different accounts.
Each account viewed in SE console first shows only account activity as headline without data- => ok
Clicking onto the account shows the correct values. => ok
=>ok
(0002817)
MartinGummi   
2012-01-31 22:06   
login with my admin account, Sysadmin - find user

test@sh23.tld
Account created: 2010-08-24 22:06:06
Last activity: before 2 years

lll@sh23.tld
Account created: 2010-10-19 18:47:20
Last activity: this month

admin-bug827@sh23.tld
Account created: 2011-02-21 23:22:46
Last activity: within last 12 months
(0002819)
NEOatNHNG   
2012-02-01 01:49   
There was a request to show whether the account was accessed within the last 30 days and not whether we are in the same month (which was what the supplied patch did). I have implemented that on the test system.

Please retest and review.

I also discovered that the last accessed date is actually only set when logging in via password, not if logging via client cert. Is this desirable?
(0002820)
JensK   
2012-02-04 10:19   
Sysadmin->Find user
Looked up a test account I haven't used in a while

Account activity shows as headline only => OK
Creation date is correct => OK
Last Activity is "within the last 6 months" => OK I guess (what granularity is the time supposed to have?)
Logged into the account, then rechecked => Last activity is now "within the last month" => OK
(0002824)
INOPIAE   
2012-02-07 22:08   
The last login with certificate should also be processed.

The activity should show the last activity on the account, either password login or cert login, depending on which was the latest.
(0002827)
JensK   
2012-02-08 13:28   
Currently none of my test accounts have valid certificates. If I log in to create one, that will reset the last activity to "within the last month", so I can't tell if a subsequent certificate login updates the last activity properly.
(0002875)
NEOatNHNG   
2012-03-13 21:55   
Modified date is not suitable for account activity as it is not set on certificate login.
(0005526)
Eva   
2016-08-28 08:41   
In what kind of situation would something like this be useful?


ID: 1259
Category: [Main CAcert Website] account administration
Severity: minor
Reproducibility: have not tried
Date Submitted: 2014-03-16 11:44
Last Update: 2016-08-14 17:44
Reporter: INOPIAE
Platform:
Assigned To:
OS:
Priority: normal
OS Version:
Status: new
Product Version:
Product Build:
Resolution: open
Projection: none
ETA: none
Fixed in Version:
Target Version:
Reviewed by:
Test Instructions:
Summary: Database cleanup regarding deleted accounts
Description: This bug is a split of bug 1223 regarding the database cleanup for deleted accounts.
Tags:
Steps To Reproduce:
Additional Information: Original bug text:
In the support case [s20131125.67] a member asked for a deleted account. He could not access it, and searching in the SE console I could not find it either. However if he used the 'Lost password' link on the login website, entered the email address and correct birthdate, he got to step 2 of password recovery. That means, here his account showed up.

This looked strange to me, since normally as SE I can search even for deleted email addresses and I find all accounts this email address belongs to or previously belonged. But in this case I didn't find it.

So I asked Wytze and he told me: "This email address can be found in the table `email`, but with the field `deleted`. It can also be found in the table
`users`, again with `deleted`."

It thus showed up that the handling of the `deleted` field in the software is rather inconsistent. I suggest that this handling should be straightened in the way that an SE always can see all email addresses, domains and accounts that ever existed. If there is more than one account, in the list of the accounts to select, a flag should be added to show if it is an active account, email address or domain or if it is deleted.
Attached Files:
Notes
(0005525)
Eva   
2016-08-14 17:44   
Arbitrator entry:
I am the Arbitrator of a20140316.1 - "database cleanup regarding deleted accounts" [1]. Piet Starreveld is the Case Manager.

That case is related to bug 0001259.

I hereby give the following preliminary ruling:

A patch for bug 1259 may not be set productive until the arbitration case a20140316.1 is decided or there is a ruling in that case that allows to set such a patch productive.

Eva Stöwe - 2016-08-14

[1] https://wiki.cacert.org/Arbitrations/a20140316.1


ID: 1416
Category: [Main CAcert Website] certificate issuing
Severity: major
Reproducibility: unable to reproduce
Date Submitted: 2016-07-28 17:56
Last Update: 2016-07-28 17:56
Reporter: kdb119
Platform: Mac
Assigned To:
OS: OS X
Priority: urgent
OS Version: stable
Status: new
Product Version:
Product Build:
Resolution: open
Projection: none
ETA: none
Fixed in Version:
Target Version:
Reviewed by:
Test Instructions:
Summary: Not receiving account confirmation e-mail for account creation
Description: Not receiving account confirmation e-mail. It appears that your SPF MX records do not exist or are incorrectly configured resulting in my ISP rejecting your mail. However, it is impossible for me to check since I don't receive any notification/mail!
Tags:
Steps To Reproduce:
Additional Information:
System Description Production version of the CAcert website
Attached Files:
There are no notes attached to this issue.


ID: 1415
Category: [Main CAcert Website] account administration
Severity: minor
Reproducibility: always
Date Submitted: 2016-06-29 21:13
Last Update: 2016-06-29 21:13
Reporter: Eva
Platform: Main CAcert Website
Assigned To:
OS: N/A
Priority: normal
OS Version: stable
Status: new
Product Version: 2015 Q3
Product Build:
Resolution: open
Projection: none
ETA: none
Fixed in Version:
Target Version:
Reviewed by:
Test Instructions: Try to do an email dispute on a deleted email. There should not be a notice sent to support or to one of the members as if the email were still part of the old account. Test for blocked and unblocked accounts. Also verify disputes of non-deleted email addresses.
Summary: treat deleted emails like free emails in email disputes functionality
Description: The email dispute does not distinguish whether emails of locked accounts are marked as deleted or not. This leads to a notice to support that someone tried to dispute an email from a blocked account, and possibly other activities.

As soon as an email is deleted in an account it can be added to another account. So the email dispute functionality should come to the same conclusion, that there is no need for an email dispute on that email. Regardless if the original account is blocked or not.

A deleted email address should be treated like a free email address in any situation. (Which is the case everywhere else.)

Please add a check for deletion of the email address to at least that part of the email dispute functionality.
Tags:
Steps To Reproduce: 1. Add an email to an account.
2. Delete that email and block that account. Alternatively just delete the account (which will do both).
3. dispute that email from another account.
Additional Information: This bug was added based on a ruling in arbitration case a20160621.1. For details consult the according case file:
https://wiki.cacert.org/Arbitrations/a20160621.1

It could be sensible to check domain disputes for comparable issues.
System Description Production version of the CAcert website
Attached Files:
There are no notes attached to this issue.


ID: 971
Category: [CATS.cacert.org] Translation: User Interface
Severity: minor
Reproducibility: N/A
Date Submitted: 2011-08-22 21:16
Last Update: 2016-05-03 11:51
Reporter: Ted
Platform:
Assigned To: Ted
OS:
Priority: normal
OS Version:
Status: needs review & testing
Product Version:
Product Build:
Resolution: open
Projection: none
ETA: none
Fixed in Version:
Target Version:
Summary: User Interface Translation to Spanish
Description: See language file https://svn.cacert.org/CAcert/Education/CATS/lang/spanish.php
Tags: CATS, Translation
Steps To Reproduce:
Additional Information:
Attached Files: spanish_php_revision.diff (19,785 bytes) 2013-01-22 19:09
http://bugs.cacert.org/file_download.php?file_id=315&type=bug
spanish_php_revision_reviewed.diff (19,822 bytes) 2016-05-03 11:50
http://bugs.cacert.org/file_download.php?file_id=418&type=bug
Notes
(0002317)
Ted   
2011-08-22 22:05   
Translation done by Sebastian Klus

Two reviews needed
(0002376)
INOPIAE   
2011-08-31 04:31   
english version can be found here https://svn.cacert.org/CAcert/Education/CATS/lang/english.php
(0002380)
antonio   
2011-08-31 08:42   
Review 1 sent by mail to reporter
(0003714)
chema.alonso   
2013-01-22 19:09   
Uploaded diff file with my revision (spanish_php_revision.diff)

BTW, the original english file ( https://svn.cacert.org/CAcert/Education/CATS/lang/english.ph) includes the word "informationen" (which I believe is in german) at line 156:

define("Statistic_06","user informationen");

I think it should be:

define("Statistic_06","user information");

Regards.
(0005182)
L10N   
2014-12-15 13:40   
Ted, could you ask Antonio and another Spanish speaker to review the diff file? It has been waiting for review for nearly two years...
(0005519)
jonas   
2016-05-03 11:51   
I have reviewed the diff file and made some changes. The updated diff file has been uploaded and is named: spanish_php_revision_reviewed.diff

If needed, I will look how to download the original spanish file from the git repository, apply the diff and create a pull request.


ID: 1411
Category: [Main CAcert Website] website content
Severity: minor
Reproducibility: have not tried
Date Submitted: 2016-02-09 19:46
Last Update: 2016-03-01 21:44
Reporter: INOPIAE
Platform:
Assigned To: BenBE
OS:
Priority: normal
OS Version:
Status: needs review & testing
Product Version: 2016 Q1
Product Build:
Resolution: open
Projection: none
ETA: none
Fixed in Version:
Target Version: 2016 Q1
Reviewed by: BenBE
Test Instructions: check the PayPal links on these pages /index.php, /index.php/?id=5, /index.php?id=13, /index.php/id=21 point to pages with EUR.
Summary: Change all PayPal donations buttons to the payment sites of CAcert in EUR
Description: All buttons should point to the CAcert PayPal payment in EUR
index.php
index.php?id=5
index.php?id=13
index.php?id=21 not needed as this already points to EUR
Tags:
Steps To Reproduce:
Additional Information:
Attached Files: Code for the Donation button.txt (357 bytes) 2016-02-09 19:47
http://bugs.cacert.org/file_download.php?file_id=414&type=bug
Code for the Password reset button.txt (465 bytes) 2016-02-09 20:54
http://bugs.cacert.org/file_download.php?file_id=415&type=bug
Code for the 5 EUR button.txt (460 bytes) 2016-02-09 20:57
http://bugs.cacert.org/file_download.php?file_id=416&type=bug
Code for the 50 EUR button.txt (461 bytes) 2016-02-09 20:58
http://bugs.cacert.org/file_download.php?file_id=417&type=bug
Notes
(0005507)
INOPIAE   
2016-02-26 06:18   
I pushed a fix to https://github.com/INOPIAE/CAcert/tree/bug-1411
(0005508)
reinhardm   
2016-02-26 20:54   
tested all of the above variants
index.php
index.php?id=5
index.php?id=13
index.php?id=21
by clicking the paypal button and checked the results.
All amounts are displayed in EURO; the symbol € and the text EUR are displayed.

Test successful.
(0005509)
aterpotiz   
2016-03-01 20:31   
test result:

index.php
    Text AU$50 (wrong text over Button1)
    Button1 --> Paypal € 50.00
    Button 2 --> PayPal € 5.00

index.php?id=5
    Button1 --> PayPal € 15.00

index.php?id=13
    Button1 --> PayPal € 0.00 (Change Button Logo to Donation?)

index.php?id=21
    Button1 --> PayPal € 10.00 / Year
    Button2 --> PayPal € 10.00

Test for Euro -- OK
(0005510)
StefanT   
2016-03-01 20:33   
Test with Chrome Version 48.0.2564.116 m
Paypal Links tested:
index.php EUR OK Buttons OK
index.php?id=5 EUR OK Button OK
index.php?id=13 EUR OK Button is for payment and not for donations
index.php?id=21 EUR OK Buttons OK
On Side 13 the Button should be replaced to a donation button
(0005511)
INOPIAE   
2016-03-01 21:44   
I pushed a new fix to https://github.com/INOPIAE/CAcert/tree/bug-1411


ID: 1343
Category: [Main CAcert Website] source code
Severity: major
Reproducibility: always
Date Submitted: 2014-12-13 11:46
Last Update: 2016-02-26 19:44
Reporter: wytze
Platform: Main CAcert Website
Assigned To: NEOatNHNG
OS: N/A
Priority: high
OS Version: stable
Status: ready to deploy
Product Version: 2014 Q4
Product Build:
Resolution: open
Projection: none
ETA: none
Fixed in Version: 2015 Q3
Target Version: 2014 Q4
Reviewed by: NEOatNHNG, BenBE
Test Instructions: See Steps to Reproduce
Summary: CommModule server.pl does not respond correctly to start/stop commands
Description: The CAcert CommModule server.pl code requires a minor fix to respond correctly to the "service commmodule stop" command.
The current code does not properly take Perl operator priority into account.
Tags:
Steps To Reproduce: Try to stop the running signing server (server.pl process) with:
    service commmodule stop
(NOTE: on the test servers: service commmodule-signer stop).
Observe that the server.pl process continues running.
Additional Information: Context diff for the source code fix is:

@@ -1002,7 +1002,7 @@
 my $count=0;

 #As soon as the client connected successfully, the client has to send a request faster than every 10 seconds
-while(@ready = $sel->can_read(15) && -f "./server.pl-active")
+while((@ready = $sel->can_read(15)) && -f "./server.pl-active")
 {
   my $data="";
   #my $length=read SER,$data,1;
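Review bot: the parentheses are the whole fix and deserve a comment above the `while`, because the `-` and `+` lines read almost identically and the next reader will be tempted to drop them. In Perl `&&` binds tighter than `=`, so the old line assigns the single value of `$sel->can_read(15) && -f "./server.pl-active"` to `@ready` (with `can_read` evaluated in scalar context), and a list assignment evaluated in the scalar context of `while` yields the number of elements on the right-hand side, which is 1 even when that one value is false; the condition therefore stays true after `server.pl-active` is removed, which matches the reported symptom that `service commmodule stop` leaves server.pl running. The `+` line assigns the list of ready handles first and only then tests `-f`. Suggest adding `# parentheses required: assign the ready list, then test the active-marker file` directly above the loop.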
System Description Production version of the CAcert website
Attached Files:
Notes
(0005340)
BenBE   
2015-03-03 20:40   
Tested by Crit (wytze) when providing the original patch.
Also tested by me when restarting the CommModule recently when I applied patches on the testserver.
(0005442)
NEOatNHNG   
2015-07-29 17:02   
Patch looks OK, although I'm not Perl-literate enough to get why it was not working before. Yes, the @ready would contain a different value, but shouldn't that be false too if the server.pl-active is missing?
(0005457)
felixd   
2015-08-25 20:22   
Tested on a local installation: The Signer seems to behave identically with or without the brackets. In both cases the perl command terminated within 20 seconds.


ID: 1413
Category: [Main CAcert Website] misc
Severity: feature
Reproducibility: always
Date Submitted: 2016-02-24 20:09
Last Update: 2016-02-24 20:09
Reporter: BenBE
Platform:
Assigned To: INOPIAE
OS:
Priority: normal
OS Version:
Status: new
Product Version: 2016 Q1
Product Build:
Resolution: open
Projection: none
ETA: none
Fixed in Version:
Target Version: 2016 Q2
Reviewed by:
Test Instructions: See steps to reproduce. Target is testing all functions causing zero issues doing so.
Summary: Introduce CSP and other security headers
Description: The site should be changed so that the security features of modern browsers can be used (XSS protection, IFrame protection, CSP, CORS, ...). In particular for Content Security Policy (CSP) the following policy should work:

default-src 'none'; script-src 'self'; img-src 'self'; style-src 'self'; font-src 'self';
Tags:
Steps To Reproduce: Use a plugin like "Caspr: Enforcer" and enable the above policy.
Hitting F12 and refreshing/browsing any page of the webdb should yield no error messages in the Chrome console.
Additional Information: The above policy requires mostly the following changes:
- Move JS code to static files
- Move CSS into the normal style sheet (or separate files)
- Deliver used fonts locally as static files (or via webstatic / requires slight modification to above policy).
Attached Files:
There are no notes attached to this issue.
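The migration work listed under Additional Information (move inline JS and CSS into static files) is easier to scope with an inventory of what the proposed policy would block. The following is an added example, not code from the bug report or from CAcert: a stdlib-only scanner that reports inline `<script>` and `<style>` blocks, `style=` attributes, `on*` event handlers, `javascript:` URLs and resources loaded from another origin, each with the line it sits on. SAMPLE_PAGE is a constructed fragment; the DataTD class is taken from the other reports on this page, and the origin passed as `self_origin` is an assumption for the example.

```python
"""Inventory of markup that default-src 'none'; script-src 'self'; style-src 'self' would block."""
from html.parser import HTMLParser

# Elements whose src/href fetch a resource governed by the policy (navigation links are not).
FETCHING_TAGS = {"script", "img", "link", "iframe", "object", "embed"}


class InlineResourceFinder(HTMLParser):
    """Collects (line, kind, excerpt) for everything the policy above would refuse."""

    def __init__(self, self_origin):
        super().__init__()
        self.self_origin = self_origin.rstrip("/").lower()
        self.findings = []
        self._block = None              # (kind, line) while inside <script>/<style> content

    def _note(self, line, kind, text):
        self.findings.append((line, kind, (text or "").strip()[:40]))

    def handle_starttag(self, tag, attrs):
        line, _ = self.getpos()
        attrs = dict(attrs)
        if tag == "script" and not attrs.get("src"):
            self._block = ("inline script", line)
        elif tag == "style":
            self._block = ("inline style", line)
        for name, value in attrs.items():
            if name == "style":
                self._note(line, "style attribute", value)
            elif name.startswith("on"):                 # onload=, onclick=, ...
                self._note(line, f"{name} handler", value)
            elif name in ("src", "href") and value:
                lowered = value.strip().lower()
                if lowered.startswith("javascript:"):
                    self._note(line, "javascript: URL", value)
                elif tag in FETCHING_TAGS and lowered.startswith(("http://", "https://", "//")) \
                        and not lowered.startswith(self.self_origin):
                    self._note(line, "third-party source", value)

    def handle_data(self, data):
        if self._block and data.strip():                # body of an inline <script>/<style>
            kind, line = self._block
            self._note(line, kind, data)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._block = None


def csp_violations(html_text, self_origin):
    """Return the list of findings for one page, in document order."""
    parser = InlineResourceFinder(self_origin)
    parser.feed(html_text)
    parser.close()
    return parser.findings


# Constructed sample page: one violation of each kind plus two allowed same-origin includes.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="/styles/default.css">
<link rel="stylesheet" href="https://fonts.example/css?family=Arial">
<style>.DataTD { padding: 2px }</style>
<script src="/scripts/menu.js"></script>
<script>document.getElementById('x').value = 1;</script>
</head><body onload="init()">
<td class="DataTD" style="color:red">Non révoqué</td>
<a href="javascript:void(0)">hide</a>
</body></html>"""

if __name__ == "__main__":
    for line, kind, excerpt in csp_violations(SAMPLE_PAGE, "https://www.cacert.org"):
        print(f"line {line}: {kind}: {excerpt}")
```

Run it over the rendered output of each page in the webdb (the scanner needs the HTML the browser receives, not the PHP source) and the list is the to-do list for the three bullet points above; an empty list for every page is the point at which the "no console errors with Caspr: Enforcer" test in Steps To Reproduce can be expected to pass.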


ID: 320
Category: [Main CAcert Website] website content
Severity: tweak
Reproducibility: always
Date Submitted: 2006-08-30 03:57
Last Update: 2016-02-11 23:35
Reporter: Sourcerer
Platform:
Assigned To: felixd
OS:
Priority: normal
OS Version:
Status: fix available
Product Version: 2006
Product Build:
Resolution: open
Projection: none
ETA: none
Fixed in Version:
Target Version:
Reviewed by:
Test Instructions:
Summary: Stop abusing $_REQUEST (and other special arrays)
Description: includes/account.php line1918 (the if($id==36) block)
reads the data from the database, and stores the data in the
PHP global array $_REQUEST:

$_REQUEST['general'] = $row['general'];

so that it can later be read from the $_REQUEST array in the pages/account/36.php:
<? if($_REQUEST['general']) echo " checked";

This is an abuse of the $_REQUEST array, which might break in newer versions of PHP. (eg. it might not be writeable in the future anymore)
Tags:
Steps To Reproduce:
Additional Information:
Attached Files:
Notes
(0004833)
felixd   
2014-06-15 09:23   
(Last edited: 2014-06-17 13:30)
A command similar to:

grep -r --color=auto "\$_\(REQUEST\|POST\|GET\)\(\[[^]]\+\]\)\+ \?= \?[^=]" pages www includes

might help to determine the locations.

(0004845)
felixd   
2014-06-17 14:30   
I pushed some patches (mainly the small files except includes/account.php)
that stop writing to one of these variables here:

https://github.com/yellowant/cacert-devel/tree/bug-320


ID: 1410
Category: [CATS.cacert.org] User Interface
Severity: minor
Reproducibility: always
Date Submitted: 2015-12-20 13:49
Last Update: 2015-12-20 13:49
Reporter: alkas
Platform: ASUS PC
Assigned To:
OS: Windows 8
Priority: normal
OS Version: 8.0
Status: new
Product Version: production
Product Build:
Resolution: open
Projection: none
ETA: none
Fixed in Version:
Target Version:
Summary: Not the exact text in "Server Certificates" - "View"
Description: You can read "Domain certificates" in the main part of the window. It should be "Domain and Server Certificates", I suppose. The text "Domain and Server Certificates" does exist in the Pootle English and translated texts! See the attachment, too.
Tags:
Steps To Reproduce: After login to your account at CAcert, open "Server certificates" - "View" from the menu, then observe the heading of the main part of the window.
Additional Information:
System Description Production version of the CAcert website
Attached Files: ServerCertsTextError.gif (115,295 bytes) 2015-12-20 13:49
http://bugs.cacert.org/file_download.php?file_id=413&type=bug
There are no notes attached to this issue.


ID: 1409
Category: [CATS.cacert.org] User Interface
Severity: text
Reproducibility: always
Date Submitted: 2015-12-19 23:33
Last Update: 2015-12-20 13:28
Reporter: alkas
Platform: ASUS PC
Assigned To:
OS: Windows 8
Priority: normal
OS Version: 8.0
Status: new
Product Version: production
Product Build:
Resolution: open
Projection: none
ETA: none
Fixed in Version:
Target Version:
Summary: An improper text which can baffle users
Description: If you want to get a new client certificate, the text on the web page related reads "SSL server certificate". See the attachment.
This improper text is seen in both Czech and English, probably also in other languages.
This text has possible legal impact!
Tags:
Steps To Reproduce: Log in to www.cacert.org to your account. Select from right menu "Client Certificates", "New". Look to the left part of the window.
Additional Information:
System Description Production version of the CAcert website
Attached Files: NewClientCertTextError.gif (118,453 bytes) 2015-12-19 23:33
http://bugs.cacert.org/file_download.php?file_id=412&type=bug
There are no notes attached to this issue.


ID: 1372
Category: [Main CAcert Website] website content
Severity: tweak
Reproducibility: always
Date Submitted: 2015-02-08 18:08
Last Update: 2015-12-19 11:40
Reporter: StefanT
Platform: Windows
Assigned To:
OS: Windows
Priority: normal
OS Version: 8, 8.1, 2012, R2
Status: new
Product Version: 2015 Q1
Product Build:
Resolution: open
Projection: none
ETA: none
Fixed in Version:
Target Version:
Reviewed by:
Test Instructions: Control the Certificate Store with MMC
Summary: Windows Installer not working
Description: The Windows Installer EXE is unable to install the CAcert Public Roots into the Certificate Store on the Windows 8/10 architecture.
Tags:
Steps To Reproduce: Run the EXE File on Windows 8 and check the Certificate Stores.
Additional Information:
System Description Production version of the CAcert website
Attached Files:
There are no notes attached to this issue.


ID: 1408
Category: [Main CAcert Website] misc
Severity: feature
Reproducibility: N/A
Date Submitted: 2015-12-12 17:19
Last Update: 2015-12-12 17:20
Reporter: INOPIAE
Platform:
Assigned To:
OS:
Priority: normal
OS Version:
Status: new
Product Version: 2015 Q4
Product Build:
Resolution: open
Projection: none
ETA: none
Fixed in Version:
Target Version: 2015 Q4
Reviewed by:
Test Instructions:
Summary: API to return the Assurer Status to be used from CAcert systems
Description: The API should be used from internal CAcert systems to verify if a user that identifies himself with a CAcert certificate is an assurer.
Tags:
Steps To Reproduce:
Additional Information: first implementation could be the cacert.eu portal
Attached Files:
There are no notes attached to this issue.


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1295 [Main CAcert Website] source code major always 2014-08-04 14:42 2015-12-12 17:20
Reporter: wytze Platform: Default  
Assigned To: BenBE OS: any  
Priority: normal OS Version: any  
Status: fix available Product Version: 2014 Q2  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version: 2014 Q4  
Reviewed by:
Test Instructions:
Summary: fix_assurer_flag() function in includes/lib/account.php causes mysql 5.5 server warnings
Description: Each invocation of the fix_assurer_flag() function in includes/lib/account.php causes the mysql 5.5 server to log a warning like this:

Jun 23 20:09:52 webdb mysqld: 140623 20:09:52 [Warning] Unsafe statement written to the binary log using statement format since BINLOG_FORMAT = STATEMENT. Statements writing to a table with an auto-increment column after selecting from another table are unsafe because the order in which rows are retrieved determines what (if any) rows will be written. This order cannot be predicted and may differ on master and the slave. Statement: UPDATE `users` AS `u` SET `assurer` = 1
Jun 23 20:09:52 webdb mysqld: WHERE `u`.`id` = 'XXXXXX'
Jun 23 20:09:52 webdb mysqld: AND EXISTS(
Jun 23 20:09:52 webdb mysqld: SELECT 1 FROM `cats_passed` AS `cp`, `cats_variant` AS `cv`
Jun 23 20:09:52 webdb mysqld: WHERE `cp`.`variant_id` = `cv`.`id`
Jun 23 20:09:52 webdb mysqld: AND `cv`.`type_id` = 1
Jun 23 20:09:52 webdb mysqld: AND `cp`.`user_id` = `u`.`id`
Jun 23 20:09:52 webdb mysqld: )
Jun 23 20:09:52 webdb mysqld: AND (
Jun 23 20:09:52 webdb mysqld: SELECT SUM(`points`) FROM `notary` AS `n`
Jun 23 20:09:52 webdb mysqld: WHERE `n`.`to` = `u`.`id`
Jun 23 20:09:52 webdb mysqld: AND (`n`.`expire` > now()
Jun 23 20:09:52 webdb mysqld: OR `n`.`expire` IS NULL)
Jun 23 20:09:52 webdb mysqld: AND `n`.`deleted` = 0
Jun 23 20:09:52 webdb mysqld: ) >= 100
Tags:
Steps To Reproduce: fix_assurer_flag() is called from several places in the application, pick any.
Additional Information:
System Description Default profile.
Attached Files:
Notes
(0004913)
INOPIAE   
2014-08-05 20:54   
(Last edited: 2014-08-05 20:55)
Can you provide some information about the mysql server setup or point to the documentation in the wiki?
The main point of the question is whether the mysql server is replicated or not, and if it is replicated, what the setting of binlog_format is.

(0004918)
wytze   
2014-08-06 09:16   
The mysql server is *not* replicated.
Binlogging is enabled with these statements in /etc/mysql/my.cnf:

log_bin = /var/log/mysql/mysql-bin.log
expire_logs_days = 0
max_binlog_size = 100M

It may be helpful to know that the cacert[12] test servers are using exactly the same setup, except for the setting of expire_logs_days (10 on the test servers).
Identical mysql server warnings can be observed on these test servers.
(0004919)
wytze   
2014-08-06 09:25   
Perhaps it is sufficient to add:

binlog_format = mixed

to the configuration, but a review of such a change by a knowledgeable mysql person would be appreciated.
(0005116)
INOPIAE   
2014-11-22 14:31   
I pushed a fix to https://github.com/INOPIAE/CAcert/commit/660c548b541f45a48d1268f74f868d4d19c27f5d


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
649 [Main CAcert Website] web of trust feature always 2008-10-18 09:39 2015-12-12 17:19
Reporter: iang Platform:  
Assigned To: Eva OS:  
Priority: normal OS Version:  
Status: needs review & testing Product Version: 2008  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version: 2015 Q2  
Reviewed by:
Test Instructions: see note (0005284)
Summary: verify that someone is an Assurer
Description: There needs to be a way for the Member to verify that someone is an Assurer.

For an online system mechanism, it could be any of these variations to get confirmation:

1. type in an exact name.
2. type in an email address.
3. type in a code word selected by the Assurer.
4. send an email to a given address (might need additional control on/off as could be done by anyone).
5. some non-online mechanism such as business cards or security cards.

When the method is used, a confirmation of status should be shown: Member, Assured, Assurer. Optionally other information could be added, under control of the Assurer.
Tags:
Steps To Reproduce:
Additional Information: DRAFT AP says "A Member may check the status of another Member, especially for an assurance process. Status may be implied from information in a certificate. The number of Assurance Points for each Member is not published." (as of today, it might change as it is still in DRAFT.) http://svn.cacert.org/CAcert/Policies/AssurancePolicy.html#2.3

Member checking Assurer's status is necessary to establish the authority of the Assurance, to establish the mutuality and equality of the process, and to combat a potential identity theft. E.g., at some point, CAcert becomes valuable ("crosses GP") and becomes attacked for its value. One attack is to pretend to be an Assurer and ask people for their identity information.

Members should be taught to check the Assurer's status.
Attached Files:
Notes
(0004532)
INOPIAE   
2014-01-21 10:23   
Suggestion for Is Assurer Check:

A new page with a text box for the primary email address of a potential Assurer.
A drop-down box with the reason why the information is needed, e.g. Assurance, Event Preparation, Arbitration, CARS check, Organisation Assurance.

Once the form is sent, the result is not displayed on the screen. It is sent to the requestor and the assurer by mail. The screen only shows the information that the mail was sent.

Mail to requestor:

Dear xxxx,

you requested an Assurer check for the primary email address x@y.z for DROPDOWN info.
The account linked to this email address currently has / has not Assurer Status.

BR

Mail to Assurer:

Dear xxxx,

your Assurer Status was requested by REQUESTER NAME, primary email address x@y.z for DROPDOWN info.

BR
(0004596)
INOPIAE   
2014-02-22 19:39   
I pushed a fix to https://github.com/INOPIAE/CAcert/tree/bug-649.

For testing:
Try to get the assurer status of an assurer, a non-assurer and one email that is not listed in the testserver.
(0004610)
BenBE   
2014-02-25 22:36   
in notary.inc.php for function get_user_id_from_mail:

1. we should be consistent on email vs. mail

2. trim should be the inner function call, thus trim first and then escape for the database.

In pages/wot/16.php:
3. The font tag is deprecated. Use span or div instead and possibly create a proper CSS class for it (or reuse an existing one).

4. Do proper indentation of the HTML in the file so the source doesn't look too messy. Names of tags should be lowercase (e.g. script at the bottom).

In www/wot.php:
5. Why do we need sprintf on a translation without format string parameters?

6. Indentation for the notification on the web page doesn't need to be that far to the right.

Not OK.
(0004640)
INOPIAE   
2014-03-15 13:10   
(Last edited: 2014-03-15 13:11)
I pushed a new fix to https://github.com/INOPIAE/CAcert/tree/bug-649
The font tag is handled in a separate bug

(0004795)
Benedikt   
2014-06-05 21:51   
Dear Software Team, is there any progress on this bug?
(0004804)
INOPIAE   
2014-06-07 20:20   
I pushed a new fix to https://github.com/INOPIAE/CAcert/tree/bug-649
(0005279)
Eva   
2015-01-26 05:44   
There was a dispute filed by BenBE and INOPIAE to check if this bug is allowed.
(0005283)
INOPIAE   
2015-01-28 09:06   
I pushed a new fix to adjust the adminlog table
https://github.com/INOPIAE/CAcert/commit/c0f2cae1ef3a2c4cbcfaeb6fd403a7255916c07b
(0005284)
INOPIAE   
2015-01-28 09:25   
(Last edited: 2015-03-03 20:18)
Test instructions:
try to get the assurer status of at least 6 accounts
Check the mail box of the accounts if a mail arrived
If you check the sixth account within 1 hour you should get a message that you are not allowed to proceed for the next hour.
No mail should be sent now.
Try the account again after 1 hour
Now it should work again

(0005296)
Ted   
2015-01-28 16:30   
Did some tests from account ted@convey.de (Admin account), all checks within one hour, all mail addresses are @convey.de:

123, Is Assurer, Mail checked, OK
ted, Is Assurer, Mail checked, OK (this was my own account)
switch2, No Assurer, Mail checked, OK
switch1, No Assurer, failed see below
deleted2, No Assurer, Mail checked, Probably OK
to_be_deleted2, Not found, OK but shouldn't there be a limit of 5 checks?
deleted2, No Assurer, probably ok (repeated check)
to_be_deleted, No Assurer, OK but limit?
froehlich, Not found, OK is an additional address
deleted3, No Assurer, Failed account is deleted!


More details:

switch1 is an address that initially belonged to the account which is now switch2. If I request the status of switch1 the mail shows up in both Test Manager accounts, with target address switch1.
This may be a bug in the Test Manager, but it's a bit strange nevertheless...

Account deleted3 is reported as "No Assurer", but the account is deleted, so it should be reported as "Not found".

I guess it's intentional that only the primary mail address for an account is found.

deleted2 is a special account which should not occur in the production database since the USERS record is not marked as deleted but the corresponding EMAIL record is. I guess it's acceptable if the lookup finds such an account.

The limit did not cut in, maybe because I tested with an Admin-Account?
(0005297)
Ted   
2015-01-28 16:42   
Another test with switch2 and switch1, now switch2 is Assurer, switch1 is not.

Checking correctly returns the status of both accounts.
(0005299)
Eva   
2015-02-03 19:55   
Is there any limit how many requests one can send?
Is there a way to opt out?
Also I do not see the Arbitration reason. The bigger problem for Arbitration is to figure out the primary address, to begin with. In most cases this is not known to Arbitration. As to be able to test the assurance status the Arbitrator would first need to ask support for this. As there would be a need to ask support, anyway, any needed information - this could exclude the primary address - could be provided by support to Arbitration.

Also anybody could simply state Arbitration as the reason. IF this were implemented, it should only be possible for members of the arbitration team, as this could be misused anyway. Currently the software does not have a flag for a member of the arbitration team.
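
The lookup-and-notify flow proposed in note 0004532, together with the five-per-hour limit from the test instructions in note 0005284, as an added example in Python. This is illustration code, not the CAcert PHP implementation: the account records, the mail texts, the injected clock and the decision to report a deleted account as "Not found" (the behaviour Ted asked for in note 0005296) are constructed here. The limit counts every request from the same requester, including "Not found" lookups, since that is the enumeration path a limit is there to stop.

```python
"""Assurer-status lookup with a per-requester sliding-window rate limit.

Added example for bug 649; not CAcert code.  Accounts, mail texts and the
clock injection are constructed for illustration.
"""
import time
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List, Tuple

LIMIT_PER_WINDOW = 5        # the sixth request within the window is refused
WINDOW_SECONDS = 3600


@dataclass
class Account:
    primary_email: str
    assurer: bool
    deleted: bool = False   # a deleted account must read as "Not found"


class AssurerCheck:
    def __init__(self, accounts: List[Account], clock: Callable[[], float] = time.time):
        # Only the primary address is indexed: additional addresses of an
        # account are reported as "Not found", as observed in note 0005296.
        self._by_email: Dict[str, Account] = {a.primary_email.lower(): a for a in accounts}
        self._clock = clock
        self._seen: Dict[str, Deque[float]] = defaultdict(deque)

    def _within_limit(self, requester: str) -> bool:
        """Sliding window: discard timestamps older than the window, then count."""
        now = self._clock()
        window = self._seen[requester]
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()
        if len(window) >= LIMIT_PER_WINDOW:
            return False            # refused attempts are not recorded
        window.append(now)
        return True

    def status_of(self, email: str) -> str:
        """Member, deleted or unknown: only the three public answers exist."""
        acct = self._by_email.get(email.strip().lower())
        if acct is None or acct.deleted:
            return "Not found"
        return "Is Assurer" if acct.assurer else "No Assurer"

    def request(self, requester: str, email: str, reason: str) -> Tuple[str, List[Tuple[str, str]]]:
        """Return (outcome, mails); mails is a list of (recipient, body).

        The screen only ever shows that mail was sent or that the limit was
        hit; the status itself travels in the mail, as the proposal requires.
        """
        if not self._within_limit(requester):
            return "RATE_LIMITED", []          # no mail is sent in this case
        status = self.status_of(email)
        mails = [(requester,
                  f"you requested an Assurer check for the primary email address "
                  f"{email} for {reason}.\nThe account linked to this email address "
                  f"currently has status: {status}.")]
        if status != "Not found":
            # The checked member learns who asked and why; an unknown or
            # deleted account has nobody to notify (assumption of this example).
            mails.append((email,
                          f"your Assurer Status was requested by {requester} for {reason}."))
        return status, mails
```

The window is per requester, so a second account is not affected by the first one's limit; an admin account gets no exemption here, which is the point Ted raised when the limit did not cut in during his test.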


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1407 [CATS.cacert.org] Result Upload minor have not tried 2015-12-04 22:06 2015-12-05 01:14
Reporter: Ted Platform:  
Assigned To: Ted OS:  
Priority: normal OS Version:  
Status: needs review & testing Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Summary: Result upload should support new testserver and privacy tests
Description: The new testserver configuration requires the Result Upload to support SNI.

Also, the new topic type "Data Privacy Quiz" should be supported.
Tags:
Steps To Reproduce:
Additional Information:
Attached Files:
Notes
(0005489)
Ted   
2015-12-04 23:53   
Changes proposed by felixd, plus some cosmetic changes, checked in to branch bug-1407 and merged into testserver branch.

Automatic upload should now be active on the testserver (every 5 minutes).

Additional tests and reviews would be nice, but since we're not under SM this is considered optional.
(0005490)
BenBE   
2015-12-05 01:14   
As I suggested the two hunks (for the SNI support and the SQL change) I'm fine with both of them.

For your my_dir function I'd suggest using the dirname function instead, cf. http://stackoverflow.com/a/3455972

In the SQL statement beware that the additional "4" will have to match the type ID assigned to the Data Privacy category. Please verify if 4 is really the correct category ID (on the CATS).

Also, but this is separate from the functional stuff, I'd be glad if we could avoid trailing whitespace at the end of lines. No biggie, but always looks kinda wrong when having a look at the diff in Git.


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1403 [CATS.cacert.org] Content (Questions and Answers) feature N/A 2015-10-11 20:45 2015-12-03 08:41
Reporter: Benedikt Platform: Default  
Assigned To: Benedikt OS: any  
Priority: normal OS Version: any  
Status: needs work Product Version: production  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Summary: Add additional CATS tests for Data Privacy (Test & Prod)
Description: Out of Incidents i20140814.1 and i20140625.1, a data privacy CATS should be added binding for all people within CAcert handling personal data and voluntary for assurers. To divide the different needs for data privacy by different roles, following CATS tests are recommended:

1) general data privacy CATS test
2) special data privacy CATS test for Triage and Support Engineers
3) special data privacy CATS test for Infrastructure Admins
4) special data privacy CATS test Arbitrators and Case Managers

Since we cannot identify a person's role by his/her certificate, the CATS should be freely available for everyone.

The CATS should be available in Test & Prod system.

Tags:
Steps To Reproduce:
Additional Information: The questions and answers can be provided by myself, if you grant me the rights needed. The public key of the certificate is attached.
System Description Default profile.
Attached Files: benedikt.pem (2,050 bytes) 2015-10-11 20:51
http://bugs.cacert.org/file_download.php?file_id=410&type=bug
Notes
(0005465)
Ted   
2015-10-12 20:07   
Benedikt,

you should now be able to log in to the development CATS (https://cats1.it-sls.de:14843/index.php) using the attached certificate. If you are not, please tell me, this is the first time I tried to add someone manually.

Your account has admin rights, so you are able to create new questions/answers. The four tests you proposed are already created but still waiting for questions.

So far for the development system. Before I transfer any tests from the development system to the productive system there should be a written procedure (in the WiKi?) defining how a proposed test is to be reviewed, or otherwise verified to be acceptable.
(0005466)
Benedikt   
2015-10-12 20:19   
(Last edited: 2015-10-12 20:19)
Hey Ted,

Access to the CATS Test Server's Admin Panel works and I can add Questions.

Once done, we should discuss the review & transfer procedure with Software.

(0005467)
BenBE   
2015-10-13 19:39   
Installed on Test Server as:

INSERT INTO cats_type (id, type_text) VALUES (2, 'Data Privacy Quiz');

INSERT INTO cats_variant (type_id, test_text) VALUES(2, 'Data Privacy Quiz (generic)');
INSERT INTO cats_variant (type_id, test_text) VALUES(2, 'Data Privacy Quiz (Triage and Support)');
INSERT INTO cats_variant (type_id, test_text) VALUES(2, 'Data Privacy Quiz (Infrastructure Admins)');
INSERT INTO cats_variant (type_id, test_text) VALUES(2, 'Data Privacy Quiz (Arbitrators and Case Managers)');
(0005488)
felixd   
2015-12-03 08:32   
(Last edited: 2015-12-03 08:41)
Benny and I fixed the testserver-CATS-system.

We found out that the changes of #0005467 are not needed as the import script automatically creates those entries.

There needs to be an adjustment to "UploadResults.pl". Changing the set of to-be-transferred CATS categories, to include the new CATS category.



View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1149 [CATS.cacert.org] User Interface minor always 2013-03-03 22:15 2015-11-04 20:54
Reporter: Ted Platform:  
Assigned To: Ted OS:  
Priority: normal OS Version:  
Status: needs review Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Summary: CATS accepts server certificates for login
Description: If someone imports a server certificate into the browser it is possible to use this certificate to log in to CATS.

Though this is not a real bad problem it leads to problems when uploading the results to the main CAcert database. Since the import interface (cats_import.php) only checks the table for client certificates (EMAILCERTS) it cannot find server certificates and therefore reports an error.

From the logic behind the system CATS expects a certificate to identify a person, not a server, so the most consistent way to fix this bug is to refuse login for server certificates.
Tags:
Steps To Reproduce:
Additional Information:
Attached Files: test.p12 (3,070 bytes) 2015-11-01 15:22
http://bugs.cacert.org/file_download.php?file_id=411&type=bug
Notes
(0003786)
Ted   
2013-03-03 22:19   
(Last edited: 2013-03-03 22:19)
A certificate is defined as a client certificate if it contains an "Email" field in the CN.

AFAIK all CAcert client certificates either include one of the verified email addresses or the "Single Sign On ID Information" in the Email field.

(0003787)
Ted   
2013-03-03 23:30   
Created branch bug-1149 on https://github.com/CAcertOrg/cats.git
(0005473)
Ted   
2015-10-18 14:30   
Merged the branch into testserver branch
(0005480)
Ted   
2015-11-01 15:21   
Tested with this procedure:

- Create key and CSR with: openssl req -newkey rsa:2048 -keyout test.key -subj "/CN=dummy.convey-ag.de" -out test.csr
- Created certificate with testserver, stored into test.crt
- Created importable PKCS12 file with: openssl pkcs12 -export -out test.p12 -inkey test.key -in test.crt -name "Test Certificate for CAcert bug-1149"

- Firefox 41.0.2 refused to import the certificate with unspecific error message

- Importing into Windows Certificate Storage:
  - open MMC.EXE and add plugin "Certificates" for current user
  - Goto "Own Certificates" and use right click -> All Tasks... -> Import
  - Import the test.p12 file
  - "dummy.convey-ag.de" certificate shows in "Own Certificates -> Certificates"
- Open Internet Explorer for https://cats1.it-sls.de:14843
- When asked by Internet Explorer, select the imported certificate ("Test Certificate for CAcert bug-1149") for authentication
- Click "Login"

==> Error message is shown:

Your certificate does not contain an Email field, you are probably using a server certificate.
Server certificates cannot be used to log in to CATS since they do not identify a person.

==> Correct behaviour for this kind of certificates.

Please test also with your own browser. I added the test.p12 file (password for import is "test"), just in case you don't have the time to create your own certificate...
(0005481)
Ted   
2015-11-01 15:35   
Login works with my "usual" client certificate. Additional tests needed for other types of allowed certificates:

- "Anonymous" certificates
- Certificates with only Single Sign On ID
- Certificate with multiple emails
(0005482)
INOPIAE   
2015-11-03 20:36   
I tested with a newly created server certificate from the test server which I imported via mmc to the windows truststore.
With Chrome I was able to connect to the cats1 but this error message is shown:
Your certificate does not contain an Email field, you are probably using a server certificate.
Server certificates cannot be used to log in to CATS since they do not identify a person.
=> ok
With a client certificate the login worked perfectly.
=>ok

=>ok
(0005483)
MartinGummi   
2015-11-03 21:38   
Using Ted's openssl commands

- Create key and CSR
- Created certificate with testserver
- Created importable PKCS12 file
- Import to Iceweasel 41.0.2
- Open Iceweasel 41.0.2 for https://cats1.it-sls.de:14843 [^]
- When asked by Iceweasel, select the imported certificate ("Test Certificate for CAcert bug-1149") for authentication
- Click "Login"

==>Show Error
Your certificate does not contain an Email field, you are probably using a server certificate.
Server certificates cannot be used to log in to CATS since they do not identify a person.

=>OK
With a client certificate with email Address, login worked perfectly.
=>OK

OK
(0005484)
StefanT   
2015-11-04 20:49   
-Using user paul.panter@pink.org at testsystem
-Created Server certificate for www.looney.org
-Imported certificate into user-certificate-store
-Started EDGE
-Start https://cats1.it-sls.de:14843/
-Site was displayed => OK

=> Only client certificates were listed for auth selection. => OK

Login with client certificate was possible without errors => OK
(0005485)
StefanT   
2015-11-04 20:54   
-Using user paul.panter@pink.org at testsystem
-Created Server certificate for www.looney.org
-Started Firefox
-Imported certificate into firefox 42
-Start https://cats1.it-sls.de:14843/ [^]
-Site was displayed => OK

=> Your certificate does not contain an Email field, you are probably using a server certificate.
Server certificates cannot be used to log in to CATS since they do not identify a person. => OK

Login with client certificate was possible without errors => OK
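
The check that the bug-1149 fix introduces, "does the subject carry an Email field", as an added example in Python; it is not the CATS PHP code. It assumes the web server hands the authenticated client certificate's subject to the application as a DN string, either in the legacy OpenSSL one-line form (`/C=DE/CN=dummy.convey-ag.de/emailAddress=x@y.z`) or in RFC 2253 form (`emailAddress=x@y.z,CN=dummy.convey-ag.de,C=DE`); which form a given mod_ssl setup emits depends on its configuration, so both are handled. Presence rather than syntax is what is tested, since per note 0003786 the field may hold a verified address or the Single Sign On ID, and a certificate with several addresses yields several values.

```python
"""Refuse client-certificate login when the subject has no Email field.

Added example for bug 1149; not CATS code.  The DN strings and attribute-type
spellings below are assumptions about how the web server presents the subject.
"""
import re
from typing import List, Tuple

# Names under which the PKCS#9 emailAddress attribute (OID 1.2.840.113549.1.9.1)
# may appear in a DN string, depending on the producing library.
EMAIL_ATTRIBUTE_TYPES = {"emailAddress", "Email", "E", "1.2.840.113549.1.9.1"}

REFUSAL = ("Your certificate does not contain an Email field, you are probably "
           "using a server certificate.\nServer certificates cannot be used to "
           "log in to CATS since they do not identify a person.")


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN string into (type, value) pairs, honouring backslash escapes.

    A leading "/" selects the OpenSSL one-line form; otherwise RFC 2253 with
    comma separators is assumed.  Multi-valued RDNs ("+") are not split.
    """
    if dn.startswith("/"):
        separator, body = "/", dn[1:]
    else:
        separator, body = ",", dn
    pairs = []
    # Split only on separators that are not escaped with a backslash.
    for component in re.split(r"(?<!\\)" + re.escape(separator), body):
        if not component.strip():
            continue
        attr_type, eq, value = component.partition("=")
        if not eq:
            raise ValueError(f"malformed DN component: {component!r}")
        pairs.append((attr_type.strip(), value.strip().replace("\\" + separator, separator)))
    return pairs


def email_fields(dn: str) -> List[str]:
    """Every Email value in the subject, in the order the DN string lists them."""
    return [value for attr_type, value in parse_dn(dn) if attr_type in EMAIL_ATTRIBUTE_TYPES]


def login_decision(subject_dn: str) -> Tuple[bool, str]:
    """(True, identity) for a person-identifying certificate, else (False, message).

    A server certificate such as "/CN=dummy.convey-ag.de" has no Email field
    and is refused with the message the CATS testers saw.
    """
    emails = email_fields(subject_dn)
    if not emails:
        return False, REFUSAL
    return True, emails[0]
```

This looks only at the subject DN; addresses carried in a subjectAltName extension are not visible to it, so a deployment that identifies members by SAN entries would need to inspect the extension as well. The DN-based presence test is deliberately what the fix relies on, because the import to the main database keys on the EMAILCERTS table, which is exactly the set of certificates that do carry that field.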


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1393 [Main CAcert Website] my account minor have not tried 2015-07-28 15:29 2015-10-24 16:31
Reporter: INOPIAE Platform:  
Assigned To: felixd OS:  
Priority: normal OS Version:  
Status: needs review & testing Product Version: 2015 Q3  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version: 2015 Q3  
Reviewed by: BenBE
Test Instructions: Try to ping a domain that is not reachable for an email ping or cause other issues. Test the success case gives no transcript.
Summary: Provide transcript for email ping (on error)
Description: If the email ping is not successful, give the user a better information why it did not work.
Tags:
Steps To Reproduce:
Additional Information:
Attached Files:
Notes
(0005439)
felixd   
2015-07-28 19:55   
A patch is here:

https://github.com/yellowant/cacert-devel/tree/bug-1393
(0005455)
INOPIAE   
2015-08-25 20:11   
(Last edited: 2015-08-25 20:33)
I tried to create a new account with an email address with a non existing domain:
I get the following error message:
Processing email address:
- Domain Name: xxxxxx.eu
- Mailbox Name: m
Determining MX records for mail delivery:
- DNS lookup for MX records failed
- Defaulting to MX = 'xxxxxx.eu' at priority 0
Building priority queue for test of servers:
- Will test server id 0 at host 'xxxxxx.eu' with priority 0

Starting test for id 0 for host 'xxxxxx.eu'
- Trying to connect to 'tcp://xxxxxx.eu:25' ... FAILED
- Connection failed with code 0: php_network_getaddresses: getaddrinfo failed: Name or service not known
None of the email servers could be reached

=> ok

I tried to add an email address with a non existing domain to an existing account:
I get the following error message:
Processing email address:
- Domain Name: xxxxxx.eu
- Mailbox Name: m
Determining MX records for mail delivery:
- DNS lookup for MX records failed
- Defaulting to MX = 'xxxxxx.eu' at priority 0
Building priority queue for test of servers:
- Will test server id 0 at host 'xxxxxx.eu' with priority 0

Starting test for id 0 for host 'xxxxxx.eu'
- Trying to connect to 'tcp://xxxxxx.eu:25' ... FAILED
- Connection failed with code 0: php_network_getaddresses: getaddrinfo failed: Name or service not known
None of the email servers could be reached

=> ok

I tried to add a non existing domain to an existing account:
I get the following error message when trying to select one of the suggested addresses:
Processing email address:
- Domain Name: xxxxxx.eu
- Mailbox Name: m
Determining MX records for mail delivery:
- DNS lookup for MX records failed
- Defaulting to MX = 'xxxxxx.eu' at priority 0
Building priority queue for test of servers:
- Will test server id 0 at host 'xxxxxx.eu' with priority 0

Starting test for id 0 for host 'xxxxxx.eu'
- Trying to connect to 'tcp://xxxxxx.eu:25' ... FAILED
- Connection failed with code 0: php_network_getaddresses: getaddrinfo failed: Name or service not known
None of the email servers could be reached

=> ok

adding an email address with an existing domain works without error message.
=> ok

=> ok

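The logic behind the transcripts above (MX lookup, fallback to the bare domain at priority 0, a priority queue of servers, one TCP attempt per server on port 25, and a transcript handed back only on failure), as an added example in Python. It is not the CAcert PHP code behind bug 1393; the resolver and the connector are injected so the example runs offline with constructed stubs, and the SMTP dialogue that follows a successful connect (the part that can make a server "reject the email address as invalid") is left out.

```python
"""Email ping with MX fallback and an on-error transcript.

Added example for bug 1393; not CAcert code.  The stub resolver and
connector at the bottom are constructed so the example runs offline.
"""
import socket
from typing import Callable, List, Optional, Tuple

MxResolver = Callable[[str], List[Tuple[int, str]]]  # domain -> [(priority, host)]; may raise
Connector = Callable[[str, int], None]               # raises OSError on failure


def tcp_connect(host: str, port: int, timeout: float = 5.0) -> None:
    """Real connector: open and immediately close a TCP connection."""
    with socket.create_connection((host, port), timeout=timeout):
        pass


def build_server_queue(domain: str, resolve_mx: MxResolver,
                       transcript: List[str]) -> List[Tuple[int, str]]:
    """MX records sorted by priority, or the domain itself when lookup fails."""
    transcript.append("Determining MX records for mail delivery:")
    try:
        servers = resolve_mx(domain)
    except Exception:            # any resolver failure counts as "no MX records"
        servers = []
    if not servers:
        transcript.append("- DNS lookup for MX records failed")
        transcript.append(f"- Defaulting to MX = '{domain}' at priority 0")
        servers = [(0, domain)]
    servers = sorted(servers)    # lowest preference value is tried first, as in SMTP delivery
    transcript.append("Building priority queue for test of servers:")
    for server_id, (priority, host) in enumerate(servers):
        transcript.append(f"- Will test server id {server_id} at host '{host}' with priority {priority}")
    return servers


def email_ping(address: str, resolve_mx: MxResolver,
               connect: Connector = tcp_connect) -> Tuple[bool, Optional[List[str]]]:
    """Return (reachable, transcript).  The transcript is None on success,
    so the success case shows the user nothing, as the test instructions require."""
    mailbox, _, domain = address.rpartition("@")
    transcript = ["Processing email address:",
                  f"- Domain Name: {domain}",
                  f"- Mailbox Name: {mailbox}"]
    for server_id, (priority, host) in enumerate(build_server_queue(domain, resolve_mx, transcript)):
        transcript.append("")
        transcript.append(f"Starting test for id {server_id} for host '{host}'")
        try:
            connect(host, 25)
        except OSError as exc:
            code = exc.errno if exc.errno is not None else 0
            transcript.append(f"- Trying to connect to 'tcp://{host}:25' ... FAILED")
            transcript.append(f"- Connection failed with code {code}: {exc.strerror or exc}")
            continue                         # next server in the queue
        transcript.append(f"- Trying to connect to 'tcp://{host}:25' ... OK")
        return True, None
    transcript.append("None of the email servers could be reached")
    return False, transcript


# Constructed stubs: a resolver that always fails and a connector that always refuses.
def no_mx(domain: str) -> List[Tuple[int, str]]:
    raise OSError(0, "DNS lookup failed")


def refuse_all(host: str, port: int) -> None:
    raise OSError(0, "Name or service not known")
```

Running `email_ping("Gucky@plofre.tramp", no_mx, refuse_all)` reproduces the shape of the transcripts in this issue: the MX fallback line, one server at priority 0, a FAILED connect and the closing "None of the email servers could be reached". With the real `tcp_connect` the same function performs the actual reachability test.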
(0005479)
GuKKDevel   
2015-10-22 15:52   
(Last edited: 2015-10-24 16:31)
1. tried to create an account

1.1 with nonexisting TLD

Email Address given was invalid, or a test connection couldn't be made to your server, or the server rejected the email address as invalid

Processing email address:
- Domain Name: plofre.tramp
- Mailbox Name: Gucky
Determining MX records for mail delivery:
- DNS lookup for MX records failed
- Defaulting to MX = 'plofre.tramp' at priority 0
Building priority queue for test of servers:
- Will test server id 0 at host 'plofre.tramp' with priority 0

Starting test for id 0 for host 'plofre.tramp'
- Trying to connect to 'tcp://plofre.tramp:25' ... FAILED
- Connection failed with code 0: php_network_getaddresses: getaddrinfo failed: Name or service not known
None of the email servers could be reached

==> OK


1.2 with nonexisting Domain

Email Address given was invalid, or a test connection couldn't be made to your server, or the server rejected the email address as invalid

Processing email address:
- Domain Name: plofre.eu
- Mailbox Name: Gucky
Determining MX records for mail delivery:
- DNS lookup for MX records failed
- Defaulting to MX = 'plofre.eu' at priority 0
Building priority queue for test of servers:
- Will test server id 0 at host 'plofre.eu' with priority 0

Starting test for id 0 for host 'plofre.eu'
- Trying to connect to 'tcp://plofre.eu:25' ... FAILED
- Connection failed with code 0: php_network_getaddresses: getaddrinfo failed: Name or service not known
None of the email servers could be reached

==> OK


1.3 with nonexisting Subdomain

Email Address given was invalid, or a test connection couldn't be made to your server, or the server rejected the email address as invalid

Processing email address:
- Domain Name: plofre.cacert.org
- Mailbox Name: Gucky
Determining MX records for mail delivery:
- DNS lookup for MX records failed
- Defaulting to MX = 'plofre.cacert.org' at priority 0
Building priority queue for test of servers:
- Will test server id 0 at host 'plofre.cacert.org' with priority 0

Starting test for id 0 for host 'plofre.cacert.org'
- Trying to connect to 'tcp://plofre.cacert.org:25' ... FAILED
- Connection failed with code 0: php_network_getaddresses: getaddrinfo failed: Name or service not known
None of the email servers could be reached

==> OK


1.4 with nonexisting email account gucky@cacert.org

Your information has been submitted into our system. You will now be sent an email with a web link,
you need to open that link in your web browser within 24 hours or your information will be removed from our system!

==> OK


2. add address to assurer-account

2.1 with nonexisting TLD

Email Address given was invalid, or a test connection couldn't be made to your server, or the server rejected the email address as invalid

Processing email address:
- Domain Name: Plofre.Tramp
- Mailbox Name: Gucky
Determining MX records for mail delivery:
- DNS lookup for MX records failed
- Defaulting to MX = 'Plofre.Tramp' at priority 0
Building priority queue for test of servers:
- Will test server id 0 at host 'Plofre.Tramp' with priority 0

Starting test for id 0 for host 'Plofre.Tramp'
- Trying to connect to 'tcp://Plofre.Tramp:25' ... FAILED
- Connection failed with code 0: php_network_getaddresses: getaddrinfo failed: Name or service not known
None of the email servers could be reached

==> OK


2.2 with nonexisting Domain

Email Address given was invalid, or a test connection couldn't be made to your server, or the server rejected the email address as invalid

Processing email address:
- Domain Name: plofre.eu
- Mailbox Name: Gucky
Determining MX records for mail delivery:
- DNS lookup for MX records failed
- Defaulting to MX = 'plofre.eu' at priority 0
Building priority queue for test of servers:
- Will test server id 0 at host 'plofre.eu' with priority 0

Starting test for id 0 for host 'plofre.eu'
- Trying to connect to 'tcp://plofre.eu:25' ... FAILED
- Connection failed with code 0: php_network_getaddresses: getaddrinfo failed: Name or service not known
None of the email servers could be reached

==> OK


2.3 with nonexisting Sub-Domain

Email Address given was invalid, or a test connection couldn't be made to your server, or the server rejected the email address as invalid

Processing email address:
- Domain Name: plofre.cacert.org
- Mailbox Name: Gucky
Determining MX records for mail delivery:
- DNS lookup for MX records failed
- Defaulting to MX = 'plofre.cacert.org' at priority 0
Building priority queue for test of servers:
- Will test server id 0 at host 'plofre.cacert.org' with priority 0

Starting test for id 0 for host 'plofre.cacert.org'
- Trying to connect to 'tcp://plofre.cacert.org:25' ... FAILED
- Connection failed with code 0: php_network_getaddresses: getaddrinfo failed: Name or service not known
None of the email servers could be reached

==> OK


2.4a with nonexisting email account gucky@cacert.org

The email address 'gucky@Cacert.org' is already assigned to another account. Cannot continue.

=======> needs a check after 24 hours.


Check:

The email address 'gucky@Cacert.org' has been added. Before you can issue certificates for this address, however, you must open the link
that was sent to this email address in a browser.

==> OK


2.4b with nonexisting email account gucky1@cacert.org

The email address 'gucky1@cacert.org' has been added. Before you can issue certificates for this address, however, you must open the link
that was sent to this email address in a browser.

==> OK



3. add address to assured-account

3.1 with nonexisting TLD

Email Address given was invalid, or a test connection couldn't be made to your server, or the server rejected the email address as invalid

Processing email address:
- Domain Name: plofre.Tramp
- Mailbox Name: Gucky
Determining MX records for mail delivery:
- DNS lookup for MX records failed
- Defaulting to MX = 'plofre.Tramp' at priority 0
Building priority queue for test of servers:
- Will test server id 0 at host 'plofre.Tramp' with priority 0

Starting test for id 0 for host 'plofre.Tramp'
- Trying to connect to 'tcp://plofre.Tramp:25' ... FAILED
- Connection failed with code 0: php_network_getaddresses: getaddrinfo failed: Name or service not known
None of the email servers could be reached

==> OK


3.2 with nonexisting Domain

Email Address given was invalid, or a test connection couldn't be made to your server, or the server rejected the email address as invalid

Processing email address:
- Domain Name: plofre.eu
- Mailbox Name: Gucky
Determining MX records for mail delivery:
- DNS lookup for MX records failed
- Defaulting to MX = 'plofre.eu' at priority 0
Building priority queue for test of servers:
- Will test server id 0 at host 'plofre.eu' with priority 0

Starting test for id 0 for host 'plofre.eu'
- Trying to connect to 'tcp://plofre.eu:25' ... FAILED
- Connection failed with code 0: php_network_getaddresses: getaddrinfo failed: Name or service not known
None of the email servers could be reached

==> OK


3.3 with nonexisting Sub-Domain

Email Address given was invalid, or a test connection couldn't be made to your server, or the server rejected the email address as invalid

Processing email address:
- Domain Name: plofre.gukk.eu
- Mailbox Name: Gucky
Determining MX records for mail delivery:
- DNS lookup for MX records failed
- Defaulting to MX = 'plofre.gukk.eu' at priority 0
Building priority queue for test of servers:
- Will test server id 0 at host 'plofre.gukk.eu' with priority 0

Starting test for id 0 for host 'plofre.gukk.eu'
- Trying to connect to 'tcp://plofre.gukk.eu:25' ... FAILED
- Connection failed with code 0: php_network_getaddresses: getaddrinfo failed: Der Name oder der Dienst ist nicht bekannt
None of the email servers could be reached

==> OK


3.4a with nonexisting email account gucky@cacert.org

Die E-Mail-Adresse 'gucky@Cacert.org' ist bereits einem anderen Konto zugeordnet. Fortsetzen nicht möglich.

=======> needs control after 24 hours.
see 2.4a

3.4b with nonexisting email account gucky1@cacert.org

Die E-Mail-Adresse 'gucky1@cacert.org' ist bereits einem anderen Konto zugeordnet. Fortsetzen nicht möglich.

=======> needs control after 24 hours.


Control:

Die E-Mail-Adresse 'gucky1@cacert.org' wurde hinzugefügt. Bevor Sie jedoch für diese Adresse Zertifikate ausstellen können, müssen Sie den Link,
der Ihnen an diese E-Mail-Adresse geschickt worden ist, in einem Browser öffnen.

==> OK


3.4c with nonexisting email account gucky@gukk.eu

Die E-Mail-Adresse 'gucky@gukk.eu' wurde hinzugefügt. Bevor Sie jedoch für diese Adresse Zertifikate ausstellen können,
müssen Sie den Link, der Ihnen an diese E-Mail-Adresse geschickt worden ist, in einem Browser öffnen.

==> OK


4. add address to not-assured account

4.1 with nonexisting TLD

Die angegebene E-Mail-Adresse war ungültig oder eine Test-Verbindung zu Ihrem Server konnte nicht aufgebaut werden oder Ihr Server hat Ihre E-Mail-Adresse als ungültig abgewiesen.

Processing email address:
- Domain Name: plofre.Tramp
- Mailbox Name: Gucky
Determining MX records for mail delivery:
- DNS lookup for MX records failed
- Defaulting to MX = 'plofre.Tramp' at priority 0
Building priority queue for test of servers:
- Will test server id 0 at host 'plofre.Tramp' with priority 0

Starting test for id 0 for host 'plofre.Tramp'
- Trying to connect to 'tcp://plofre.Tramp:25' ... FAILED
- Connection failed with code 0: php_network_getaddresses: getaddrinfo failed: Der Name oder der Dienst ist nicht bekannt
None of the email servers could be reached

==> OK


4.2 with nonexisting Domain

Die angegebene E-Mail-Adresse war ungültig oder eine Test-Verbindung zu Ihrem Server konnte nicht aufgebaut werden oder Ihr Server hat Ihre E-Mail-Adresse als ungültig abgewiesen.

Processing email address:
- Domain Name: plofre.eu
- Mailbox Name: Gucky
Determining MX records for mail delivery:
- DNS lookup for MX records failed
- Defaulting to MX = 'plofre.eu' at priority 0
Building priority queue for test of servers:
- Will test server id 0 at host 'plofre.eu' with priority 0

Starting test for id 0 for host 'plofre.eu'
- Trying to connect to 'tcp://plofre.eu:25' ... FAILED
- Connection failed with code 0: php_network_getaddresses: getaddrinfo failed: Der Name oder der Dienst ist nicht bekannt
None of the email servers could be reached

==> OK


4.3 with nonexisting Sub-Domain

Die angegebene E-Mail-Adresse war ungültig oder eine Test-Verbindung zu Ihrem Server konnte nicht aufgebaut werden oder Ihr Server hat Ihre E-Mail-Adresse als ungültig abgewiesen.

Processing email address:
- Domain Name: plofre.gukk.eu
- Mailbox Name: Gucky
Determining MX records for mail delivery:
- DNS lookup for MX records failed
- Defaulting to MX = 'plofre.gukk.eu' at priority 0
Building priority queue for test of servers:
- Will test server id 0 at host 'plofre.gukk.eu' with priority 0

Starting test for id 0 for host 'plofre.gukk.eu'
- Trying to connect to 'tcp://plofre.gukk.eu:25' ... FAILED
- Connection failed with code 0: php_network_getaddresses: getaddrinfo failed: Der Name oder der Dienst ist nicht bekannt
None of the email servers could be reached

==> OK


4.4a with nonexisting email account gucky@cacert.org

Die E-Mail-Adresse 'gucky@Cacert.org' ist bereits einem anderen Konto zugeordnet. Fortsetzen nicht möglich.

=======> needs control after 24 hours.
see 2.4a

4.4b with nonexisting email account gucky1@cacert.org

Die E-Mail-Adresse 'gucky1@cacert.org' ist bereits einem anderen Konto zugeordnet. Fortsetzen nicht möglich.

=======> needs control after 24 hours.
see 3.4b

4.4c with nonexisting email account gucky@gukk.eu

Die E-Mail-Adresse 'gucky@gukk.eu' ist bereits einem anderen Konto zugeordnet. Fortsetzen nicht möglich.

=======> needs control after 24 hours.


Control:

Die E-Mail-Adresse 'gucky@gukk.eu' wurde hinzugefügt. Bevor Sie jedoch für diese Adresse Zertifikate ausstellen können, müssen Sie den Link, der Ihnen an diese E-Mail-Adresse geschickt worden ist, in einem Browser öffnen.

==> OK

4.4d with nonexisting email account plofre@gukk.eu

Die E-Mail-Adresse 'plofre@gukk.eu' wurde hinzugefügt. Bevor Sie jedoch für diese Adresse Zertifikate ausstellen können,
müssen Sie den Link, der Ihnen an diese E-Mail-Adresse geschickt worden ist, in einem Browser öffnen.

==> OK



all results conflated

==> OK



View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1382 [Main CAcert Website] minor always 2015-05-05 05:00 2015-10-23 10:57
Reporter: INOPIAE Platform:  
Assigned To: BenBE OS:  
Priority: normal OS Version:  
Status: needs review Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Reviewed by:
Test Instructions: Check with an Org Assurer account if all domains show valid entries in the organisation overview (account/25.php) that correspond to the single entries. Only the account with id 311 shows no entries.
Summary: Missing name entries if organisation name contains special characters on Organisation overview
Description: All names of an organisation containing special characters are not displayed on account/25.php
Tags:
Steps To Reproduce:
Additional Information: Line 66
<td class="DataTD"><?=htmlspecialchars($row['O'])?>, <?=htmlspecialchars($row['ST'])?> <?=htmlspecialchars($row['C'])?></td>
Attached Files:
Notes
(0005381)
felixd   
2015-05-05 20:28   
Fix is available here: https://github.com/yellowant/cacert-devel/tree/bug-1382
(0005388)
MartinGummi   
2015-05-10 20:35   
Login with an OrgAssurer Account

List looks good

The Organisation with an umlaut (add by me at 2015-05-08) looks good

==> ok
(0005395)
Eva   
2015-05-19 19:18   
When looking at the organisation list as an org assurer only one entry looks as if something is not displayed correctly (it only shows a ",").

I was told by someone with access to the database that this is exactly as it is based on what is written in the database for that organisation.

I added a new one with multiple umlauts (%&öüä€ Umlaut name .,-§%, Name DE); it is displayed correctly.

==> OK


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1042 [Main CAcert Website] source code minor have not tried 2012-05-31 03:50 2015-10-20 21:17
Reporter: INOPIAE Platform:  
Assigned To: Eva OS:  
Priority: normal OS Version:  
Status: needs review & testing Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Reviewed by:
Test Instructions: https://bugs.cacert.org/view.php?id=1042#c5383
Summary: Review the code regarding the new point calculation
Description: Check if the point calculation is adjusted according to the new points calculation.
Tags:
Steps To Reproduce:
Additional Information:
Attached Files:
Notes
(0005383)
felixd   
2015-05-05 21:59   
(Last edited: 2015-06-02 20:03)
Test Instructions:

to create new test accounts please look at https://wiki.cacert.org/Software/TestTeam/WelcomePack/02-CreateAccounts as the test management server shows some strange behaviours with the batch assurances and the administrative increase.

General fix in points calculation:
Experience points are not counted as "points" where this is appropriate (e.g. checking if someone is an assurer).
This situation might arise as follows.
A user receives 100 points and passes CATS.
The user assures some people, receiving experience points.
An assurance to that user (one of the 100 points) gets deleted, so that his assurance + experience points are still over 100, e.g.:
90 assurance points + 10 experience points = 100 points.

the user now may for example not assure others.

Or a user with 40 assurance + 10 experience points may not include his name in certificates.


Check that the following actions still work:
- Create a certificate (client or server) and check that it is issued with the correct validity period (with respect to more or less than 50 points).
- the correct number of max assurance points is displayed when assuring someone (checking that two values are correct should suffice)
- the assurer flag gets set and unset correctly
- the 3 texts on account/55 (your trainings): "are assurer", "have 100 points but need test", "have passed challenge but need 100 points" are displayed correctly. (100 points are only 100 assurance points, please test that experience points do not count here)
- only 'real' (see 'General fix') assurers are listed in wot/1
- only listed 'real' assurers may be sent contact mails through wot/9
- stats work calculate the points (now) correctly (see 'General fix')
- "api/ccsr.php" and "api/cemails.php" are removed.
- the mail sent to assurees is correct:
   no 'rounding down' anymore
   you have now 'x' assurance points in total (with x also being > 100)


A complete check of all other features might be appropriate as well.

If you delete an assurance in the SE console please make sure that you delete the corresponding "Experience Points" assurance as well. Otherwise the calculation of the total assurance points in the SE console will not be correct.
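The points rules that this note and the later test reports describe (assurer status needs 100 assurance points plus CATS, experience points must not count towards that 100, 2 EP per assurance given, the maximum award rising 10/15/20/25/30/35 in steps of 5 assurances, and 50 points for the long certificate validity and the name in the certificate) as an added Python model, not the project's PHP code. The exact step formula, the validity strings and the `Member` type are assumptions inferred from the testers' observations on this page.

```python
"""Model of the CAcert points rules as described in bug 1042's test notes.
Added example; the real logic lives in the project's PHP (notary.inc.php).
Rules reconstructed from the notes on this page (assumptions):
  - assurer status needs 100 assurance points (AP) plus a passed CATS test;
    experience points (EP) must not count towards that 100
  - each assurance given earns the assurer 2 EP
  - the maximum an assurer may award starts at 10 and rises by 5 for every
    5 assurances given, capped at 35 (5x10, 5x15, 5x20, 5x25, 5x30, then 35)
  - 50 points are needed for the 1-month validity and for the name in the
    certificate; below that only the 3-day validity is offered
"""
from dataclasses import dataclass

EP_PER_ASSURANCE = 2
ASSURER_THRESHOLD = 100
NAME_THRESHOLD = 50
MAX_AWARD_CAP = 35


@dataclass
class Member:            # hypothetical type, not from the project
    ap: int              # assurance points received
    ep: int              # experience points earned by assuring others
    cats_passed: bool    # passed the Assurer Challenge (CATS)


def total_points_old(m: Member) -> int:
    """Pre-fix behaviour: EP were simply added to AP everywhere."""
    return m.ap + m.ep


def total_points(m: Member) -> int:
    """Fixed behaviour (felixd, note 0005405): EP only count once the member
    already holds 100 AP, so EP can never substitute for missing AP."""
    return m.ap + m.ep if m.ap >= ASSURER_THRESHOLD else m.ap


def is_assurer_old(m: Member) -> bool:
    """Buggy check: 90 AP + 10 EP passes as 100 'points'."""
    return total_points_old(m) >= ASSURER_THRESHOLD and m.cats_passed


def is_assurer(m: Member) -> bool:
    """Correct check: only assurance points count towards the 100."""
    return m.ap >= ASSURER_THRESHOLD and m.cats_passed


def max_award(m: Member) -> int:
    """Maximum AP this member may award in one assurance (0 if not assurer).
    Every block of 5 assurances given (10 EP) unlocks 5 more points, up to 35."""
    if not is_assurer(m):
        return 0
    assurances_given = m.ep // EP_PER_ASSURANCE
    return min(10 + 5 * (assurances_given // 5), MAX_AWARD_CAP)


def cert_validity(m: Member) -> str:
    """Validity a new client/server certificate is issued with."""
    return "1 month" if total_points(m) >= NAME_THRESHOLD else "3 days"


def name_in_cert_allowed(m: Member) -> bool:
    """May the member's name be included in a certificate?"""
    return total_points(m) >= NAME_THRESHOLD


def award_sequence(n: int) -> list:
    """Max points a fresh assurer (100 AP, CATS) may give on each of n
    consecutive assurances, e.g. lucasw's 26-assurance run."""
    out = []
    m = Member(ap=100, ep=0, cats_passed=True)
    for _ in range(n):
        out.append(max_award(m))
        m.ep += EP_PER_ASSURANCE   # each assurance given earns 2 EP
    return out


if __name__ == "__main__":
    # felixd's scenario: one of the 100 AP is revoked, 10 EP remain
    m = Member(ap=90, ep=10, cats_passed=True)
    print("old check:", is_assurer_old(m), "fixed check:", is_assurer(m))
    # 40 AP + 10 EP must not be enough to put the name into a certificate
    print("name allowed:", name_in_cert_allowed(Member(40, 10, False)))
    print(award_sequence(26))
```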

(0005389)
INOPIAE   
2015-05-12 19:50   
(Last edited: 2015-05-12 19:54)
Created account.
Added 49 assurance points via test mgr
Created client cert:
no class 3 selection => ok
duration 3 days => ok
become assurer

added assurance with 35 points via normal assurance
mail 35 points added you have now 35 points. => false should be 84 points
my points wot/10 shows 49 point => false should be 84 points
my points wot/15 shows 84 points => ok
SE interface shows 49 points => false should be 84 points
SE points wot/10 shows 49 points => false should be 84 points
SE points wot/15 shows 84 points => ok
created client cert:
class 3 enabled => ok
duration 3 days => false should be 1 week
become assurer

stop testing until errors are fixed

(0005396)
Eva   
2015-05-19 19:37   
I do not see that the big bunch of entries are testable in a sensible manner so that it is documented in an understandable way. Protests against this combination of so many things into one bug-entry, especially when it is about as substantial things as assurances (and a lot of other things)

Please find another way how this tests should be done.
(0005397)
BenBE   
2015-05-19 20:01   
The way these tests are handled is the only sensible one even if the bugs were split originally for review purposes. Re-combining the bugs was done on purpose as duplicating tests would have been much more trouble in regards to documentation as changes in one dependent bug/patch might introduce changes on a completely different location. Also: You were one of the people complaining to not want to test the whole system (range of effects single changes in this patch set) for every patch (result of not combining the test) in the patch set.

Furthermore: If we were not to test this change at all we wouldn't get any change of it online. There were similar patches like this in the past and while testing took some time to review the whole system (and yes, with the current software that is sometimes the only way) it has been managed.

Nobody forces you to test this patch. If you feel like you can't cope: Don't do it.

Testing is voluntary for the testers, yet compulsory for getting a change set into production. It's much preferable if the testers are confident in what they do instead of complaining.

This said: Tests can usually be split at the boundaries of the bugs while keeping in mind the features from other bugs they depend on. This can be roughly seen from the way the merges were performed while combining the change sets for this issue (some issues are merged explicitly into foreign branches despite them being merged into this bug anyway).
(0005398)
Eva   
2015-05-19 20:16   
If there is such a big bug and big patch there should be at least one (if not multiple) descriptions of what is done on a "use case" or comparable level. Something that describes for someone not deeply into the software what this is all about. This is even the case if it should not lead to any visible changes.

Currently there are only quite random thing listed, that seem to belong to different original bug entries.

I do not complain about that "everything" needs to be tested. That is something that needs to be done, now and again.

But this "everything" cannot be actually everything as one would need indefinite time to do this. So one has to focus on something. To be able to do so one has to do this with the specific kind of change in mind. It is definitely not enough to only concentrate on those points that the coder has touched, as our tests are specifically done to find side effects of those changes, especially those that the coder did not have in mind.

So instead of more or less giving a list of changes test-instructions and/or bug descriptions should be done on a different level.

Also most big features can normally be split to smaller ones. It would be good to be able to focus on those with the tests, even if one would have to do the complete test multiple times.
(0005401)
INOPIAE   
2015-05-27 05:37   
(Last edited: 2015-06-02 20:30)
I created a new account.
Via TMS gave 100 AP and CATS
Started assuring
With the 6th assurance the max points stayed with 10 points.
=> fail

(0005402)
felixd   
2015-05-27 08:40   
We tested and live-fixed that bug on another testsystem. The resulting commit is here:

https://github.com/yellowant/cacert-devel/commits/bug-1042
(0005403)
INOPIAE   
2015-06-02 20:37   
(Last edited: 2015-06-02 20:39)
I created a new account.
Via TMS gave 100 AP and CATS
Started assuring
The system shows for each successful 5 assurance the increase of the max points correct. => ok
After 25th assurance the max. point is on 35 points max. => ok
I deleted one assurance and the corresponding "Experience Points" assurance.
The totals are correct. => ok
The max. points dropped to 30 points max. => ok.
Adding a new assurance come back to 35 points max. again. => ok

(0005404)
janmaco   
2015-06-06 10:52   
Generated a user and gave him 100 AP and CATS.
Generated 24 users and let the user assure each of them.
Maximum points to assure increases in the correct interval => OK
User got 50 EP and is now able to assure up to 35 AP => OK
Removed one assurance, the user made -> The user can only assure 30 AP => OK
Removed one assurance the user got -> The user isn't able to assure anyone AFTER RELOGIN (this is kind of "fatal", but is not part of this bug) => OK
Reassured user -> user is able again to assure up to 30 points => OK
Assured another user -> got 2 EP -> user has 150 points and is able to assure 35 points => OK

Revoked all assurances the user got (still has 50 EP (_NOT_ AP)) -> generated client cert including name using SPKAC -> name included => FAIL/WARN: Discuss which behavior is correct...
In the same scenario, only short validity periods are possible (so at least the signer seems to work correctly here) => OK

Mails to assurees displayed correctly => OK

An Assurer who isn't assurer anymore by revoked assurances the user got isn't listed as assurer to others => OK
An Assurer who isn't assurer anymore by revoked assurances the user got (but still has 50 AP and 50 EP) isn't listed as assurer to others => OK
An Assurer who isn't assurer anymore by revoked assurances the user got (but still has 50 AP and 50 EP) isn't listed as assurer to others and can't be mailed by changing the id in the GET-param, but the contactform with the name appears (not this bug) => OK

api/cemails.php isn't present => OK
api/ccsr.php isn't present => OK

=> (OK, may need discussion)
(0005405)
felixd   
2015-06-06 16:38   
(Last edited: 2015-06-06 16:39)
I patched the code that calculates the 'overall points' (459292a) to only include exp. points, if there are 100 assurance points.

this should fix "name included => FAIL/WARN: Discuss which behavior is correct"

(0005406)
lucasw   
2015-06-06 17:20   
(Last edited: 2015-06-10 13:56)
I performed a test.

- Created user. Gave user three full assurances (100 AP).
  Gave user CATS. Assured 26 people.
  This was done by Felix using his script.
  That script always attempted to give 35 points;
  the software correctly truncated this to 5x10, 5x15, 5x20, 5x25, 5x30 and finally 1x35 points.
- Enabled the “Support Engineer” flag to be able to delete assurances.
- Revoked two assurances by the user. Now user has 48 EP.
- Attempted to re-assure the first of those users. Entered 35 AP.
  System displayed a maximum of 30 AP, and only 30 AP were granted.
- Attempted to re-assure the second of those users. Entered 35 AP.
  System displayed a maximum of 35 AP, and all 35 AP were granted.
- Created client cert, valid for 1 month.
- Revoked two of the assurances to the user. 87 points total, but only 35 AP.
- Created client cert, only valid for 3 days.
- Attempted to assure someone. Got error: User passed Assurer Challenge, but still needs 100 AP.
- Gave one more assurance to user and revoked one of the “Administrative increases” (2 EP from one of the assurances).
  120 points total, but only 70 AP.
- Attempted to assure someone. Entered 35 AP.
  System displayed a maximum of 0 AP, and only 0 AP were granted.
  (Note the difference to above, where user wasn’t able to assure at all.)
- Set my location, searched for assurers around that location.
  User was not listed.
- Logged out and logged in again.
- Attempted to assure someone. Menu item not present, but page reachable by entering URL manually.
  Entered 35 AP. System displayed a maximum of 0 AP, and only 0 AP were granted.
- felixd pushed two patches: Commits 99265c8 and 0adfd09.
- Gave two more assurances to user, revoked one of them.
  150 points total, 105 AP.
- Attempted to assure someone. Entered 35 AP.
  System displayed a maximum of 35 AP, and 35 AP were granted.
- Revoked one assurance to the user.
  120 points total, but only 70 AP.
- Accidentally logged out. Logged in again.
- Attempted to assure someone. Menu item not present.
  When entering URL manually, got error: User passed Assurer Challenge, but still needs 100 AP.
- Gave two more assurances to user, revoked one of them.
  150 points total, 105 AP.
- Began attempting to assure someone. Entered 35 AP.
  System displayed a maximum of 35 AP.
- Revoked one assurance to the user.
  120 points total, but only 70 AP.
- Attempted to complete the started assurance (see above; separate browser tab).
  Got error: User passed Assurer Challenge, but still needs 100 AP.
  The menu item is also hidden.

SUMMARY: With AP<100, but AP+EP>=100, the system used to allow issuing 0-point assurances (though after a relogin, the menu item was hidden).
This was fixed by felixd.
I am not aware of any further bugs related to this issue.

2015-06-10T15:53+0200 Edit: Felix asked me to check the additional commits 5ab9a73 and eadb033.

- Opened System Admin panel. Offers Revoke link. OK.
- Opened Account History panel. Shows revocation info. OK.
- Opened My Points panel. Does not show revocation info (neither old nor new calculation). OK.
- Removed Support Engineer flag from account. Logged out and logged in again.
- System Admin menu not present. Attempted to access it via URL. Got error. OK.
- Opened Account History panel. Shows revocation info. OK.
- Opened My Points panel. Does not show revocation info (neither old nor new calculation). OK.

Seeing as the commits only touched output code, I see no need to repeat the original test.

(Also available at https://lucaswerkmeister.de/cacert-1042.md, signed at https://lucaswerkmeister.de/cacert-1042.md.gpg)

(0005407)
INOPIAE   
2015-06-09 20:40   
(Last edited: 2015-06-09 21:26)
Create new account 1042.a@acme.com
Added 49 points via TMS
Created client cert, duration 3 days => ok
Created server cert, duration 3 days => ok
Added 1 AP, total 50 AP
Created client cert, duration 1 month => ok
Created server cert, duration 1 month => ok
GPG certs available => ok
Revoked the assurance 1 AP, total 49 AP
Certificates were not revoked, is this needed here?
Created client cert, duration 3 days => ok
Created server cert, duration 3 days => ok
GPG certs not available => ok
GPG.php?id=0 and id=2 redirected to account.php => ok
Added 35 AP and 15 AP, total 99 AP
Created client cert, duration 1 month => ok
Created server cert, duration 1 month => ok
GPG certs available => ok
Added code signing flag to account (should not be granted)
Client cert does not show the code signing option => ok
Added 1 AP, total 100 AP
Client cert does not show the code signing option => ok
Cannot assure => ok
Added CATS
Client cert shows the code signing option => ok
Cannot assure. After relogin can assure => ok
Assured 1 user with 10 points => ok
Revoked 1 AP, total 99 AP
Assure someone gives warning and no assurer option => ok
direct call of wot.php?id=5 shows same behaviour => ok
Client cert does not show code signing option => ok
In SE console Assurance Points shows 99 AP => ok
Added 1 AP, total 100
user is able to assure again => ok
Client cert shows the code signing option => ok
Added 5 more assurance 12 EP in total
Set location and allow my listing
User listed in Find Assurer with 15 AP => ok
Revoked 1 AP assurance, 99 AP in total
Assure someone gives warning and no assurer option => ok
direct call of wot.php?id=5 shows same behaviour => ok
Client cert does not show code signing option => ok
User not listed in Find Assurer => ok
Added 1 AP, total 100
user is able to assure again with 15 AP => ok
Client cert shows the code signing option => ok

mails to the assuree always show the desired behaviour => ok

=> ok

(0005418)
Eva   
2015-07-12 20:51   
Arbitration notice from Arbitrator of a20140126.1:
This bug should not go productive until a question raised in the case related to this bug is answered and a possible issue is clarified.

Hopefully no issue will be detected and the block can be removed, soon.
(0005469)
Ted   
2015-10-15 21:21   
(Last edited: 2015-10-15 21:24)
Commit 345eb2e771f6475e243f406fe37c41933a520c11 vs. eadb03311454c5dc6234c45a76eb5943612568e0?

All line numbers reference the files from eadb03311454c5dc6234c45a76eb5943612568e0.


==============
|REVIEW FAILS|
==============

includes/notary.inc.php
=======================


functions revoke_assurance and recalculate_old_assurance_points, lines 2213 and 2232:
The LIMIT clause should be removed, or a comment added why it is needed.

The LIMIT clause is not a standard SQL clause and redundant to the primary key constraint here. If there are
multiple primary keys in this table we're in deep trouble, regardless whether one or all rows are updated...


www/wot.php
===========

Line 417:

if(($drow_points + $awarded) >= 100 && $drow_points < 0 && !is_assurer(intval($_SESSION['_config']['notarise']['id'])) )

Am I completely stupid? Shouldn't this read "&& $drow_points > 0"??? As I see it, $drow_points will never be below zero!
Correct this, or explain to me that I'm wrong...

==============
|Minor issues|
==============

CommModule/client.pl
====================

Line 444:
- Why is the expired data field ignored here? It was ignored before, but as I see it expired notaries should not be counted here.


includes/lib/account.php
========================
Lines 52 and 85:

Why "AND `n`.`from` != `n`.`to`" clause? It should not hurt, but how can "from" be equal to "to"?

pages/account/55.php
====================
Why "AND `n`.`from` != `n`.`to`" clause, see above?


includes/lib/general.php
========================

Lines 146ff:

Old code was explicitly false when handling temporary points ("AND `n`.`expire` < now()").
New code does not handle temporary points at all?


includes/notary.inc.php
=======================

Function get_received_experience_points, line 349:
Line "$res = get_received_assurances(intval($userid));" should be below the comment, since it is part of the logic that should be removed in the future


scripts/cron/refresh_stats.php
==============================
In several statements "expire" is not regarded.


pages/wot/1.php
===============
Statement Line 92ff, extremely ugly, see mail.


=============
|Other Notes|
=============

CommModule/readme.txt
=====================
OK


CommModule/usbclient.pl
=======================
(deleted)

According to mail from Benny the module is neither used nor supported anymore.


cgi-bin/siteseal.cgi
====================
(deleted)

According to mail from Benny, the Site Seal 7 Site Stamp feature has been deactivated for quite some time.


includes/account.php
====================
OK

includes/general.php
====================
OK



includes/loggedin.php
=====================
OK


pages/account/43.php
====================
OK


pages/wot/9.php
===============
OK. Quite ugly, but not worse than before.



scripts/cron/updatesort.php
===========================
OK

stamp/*
=======

deleted, see siteseal.cgi

www/api/ccsr.php
================

OK. API for requesting certificates removed.

www/api/cemails.php
===================

OK. API for querying own account information removed.

www/index.php
=============

OK

(0005474)
BenBE   
2015-10-18 15:08   
Regarding the review fails:

- For the first issue in includes/notary.inc.php:
If you prefer SQL-standard compliant versions you can leave this clause out. It was primarily added for defense in depth if some conditional was screwed.

- For the second issue in www/wot.php line 417:
The conditional is wrong and despite my first look at it and some more backtracing it should read ($drow_points < 100) or to quote the full line:

if(($drow_points + $awarded) >= 100 && ($drow_points < 100) && !is_assurer(intval($_SESSION['_config']['notarise']['id'])) )

Thus, given my backtracing was correct, $drow_points at that location holds the old number of points issued to the user and the condition will succeed when the user first has 100 or more points, while having fewer previously.

- CommModule/client.pl:
The handling of expired points is indeed missing and should be added to be consistent with the WebDB software. Even though there should be no affected records (no current temporary increases, no such programs defined, old records cleaned by Cronjob) it's better to be safe here.

- include/lib/general.php:
Have to revisit the code changes there to say more on this change.

- refresh_stats.php
Intentionally ignored (as with deleted entries) to make stats more self-consistent.

@Ted: You can perform the changes required; I'll revisit the modified locations for my review afterwards.
(0005475)
felixd   
2015-10-19 23:02   
(Last edited: 2015-10-20 19:03)
Regarding www/wot.php line 417:

This is indeed unclear when which part has to be sent.
I changed the conditionals to have the following meaning:
- include "you have reached 50 points..." when the assuree now has more than 50 points and hadn't before
- include "You can now become an assurer" when the assuree now has more than 100 points and hadn't before and is no assurer yet.

Regarding the LIMIT clauses:
As BenBE said, we are already heavily depending on MySQL syntax (every time there is a backtick quote) and using mysql-specific functions (mysql_query).
The Limit clause helps to state the programmer's intent that only one line is to be modified and thereby beneficial to make the code understandable.

As to "expires":
As BenBE already told there should be no expired records.
Handling expired records consistently would include adding this extra clause in every SQL-query touched.
As there should not be expired records, I think, that we should not try to add extra complexity in so many different locations.

The "`n`.`from` != `n`.`to`"-clauses:
All "Administrative Increase" points should be of the structure that `from` = `to`.
We want to select only "regular" assurances and adding `from` != `to` keeps us safe against data entries similar to "Administrative Increase"es.

I added a commit that changes the bad conditional:
https://github.com/yellowant/cacert-devel/commits/bug-1042

I'd say all other things are fine.
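The www/wot.php line 417 conditional as reviewed by Ted, corrected by BenBE and explained by felixd, as an added Python model (not the project's PHP): `prev` stands for $drow_points, `awarded` for $awarded, and the two functions show why the old `$drow_points < 0` clause could never fire while the corrected `< 100` clause fires exactly once per crossing. The `>=` boundary for the 50-point text is an assumption chosen to match the `>= 100` comparison of the original line.

```python
"""Model of the assuree-mail conditional from www/wot.php line 417 of
bug 1042. Added example; the project's code is PHP and is not reproduced.
`prev`    = $drow_points, the assuree's points before this assurance
`awarded` = $awarded, the points given in this assurance
Both the old and the new total matter because the texts are meant to go
out only when a threshold is crossed by this very assurance.
"""
ASSURER_THRESHOLD = 100
FIFTY_THRESHOLD = 50


def assurer_text_old(prev: int, awarded: int, already_assurer: bool) -> bool:
    """The reviewed line: `>= 100 && $drow_points < 0 && !is_assurer(...)`.
    A point balance is never negative, so this is dead code: the
    "You can now become an assurer" text was never appended."""
    return prev + awarded >= ASSURER_THRESHOLD and prev < 0 and not already_assurer


def assurer_text_fixed(prev: int, awarded: int, already_assurer: bool) -> bool:
    """BenBE's correction: the assuree now has 100 or more points, had fewer
    than 100 before, and is not an assurer yet."""
    return (prev + awarded >= ASSURER_THRESHOLD
            and prev < ASSURER_THRESHOLD
            and not already_assurer)


def fifty_text(prev: int, awarded: int) -> bool:
    """felixd's other clause: 'you have reached 50 points...' is included when
    this assurance carries the assuree over 50 and they were below before.
    Using >= at the boundary is an assumption (mirrors the >= 100 test)."""
    return prev + awarded >= FIFTY_THRESHOLD and prev < FIFTY_THRESHOLD


def mail_extras(prev: int, awarded: int, already_assurer: bool) -> list:
    """Texts appended to the assuree mail for one assurance (fixed logic)."""
    extras = []
    if fifty_text(prev, awarded):
        extras.append("reached 50 points")
    if assurer_text_fixed(prev, awarded, already_assurer):
        extras.append("can become assurer")
    return extras


def crossing_count(check, awarded: int = 35, upto: int = 200) -> int:
    """Number of starting balances 0..upto for which `check` fires when
    `awarded` points are given to a non-assurer. The old clause yields 0
    for any award; the fixed one yields exactly `awarded` balances."""
    return sum(1 for prev in range(upto + 1) if check(prev, awarded, False))


if __name__ == "__main__":
    # felixd's 90 + 10 case: old clause silent, fixed clause sends the text
    print(assurer_text_old(90, 10, False), assurer_text_fixed(90, 10, False))
    print(mail_extras(40, 10, False), mail_extras(90, 10, False))
    print(crossing_count(assurer_text_old), crossing_count(assurer_text_fixed))
```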

(0005476)
Eva   
2015-10-20 06:01   
Arbitration note from the Arbitrator of a20140126.1 - as stated above that case is blocking this bug. The blocking element for that case is - since over a quarter of a year(!) - the review and test for an appropriate SQL query to be able to inform affected users about the change to their accounts/assurances (or the display of those).

As this mail has to be sent weeks prior to the installation of this bug, handle the requested SQL query with priority. There is an Arbitration request to do this for months.

The requirements about the query are quite clear.

I do not care what the query looks like, as long as the requirements are met. The current proposal from my side is:

1st:
---
SELECT count(*)
FROM `notary` AS `n`
WHERE `n`.`from` = `n`.`to`
AND `n`.`method` LIKE 'Administrative%'
AND ( `n`.`awarded` > 2 OR `n`.`points` > 2 )
AND `n`.`deleted` != 0;
---

2nd:
---
SELECT count(*)
FROM `notary` AS `n`
WHERE `n`.`from` != `n`.`to`
AND `n`.`method` LIKE 'Administrative%'
AND `n`.`deleted` != 0;

To be able to answer a question in that case, and to get an idea of the severity of the issue (and if there is a need to inform members, at all).

You may also provide another version, that also provides the Fname, Lname and email of the assuree, for accounts that are not deleted and any other parts which may be required to inform a member via a mail-script, if you regard it to be likely that there are affected members.

As already stated, you may also provide different queries, that match the requirements (or update the above to fix syntactic or comparable issues).

If you think that you need to know if there are recent entries of higher administrative increases on the production system you may add a grouping for the years of the assurances. You may also provide a version for a counter per kind of assurances if you (Benny as claimant) regard it to be relevant to check this, by adjusting the "like" or whatever is needed, or a grouping for "points/awarded", or a counter per value.

However, my requirement is, that at the time being only counts and no specific values of affected accounts are provided. (Beside of possibly a version with name and email to contact affected users, probably via automated mail-script.)

The description about what the queries should provide by Benny:
"Regarding the first statement the reason is to see if there are any
administrative increases in the database where more than 2 points were
allocated to the columns points or awarded. There should be no such
records available as the administrative increase by default should be at
most 2 points.

The second statement is to see if there are any administrative increases
in the database where the person issuing points (`from`) is not the same
as receiving them (`to`). There should be no such records available as
the administrative increase as present in the software is always set to
make `from` equals `to`."



I also place a warning against Benny here, if this is not covered, soon. If you continue to insist on queries that will provide data that was not allowed by the Arbitrator, or if you continue to reject the decision of the Arbitrator of if you continue to delay the creation and review of this query, there will be consequences. You were warned before, multiple times. There were meetings about this. There were agreements, which seem to be waved by you, already.

Also: The review of the query is a lot easier than the review of this bug, so I definitly cannot understand why it is not done.

There was already a deadline for 2015-08-26 00:00 UTC, which was not met. Then there was a meeting where you promised to cover this, ASAP. Then I got a mail that this would be covered ASAP but not within the next weeks, because you decided that you would cover Arbitration requests in an order of your likeing (arbitration number). Then there were answers to other cases, with a higher number. But the only answers I got for this case were "rejected" because you insist that more informations should be gathered, at 2015-07-12.
(0005477)
Eva   
2015-10-20 06:09   
Arbitration notice of Arbitrator of a20141024.1:
Please remove the assignment to Dirk. He is currently blocked from acting as a Software Assessor because of a decision in that case, to prevent conflicts with another role that he currently holds temporarily. The relevant part of the ruling is:

"Dirk is suspended from active regular Software Assessor work. He may be active in emergency situations. (Situations where a necessary bug cannot be installed in an acceptable amount of time, without his review.)"

The ruling can be found at: https://wiki.cacert.org/Arbitrations/a20141024.1
It was given on 2015-09-07.

Please also remove any other current assignment to Dirk for reviewing bugs that do not match the requirement of that ruling.

As this bug is currently blocked, based on an Arbitration decision, the installation of this bug does not currently depend on a review by him.
(0005478)
Eva   
2015-10-20 21:17   
Follow up notice: Any SA should be quite careful about placing review assignments on people who are not SAs. Please think about what you are doing. For one, it does not make sense, but it also makes it harder to get those bugs found by the people who can review those bugs. But even more, any SA should avoid giving the idea that they are trying to get bugs reviewed by persons who are not SAs by intention. - Even if no process would be tried, it probably should not be done by assignment. And those people should at least be familiar with PHP.

To assign bugs for review to people who are not trained or at least familiar with the software, could be understood as a security issue - done by intention.

Please be a little bit more careful what you do.


View Issue Details
ID: 863
Category: [Main CAcert Website] account administration
Severity: feature
Reproducibility: have not tried
Date Submitted: 2010-09-10 14:29
Last Update: 2015-10-20 20:15
Reporter: Uli60
Platform:
Assigned To: Eva
OS:
Priority: normal
OS Version:
Status: needs work
Product Version:
Product Build:
Resolution: open
Projection: none
ETA: none
Fixed in Version:
Target Version: production
Reviewed by:
Test Instructions:
Summary: limitation to 2 ttp assurances
Description: regarding new TTP-Assisted Assurance Policy (WIP, 2010-09-10)
https://svn.cacert.org/CAcert/Policies/TTPAssistedAssurancePolicy.html
the system has to limit the count of TTP assurances to 2.
If someone tries to enter a TTP-assisted assurance into the system,
the system has to block this assurance or the selection
for TTP-assisted assurance needs to be disabled
Tags:
Steps To Reproduce:
Additional Information:
Attached Files:
Notes
(0003557)
Werner Dworak   
2012-12-23 09:25   
See error reports in bug 1112


View Issue Details
ID: 1023
Category: [Main CAcert Website] web of trust
Severity: minor
Reproducibility: always
Date Submitted: 2012-03-13 23:24
Last Update: 2015-10-20 20:15
Reporter: NEOatNHNG
Platform:
Assigned To: Eva
OS:
Priority: normal
OS Version:
Status: needs work
Product Version:
Product Build:
Resolution: fixed
Projection: none
ETA: none
Fixed in Version: 2012 Q2
Target Version:
Reviewed by: dastrath, NEOatNHNG
Test Instructions:
Summary: Consolidate changes into the Assure Someone page
Description: There are various changes that all have an effect on the assure someone page.

This bug tracks the rewrite to include those changes.
Tags: Assure Someone
Steps To Reproduce:
Additional Information:
Attached Files: 6.php.patch (1,323 bytes) 2012-03-14 02:34
http://bugs.cacert.org/file_download.php?file_id=253&type=bug
test 22.04.2012 12-15-55.txt (193,085 bytes) 2012-04-22 10:41
http://bugs.cacert.org/file_download.php?file_id=256&type=bug
assurtest4b.xml (42,528 bytes) 2012-04-22 10:42
http://bugs.cacert.org/file_download.php?file_id=257&type=bug
test20.05.2012 19-11-55.txt (193,084 bytes) 2012-05-20 17:35
http://bugs.cacert.org/file_download.php?file_id=259&type=bug
Notes
(0002876)
NEOatNHNG   
2012-03-14 01:07   
Changes put onto the test server. There is at least one regression introduced by the patch (the date that determines which 0-point assurances are yellow is wrong), will fix that in the next days.
(0002877)
MartinGummi   
2012-03-14 01:58   
(Last edited: 2012-03-14 01:59)
- New account 6php1(6.php Test)
- Mail ping/pong
- Automated Assurance
    # Number of points
    0 35
    1 35
    2 30
- challenge me
- logout/login
- Assure Someone

- Without ALL
A: ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert

- With Location "Germany"
A: ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert

I wonder about the automatic update of Date with the same value as Location:
Location: Germany
Date: Germany

- With Location "Germany" and Date "Germany"
A: ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert

- With Location "Germany", Date "Germany" and Points 10
A: ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert

- With Location "Germany", Date "Germany", Points 10 I certify that <someone> has appeared in person
A: ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert

- With Location "Germany", Date "Germany", Points 10 I certify that <someone> has appeared in person, I believe that the assertion of identity I am making is correct, complete and verifiable. I have seen original documentation attesting to this identity. I accept that the CAcert Arbitrator may call upon me to provide evidence in any dispute, and I may be held responsible.
ERROR: Race condition discovered, user altered details during assurance procedure. PLEASE MAKE SURE THE NEW DETAILS BELOW MATCH THE ID DOCUMENTS.

- With Location "Germany", Date "Germany", NO Points, I certify that <someone> has appeared in person, I believe that the assertion of identity I am making is correct, complete and verifiable. I have seen original documentation attesting to this identity. I accept that the CAcert Arbitrator may call upon me to provide evidence in any dispute, and I may be held responsible.
ERROR: Race condition discovered, user altered details during assurance procedure. PLEASE MAKE SURE THE NEW DETAILS BELOW MATCH THE ID DOCUMENTS.

ERROR: You must enter the number of points you wish to allocate to this person.

(0002884)
NEOatNHNG   
2012-03-21 00:13   
Changes have been reverted from the testserver again as the fix had some bugs that prevented assure someone from working
(0002885)
NEOatNHNG   
2012-03-21 00:22   
Patch from magu has been applied on the branch. Waiting for fix for the main problem until merging again.
(0002904)
NEOatNHNG   
2012-03-27 21:57   
Dirk fixed race condition check error. Applied to test server: please test and review.
(0002906)
INOPIAE   
2012-03-27 22:06   
(Last edited: 2012-03-27 22:40)
With a new account 100 AP and CATS passed
Assure someone
If information is missing, the error messages are shown correctly.
But all checkboxes are empty after the error message.
The assurance could be entered.

Account with
Method TTP:
Certify: no
Confirm assurance: no
Confirm AP: yes
Points: Empty
ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
=> ok

Certify: no
Confirm assurance: yes
Confirm AP: no
Points: Empty
ERROR: You must enter the number of points you wish to allocate to this person.
=> ok

Certify: no
Confirm assurance: yes
Confirm AP: no
Points: 35
Entered
=> ok

Certify: no
Confirm assurance: yes
Confirm AP: yes
Points: 35
Entered
=> ok

Method F2F:
Shows the same results, but it should only allow the assurance if all checkboxes are set.

Method TopUP:
Is available, but should not be for TTP Admin.
Assurance could be entered with checkbox Confirm assurance only and points.

Account with Board flag
Only F2F available
Works as desired, see normal account above

Account with Admin and Board flag.
Shows TTP Admin behavior
=> ok

Account with 0 points
no assurance possible
=> ok

Account with 50 points
no assurance possible
=> ok

Account with 100 points, no CATS passed
no assurance possible
=> ok

(0002907)
INOPIAE   
2012-03-27 22:32   
TTP TOPUP is not available anymore for TTP Admin flag account
(0002908)
Uli60   
2012-03-27 22:49   
(Last edited: 2012-03-27 22:50)
user1: 100 AP, 50 EP (AP incl. Thawte points)
a. all checkboxes empty
   ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
   => OK
b. certify yes, assertion no, AP no
   ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
   => OK
c. certify no, assertion yes, AP no
   ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
   => OK
d. certify no, assertion no, AP yes
   ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
   => OK
e. certify yes, assertion yes, AP no
   passes
   => ???
      Thawte points removal, revoke assurance,
      reapply (old) assurance, should be allowed with AP set to no
      ok this way
f. certify yes, assertion no, AP yes
   ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
   => OK
g. certify no, assertion yes, AP yes
   ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
   => OK
h. certify yes, assertion yes, AP yes
   passes
   => OK

date field will be overwritten by location text in error case and form reload

(0002909)
Uli60   
2012-03-27 23:05   
new round:
user1: 100 AP, 50 EP (AP incl. Thawte points)
b. certify yes, assertion no, AP no
   ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
   => OK
h. new form with date in date field, location in location field
   certify yes, assertion yes, AP yes
   passes
   => OK
(0002910)
Uli60   
2012-03-27 23:18   
user1: 100 AP, 50 EP, ttpadmin=1, assurance method F2F
a. all checkboxes empty
   ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
   => OK
b. certify yes, assertion no, AP no
   ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
   => OK
c. certify no, assertion yes, AP no
   passes
   => FAIL

d. certify no, assertion no, AP yes
   ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
   => OK
e. certify yes, assertion yes, AP no
   passes
   => ???
      Thawte points removal, revoke assurance,
      reapply (old) assurance, ok
f. certify yes, assertion no, AP yes
   ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
   => OK
g. certify no, assertion yes, AP yes
   passes
   => FAIL

h. certify yes, assertion yes, AP yes
   passes
   => OK

2 FAILURES !!
(0002911)
Uli60   
2012-03-27 23:49   
(Last edited: 2012-03-27 23:59)
user1: 100 AP, 50 EP, ttpadmin=1, assurance method Trusted 3rd Parties
a. all checkboxes empty
   ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
   => OK
b. certify yes, assertion no, AP no
   ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
   => OK
c. certify no, assertion yes, AP no
   passes, WHITE WINDOW, no response, have to re-login
   =>
   by default ok, as user didn't appear in person before TTPassurer, only
   before TTP
   => FAILURE by White Window, 2nd test, to reproduce
   2nd test
   certify no, assertion yes, AP no
   passes
   =>
   by default ok, as user didn't appear in person before TTPassurer, only
   before TTP

d. certify no, assertion no, AP yes
   ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
   => OK
e. certify yes, assertion yes, AP no
   passes
   => ???
      Thawte points removal, revoke assurance,
      reapply (old) assurance
      can also fix old TTP assurances, ok
f. certify yes, assertion no, AP yes
   ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
   => OK
g. certify no, assertion yes, AP yes
   passes
   =>
   by default ok, as user didn't appear in person before TTPassurer, only before TTP

h. certify yes, assertion yes, AP yes
   passes
   => OK

0 FAILURES

(0002912)
Uli60   
2012-03-28 00:01   
assurer, ttpadmin=1
assure someone assurance method options are:
Face-2-Face ok
Trusted 3rd Parties ok
=> ok
(0002913)
Uli60   
2012-03-28 00:20   
user1: 100 AP, 50 EP, board=1, assurance method (no selection box avail -> OK), so F2F
a. all checkboxes empty
   ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
   => OK
b. certify yes, assertion no, AP no
   ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
   => OK
c. certify no, assertion yes, AP no
   ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
   => OK
d. certify no, assertion no, AP yes
   ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
   => OK
e. certify yes, assertion yes, AP no
   passes
   => ???
      Thawte points removal, revoke assurance,
      reapply (old) assurance, ok for this
   view my points, new calculation
   assurance is entered, but assurance method is <empty>
   error reproduced, see also bug#855 report
   => FAIL

f. certify yes, assertion no, AP yes
   ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
   => OK
g. certify no, assertion yes, AP yes
   ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
   => OK
h. certify yes, assertion yes, AP yes
   passes
   =>
   view my points, new calculation
   assurance is entered, but assurance method is <empty>
   error reproduced, see also bug#855 report
   => FAIL

2 FAILURES !!
(0002934)
Uli60   
2012-04-17 21:43   
user 100 pts, cats passed

f2f assurances, checkbox settings:
000 failure => ok
x00 failure => ok
0x0 failure => ok
00x failure => ok
xx0 passed => ok
x0x failure => ok
0xx failure => ok
xxx passed => ok
(0002935)
Uli60   
2012-04-17 21:50   
user 150 pts, cats passed

f2f assurances, checkbox settings:
000 failure => ok
x00 failure => ok
0x0 failure => ok
00x failure => ok
xx0 passed => ok
x0x failure => ok
0xx failure => ok
xxx passed => ok

mypoints => ok
newcalc => ok
(0002936)
Uli60   
2012-04-17 22:02   
user 150 pts, cats passed, ttpadmin=1

f2f assurances, checkbox settings:
000 failure => ok
x00 failure => ok
0x0 passed => failure
00x failure => ok
xx0 passed => ok
x0x failure => ok
0xx passed => failure
xxx passed => ok

mypoints => ok
newcalc => ok

2 Failures
(0002937)
INOPIAE   
2012-04-17 22:05   
(Last edited: 2012-04-17 22:17)
First test:
User with following flags:
SE on
CS on
TTP on
Board off
Location on
TVerify off

Test 1
certify off
location empty
date empty
method TTP
assertion on
AP off
points 200
Assurance with 200 points entered => failure with points

Test 2
certify on
location empty
date empty
assertion on
Method F2F
AP on
points 200
Assurance with 200 points entered => failure no 200 no location

see 1032

(0002953)
INOPIAE   
2012-04-22 10:39   
(Last edited: 2012-04-22 10:43)
I tested with my automated test system with the following account settings:
1. 80 points, no CATS, no flags
2. 80 points, CATS, no flags
3. 100 points, no CATS, no flags
4. 100 points, CATS, no flags
5. 102 points, CATS, no flags
6. 150 points, CATS, no flags
7. 150 points, CATS, TTP admin

The test cases are in assurtest4b.xml. At the end of each section the location is set to one blank (" ").

For single results see the attached file test 22.04.2012 12-15-55.txt.
The three reported errors are due to the missing preconditions for the assurances for accounts 1-3.
All other tests were OK.
=> PASSED under the condition that as TTP there is no distinction between F2F and TTP and for TTP the requirements are assertion set and points given.

(0002992)
NEOatNHNG   
2012-05-08 23:06   
After some fixes by Dirk I have reviewed the changes and found them acceptable. Please retest.
(0002997)
NEOatNHNG   
2012-05-20 17:18   
After a hint from Marcus I corrected a regression that results in the form always showing that you have not checked enough boxes. Please test and re-review
(0002998)
INOPIAE   
2012-05-20 17:40   
I tested with my automated test system with the following account settings (new accounts):
1. 80 points, no CATS, no flags
2. 80 points, CATS, no flags
3. 100 points, no CATS, no flags
4. 100 points, CATS, no flags
5. 102 points, CATS, no flags
6. 150 points, CATS, no flags
7. 150 points, CATS, TTP admin

The test cases are in assurtest4b.xml. At the end of each section the location is set to one blank (" ").

For single results see the attached file test20.05.2012 19-11-55.txt.
The three reported errors are due to the missing preconditions for the assurances for accounts 1-3.
All other tests were OK.
=> PASSED under the condition that as TTP there is no distinction between F2F and TTP and for TTP the requirements are assertion set and points given.

I also did a few manual tests.
When doing the first assurance, the current date is prefilled into the date field.
For the next assurance it stays.
If I change the date to another value and do a third assurance the date from the last assurance is prefilled. => OK
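The acceptance rule the two automated test reports above settle on (a TTP admin needs the assertion box and points, any other assurer needs the certify and assertion boxes, the AP box is never required), written out as an added example that is not code from the CAcert repository. It replays the eight checkbox combinations in Uli60's "000".."xxx" notation (certify, assertion, AP) for both kinds of account; the function and field names are assumptions, while the error strings are the ones quoted in the notes.

```php
<?php
// Added example, not code from the CAcert repository: models the checkbox and
// points validation of the "Assure Someone" form as inferred from the test
// matrices in this bug. Function and field names are assumptions.

const ERR_BOXES  = 'You failed to check all boxes to validate your adherence to the rules and policies of CAcert';
const ERR_POINTS = 'You must enter the number of points you wish to allocate to this person.';

/**
 * Returns null when the submission is acceptable, otherwise the error text.
 *
 * $post holds the submitted fields: the checkboxes certify, assertion and ap
 * are present only when ticked; points is the raw string from the form.
 * $ttpadmin says whether the assurer holds the TTP admin flag.
 */
function validate_assurance(array $post, bool $ttpadmin): ?string
{
    // A browser sends a checkbox only when it is ticked, so test presence.
    $certify   = !empty($post['certify']);
    $assertion = !empty($post['assertion']);

    // Rule accepted in note 0002953: a TTP admin (F2F or TTP method alike)
    // needs the assertion box; every other assurer needs certify and
    // assertion. The AP box is never required ("xx0 passed" in 0002934).
    $boxesOk = $ttpadmin ? $assertion : ($certify && $assertion);
    if (!$boxesOk) {
        return ERR_BOXES;
    }

    // Points must be a positive integer: "", "abc", "-5" and "3.5" are rejected.
    $points = (string) ($post['points'] ?? '');
    if (!ctype_digit($points) || (int) $points < 1) {
        return ERR_POINTS;
    }
    return null;
}

/**
 * Runs the eight checkbox combinations in Uli60's "000".."xxx" notation
 * (certify, assertion, AP) and returns 'passed' or 'failure' per mask.
 */
function checkbox_matrix(bool $ttpadmin, string $points = '35'): array
{
    $results = [];
    foreach (['000', 'x00', '0x0', '00x', 'xx0', 'x0x', '0xx', 'xxx'] as $mask) {
        $post = ['points' => $points];
        if ($mask[0] === 'x') { $post['certify']   = '1'; }
        if ($mask[1] === 'x') { $post['assertion'] = '1'; }
        if ($mask[2] === 'x') { $post['ap']        = '1'; }
        $results[$mask] = validate_assurance($post, $ttpadmin) === null ? 'passed' : 'failure';
    }
    return $results;
}

// Plain assurer: only xx0 and xxx pass, as in note 0002934.
echo "assurer:\n";
foreach (checkbox_matrix(false) as $mask => $result) {
    echo "  $mask $result\n";
}
// TTP admin: 0x0, xx0, 0xx and xxx pass, the behaviour seen in 0002936 that
// note 0002953 then accepted as correct.
echo "ttpadmin=1:\n";
foreach (checkbox_matrix(true) as $mask => $result) {
    echo "  $mask $result\n";
}
// Empty points with all boxes ticked yields the points error, as in 0002876.
echo validate_assurance(['certify' => '1', 'assertion' => '1', 'ap' => '1'], false), "\n";
```

The checkbox test comes before the points test because that is the order in which the reports above observe the two errors. The two cases Uli60 flagged as failures in 0002936 (0x0 and 0xx for a TTP admin using the F2F method) come out as "passed" here on purpose: the later report accepted that a TTP admin is not distinguished by method.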
(0003000)
INOPIAE   
2012-05-22 23:23   
Please do the final review and tell Michael to move it to production.
(0003003)
NEOatNHNG   
2012-05-22 23:31   
Fixed another regression in today's Software Assessment meeting and adjusted the explanation for the now pre-filled date field. The two tests above already took that into account.

Please do a second review
(0003024)
NEOatNHNG   
2012-05-29 22:18   
(Last edited: 2012-05-29 22:19)
Patch has been reviewed by dirk in the Software Assessment meeting. Mail will be sent to critical admins.

(0003025)
wytze   
2012-05-30 17:52   
The patch has been installed on the production server on May 30, 2012. See also:
https://lists.cacert.org/wws/arc/cacert-systemlog/2012-05/msg00004.html
(0003814)
Uli60   
2013-03-12 22:37   
apply new assurance method TTP (starting 2013)
(0003815)
Uli60   
2013-03-12 22:40   
updates under 0001112 require an update of the points count calculation
for the new assurance method TTP-assisted-assurance (new program starting 2013)


View Issue Details
ID: 920
Category: [Main CAcert Website] account administration
Severity: major
Reproducibility: always
Date Submitted: 2011-04-10 23:52
Last Update: 2015-10-20 20:15
Reporter: Uli60
Platform:
Assigned To: Eva
OS:
Priority: normal
OS Version:
Status: needs work
Product Version:
Product Build:
Resolution: open
Projection: none
ETA: none
Fixed in Version:
Target Version:
Reviewed by: Ted, NEOatNHNG
Test Instructions:
Summary: error "First and/or last names were blank." conflicts with International Requirements (eg Indonesian Names (Givenname only))
Description: https://lists.cacert.org/wws/arc/cacert/2011-04/msg00009.html
https://lists.cacert.org/wws/arc/cacert/2011-04/msg00010.html
https://lists.cacert.org/wws/arc/cacert/2011-04/msg00011.html
https://lists.cacert.org/wws/arc/cacert/2011-04/msg00012.html
Tags:
Steps To Reproduce:
Additional Information: [BH] A friend of mine is Indonesian and she has two names, none of which is a family name. All her siblings have two totally different names. Her father has only one single name. If they want to open up a CAcert account [1], they won't be able to, since you need to key in a first and a family name.
So I checked the "Practice on Names" page [2] but could not find any transition. On Wikipedia [3] I read some interesting information on how countries deal with this issue: either they use a placeholder (LNU [4] (US), Onbekent (NL)) or they double the given name and use it then both as first and family name. In Indonesia, official documents only contain the names given to a person.

[IG] You're probably all aware by now (from ATEs :) of the impact of Assurance Policy's Assurance Statement which creates a balance between the member *in the community* ,and the labels (names) attached *to that member* . This document envisages that western naming conventions and legal assumptions are not universal and may not even be translatable outside the European tradition.

In short there is no difficulty from a policy perspective moving to two given names rather than first & last name.

Implementation however is a different story. The BirdShack team took the view that the name (implementation) field should be a single long string rather than dividing up into first, middle, last, pre-title, post-title, and variations. Then, AP establishes the need for multiple names, so variations are simply additional long strings, and an assurance will award Assurance Points over each long string individually.

Probably what will happen in the future is that the BirdShack idea of one long name string will be incorporated into current software at the same time as the (big) multiple names patch goes through. But that's an issue for Software Team to work through... In their time. Help there is always welcome :)
Attached Files:
Notes
(0002521)
INOPIAE   
2011-09-26 10:59   
(Last edited: 2011-09-26 18:14)
Solution could be in line 432 of ../index.php:
exchange "||" for "and"
if ($_SESSION['signup']['fname'] == "" and $_SESSION['signup']['lname'] == "")

Maybe the error message in 435 should be adjusted as well, but here I think we could leave the old one for the time being.

In this case the error only occurs if both fields (first name and last name) are empty. This should cover all problems with having just one name or an artist's name.
The Practice on Names and maybe the AP need to be adjusted.

(0002582)
Ted   
2011-10-08 11:16   
Made some modifications in PracticeOnNames to clarify procedure if no "family name" can be identified.

It already allows names consisting of a single part, see the example "Bushido".
(0002583)
Ted   
2011-10-08 11:26   
For simplicity of code I'd say that a single name should go into the lname field, regardless whether it is a given or family name, and the error message should be adjusted correspondingly.

New branch bug-920 created, proposed fix checked in and installed on testserver.
(0002584)
Ted   
2011-10-08 11:35   
(Last edited: 2011-10-08 12:04)
Did some quick tests, seems to work as intended:

- Used "Join" on startpage
- All names empty: Error "Last name is blank. If your name consists only of a single part please use the last name field." ==> OK
- Only first name filled out: "Last name is blank. If your name consists only of a single part please use the last name field." ==> OK
- Only last name filled out: Accepted (account bernhard.froehlich@convey.de) ==> OK

- Logged in as Assurer
- Assured account bernhard.froehlich@convey.de
- Checked "My Points", "Assurances you issued": Target account shown as "Ted" ==> OK

(0002597)
alex   
2011-10-12 22:53   
I know this scenario of Indonesian names and indeed the given information is correct.

Place holders like "LNU" (probably Last Name Unknown) or "Onbekent" (NL) are not helpful since the name actually consists of only one name. It is different from the identification that some part is unknown. Even worse the scenario to double the name. We will have difficulties in the future when we merge the names to just one string which is - in my opinion - the best solution in this case.

Please check what is filled into the first name field, e.g. in Ted's case. In my opinion the only valid solution is that the first name must be blank. Then it may be ok, if currently not 100% correct - the column is called "last name" - but future-proof.
(0002610)
Uli60   
2011-10-19 23:45   
(Last edited: 2011-10-19 23:59)
please read the original report =>
Indonesian Names => Givenname only
so moving Givenname into the Surname field is not an option
a givenname is a givenname is a givenname
and not a surname or lastname (!)

To prioritize givenname or lastname from German PoV is to give the lastname higher priority, but moving to the common world PoV the givenname becomes higher priority (see sorting order in email systems)
A German IT admin writes "Cock, Thomas", an US IT admin writes "Thomas Cock"
CAcert is based on common law and is based on an international standard, so the first givenname, 2nd lastname variant is the more precise variant that should be followed.

AO

(0002618)
NEOatNHNG   
2011-10-20 19:20   
I have reviewed the changes and they're acceptable per se. There is at least one place where an email starts with "Hi $fname," which will then become "Hi ," but I think that's about acceptable. However, there might be more critical places I have overlooked; this needs thorough testing.

Regarding giving the last name more priority than the first name: The sorting order depends highly on your personal feelings and changes heavily from company to company even within countries. AFAIK it's more common to call each colleague by their first name except your boss/higher management that's why often sorting by first name makes sense. Your mileage may vary by the formality of the context.

In western cultures I think there is no exception that when the context is more formal preference is given to the last name. For example you would always say "Mr. Doe" (e.g. for a teacher) "Prof. Dr. Knuth" and "President Obama" or "Chancellor Merkel" instead of "Mr. John", "Prof. Dr. Donald Ervin", "President Barack" or "Chancellor Angela".

Apart from that, the point that a given name is a given name and we maybe shouldn't mix those up may still hold. In that case we could just specify that at least one of them has to be given (there might be countries with only last names) and let the assurers figure out the rest for us. I haven't looked into whether this would cause major problems if the last name is missing somewhere in the system however.
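The two versions of the signup check under discussion in this bug (the original `||` that rejects any blank field and the `and` proposed in note 0002521 that rejects only two blank fields), together with a greeting that does not degrade to the "Hi ," mentioned in note 0002618, as an added example rather than code from the CAcert repository. `$signup` stands in for `$_SESSION['signup']`, the helper names are assumptions, and the sample names are constructed from the accounts mentioned in this thread.

```php
<?php
// Added example, not code from the CAcert repository: the signup name check
// before and after the change proposed in this bug, plus a greeting that does
// not degrade to "Hi ," for a single-name member. $signup stands in for
// $_SESSION['signup']; the helper names and sample data are constructed.

/** Original check: either field blank is an error (rejects single names). */
function names_blank_original(array $signup): bool
{
    return $signup['fname'] == "" || $signup['lname'] == "";
}

/** Proposed check (note 0002521): an error only when both fields are blank. */
function names_blank_proposed(array $signup): bool
{
    return $signup['fname'] == "" && $signup['lname'] == "";
}

/**
 * Whitespace-only input must count as blank, otherwise " " in one field
 * would satisfy the check without the member having a name there at all.
 * Returns null when the signup is acceptable, otherwise the error text.
 */
function check_signup(array $signup): ?string
{
    $signup['fname'] = trim($signup['fname'] ?? '');
    $signup['lname'] = trim($signup['lname'] ?? '');
    if (names_blank_proposed($signup)) {
        return 'First and/or last names were blank.';
    }
    return null;
}

/** Builds "Hi <name>," from whichever name parts are present. */
function greeting(array $signup): string
{
    $name = trim(($signup['fname'] ?? '') . ' ' . ($signup['lname'] ?? ''));
    return 'Hi ' . $name . ',';
}

// Constructed cases: a two-part name, a single name in either field (the
// setups from note 0002620), and whitespace-only input.
$cases = [
    ['fname' => 'Thomas',        'lname' => 'Cock'],
    ['fname' => '',              'lname' => 'Indonesianboy'],
    ['fname' => 'Indonesianboy', 'lname' => ''],
    ['fname' => '   ',           'lname' => ''],
];
foreach ($cases as $c) {
    printf("%-48s original=%-5s proposed=%-5s %s\n",
        json_encode($c),
        names_blank_original($c) ? 'error' : 'ok',
        check_signup($c) === null ? 'ok' : 'error',
        greeting($c));
}
```

The original check reports an error for both single-name cases, the proposed one accepts them whichever field the name is placed in, and the whitespace-only case is still rejected because the fields are trimmed before the test. The greeting shows why the mail template matters: with an empty fname the only way to avoid "Hi ," is to build the salutation from whatever parts exist rather than from fname alone.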
(0002620)
Uli60   
2011-10-20 20:48   
(Last edited: 2011-10-20 21:34)
create new user:
Givenname:
Lastname: Indonesianboy
email: bug920.user1@
ca-mgr1: set assurer challenge, batch assurance 25 times
login to user bug920.user1@
my details
 - enable my listing
 - location: setting Frankfurt
 - my points: 25 assurances done
logout, login to another user
WoT find assurer:
results in: I

create new user:
Givenname: Indonesianboy
Lastname:
email: bug920.user2@
results in error
Last name is blank. If your name consists only of a single part please use the last name field.

=> fail from my PoV

references to read:
http://en.wikipedia.org/wiki/Given_name
http://en.wikipedia.org/wiki/Mononym#Countries_where_mononyms_are_normal
http://en.wikipedia.org/wiki/Surname


login bug920.user1@
100 assurance points, 50 experience points

new client cert
does not allow to select a name => No Name
E = bug920.user1@...
CN = CAcert WoT User
=> fail

Email rcvd:
-------------------------------------------------------------------------
Hi ,

You can collect your certificate for bug920.user1@... by going to the following location: ...
-------------------------------------------------------------------------

(0002704)
Ted   
2011-11-17 23:04   
So, what's the proposal? Should a single name go into fname or is the user free to choose?

BTW, it's hard for me to see the relevance, since on the CAP form, as well as in the Assurance web application it's not possible for an Assurer to decide if a single name is entered in the fname or the lname field!

I'd accept Michael's point that using fname as the compulsory field will save us some (minor) problems elsewhere.
(0002705)
INOPIAE   
2011-11-19 07:59   
I just tested the creation of a new user with a single name:
Only first name entered => Error message => OK
Only last name entered => Account created => OK

TMS Granted 50 points
Try to create a new certificate, no choice to choose name for certificate
Changed as SE to only first name => accepted => should not be allowed
Try to create a new certificate, no choice to choose name for certificate
Changed as SE to first and last name
Try to create a new certificate, choice for name is given

Try to create an account where first and last name are the same => account created
Should there not in this case at least be a notification that both entries are the same? I am not quite sure if there is the possibility to have the same first and last name. I know under German law it is not allowed, but that is not international.

What should be done if we change to any proposal to allow just one name is to point out to the users where to place the single name and that they are only allowed to enter personal data and not company names.
(0002812)
Uli60   
2012-01-30 23:37   
documentation from Software-Assessment project team meetings Dec 2011, Jan 2012

  1. [[https://bugs.cacert.org/view.php?id=920|bug 0000920]] Join - single name only (eg Indonesian)
   * details under bug number
   * presented to Policy Group
   * first results from policy group?
    * dirk has made some changes in 6.php last year
    * there are 4 possible choices:
     1. givenname
     1. lastname (as current fix)
     1. givenname or lastname
     1. brians proposal, mononym + checkbox
    * dirks proposal:
     * make name handling more AP conform (1 line names, multiple names)
    * 2 possible paths:
     1. allow multiple names (dirks proposal) is massive change (long term change)
     1. "simple" solution (short term change)
    * global re-design
     * eg users view
     * 43.php, multiple views
(0002813)
Uli60   
2012-01-30 23:39   
# dirk has made some changes in 6.php last year
# there are 4 possible choices:

   1. givenname
   2. lastname (as current fix)
   3. givenname or lastname
   4. brians proposal, mononym + checkbox

# dirks proposal:

    * make name handling more AP conform (1 line names, multiple names)

# 2 possible paths:

   1. allow multiple names (dirks proposal) is massive change (long term change)
   2. "simple" solution (short term change)

# global re-design

    * eg users view
    * 43.php, multiple views


View Issue Details
ID: 988
Category: [Main CAcert Website] web of trust
Severity: feature
Reproducibility: N/A
Date Submitted: 2011-09-30 12:29
Last Update: 2015-10-20 20:14
Reporter: Uli60
Platform:
Assigned To: Eva
OS:
Priority: normal
OS Version:
Status: needs review & testing
Product Version:
Product Build:
Resolution: open
Projection: none
ETA: none
Fixed in Version:
Target Version:
Reviewed by: BenBE
Test Instructions:
Summary: TTP CAP form deployment
Description: current deployment of TTP-assisted-assurance process
defines that ttp-assuree sends a request for ttp-assisted-assurance
to support@c.o that gets moved into the ttpadmins queue or forwarded
into ttpadmins mailing list
one of the appointed ttpadmins picks up the request and prepares
a ttpcap form given by the users email address (to be the
ttp-assurees primary email address of the yet created user account)

the info from assuree + infos about ttpadmin (postal address) will be inserted into the ttpcap form and offered to be printed to pdf by the ttpadmin
ttpadmin sends the prepared pdf ttpcap form to the requesting assuree
who now prints out the pdf and visits a TTP
the TTP now sends the prepared and filled out ttpcap to the postal address given with the ttpcap form
the ttpcap received by the ttpadmin is now the basis of the ttp-assisted-assurance

Tags:
Steps To Reproduce:
Additional Information: the proposed procedure has some advantages and some disadvantages
advantages:
 - the country of the user can be checked (ttp allowed country?)
 - the user account can be checked against existing ttp assurances
   (2nd, 3rd ttp-assisted assurance?) and the process can automatically
   display warnings to the ttpadmin if the requirements aren't fulfilled
 - the user's data is inserted into the ttpcap as entered into the
   CAcert online account including used primary email address
 - process does not need a check by the TTP to request for the primary email
   address of the user

disadvantage:
 - user's data (name, dob, primary email) is disclosed to the ttpadmin
   before the assurance process starts (request for assurance is only given
   by email, not signed on paper at this stage of the process)
   signed paper will be later received by the ttpadmin

Attached Files: bug988-20111001.zip (65,210 bytes) 2011-10-01 14:37
http://bugs.cacert.org/file_download.php?file_id=243&type=bug
Notes
(0002562)
Uli60   
2011-10-01 14:43   
(Last edited: 2011-10-01 14:55)
sneak preview (case study) for ttpcap deployment
(includes current changes related to wot.php and account.php active on testserver)
to be used on a local developers testserver image only
/includes/account_stuff.php
  that replaces a) ttp info -> /pages/wot/4.php
  that adds new submenu under WoT b) ttpcap -> /pages/wot/16.php
  links

ttpcap preparation:
starts in
/pages/wot/16.php
  transfers to
/pages/wot/17.php
  and continues in
/www/wot.php
  and finishes with
/www/ttpcap.php (includes /www/ttpcapus.php)

helper functions from:
 /includes/account.php
 /includes/wot.inc.php

multiple ttp assurance methods I've added for debugging purposes only
"TTP assisted assurance #1", "TTP assisted assurance 0000002", "TTP assisted assurance #n", "TTP TOPUP"
for production the method has to be limited to
"TTP assisted assurance" and "TTP TOPUP" (or similar naming) only

(0003922)
INOPIAE   
2013-04-26 08:05   
I applied a fix to the github:
https://github.com/INOPIAE/CAcert/commit/1cd4426c33f0a624a7c652e69f9ead156bd35764
(0004317)
INOPIAE   
2013-09-14 12:10   
I applied a new fix to https://github.com/INOPIAE/CAcert/commit/2663878967145d97ab2178fbdea69a92b246aef2
(0004320)
INOPIAE   
2013-09-14 16:55   
I applied a new fix to https://github.com/INOPIAE/CAcert/commit/a188b3b6a45b9ed44c571ccd079753546a2317c3
(0004325)
INOPIAE   
2013-09-14 21:27   
I applied a new fix to https://github.com/INOPIAE/CAcert/commit/3d413c4275e8ae070bbad57c484a09d35265064d
(0004339)
Uli60   
2013-09-17 22:28   
login assurer with TTPadmin flag set
step 1:
- WoT - Assure Someone
at bottom of page: show TTP CAP details
opens new page -> ok

(instructions for TTP admins under
https://wiki.cacert.org/TTP/TTPadmins#task1 created)

fill lines1..lines5 with full postal address (incl. name!) -> ok
select country the assuree comes from -> currently 4 -> ok
click [create TTP CAP pdf file]
=> ok

PDF: page 1 - full addr -> ok
=> ok

page 2: CAcert postal addr -> ok
root cert fingerprints -> ok
line 7. text -> (http://www.cacert.org/policy/CAcertCommunityAgreement.php)
         please change to .html (according to bug 1131)
=> one minor fix required

page 3:
line 1: Cacert.org (lower a -> upper A) => typo
line 3: same => typo

top 4 ... As the Practice on Names policy ...
        PoN is a guide / document

top 17 inster => insert (typo)
=> minor typos

page 4 (CCA)
CAcert postal addr -> ok
roots fingerprints -> ok

page 6 (CCA cont. (cca page 3))
CPS link .php -> .html (according to bug 1131)
DRP link .php -> .html (according to bug 1131)
Privacy Policy wrong link file:///C|/Tmp/PrivacyPolicy.html
          should be: http://www.cacert.org/policy/PrivacyPolicy.html
Principles link -> ok
=> 3 links to correct
(0004341)
INOPIAE   
2013-09-20 06:12   
(Last edited: 2013-09-20 06:29)
added new fix to github https://github.com/INOPIAE/CAcert/commit/8fbe6786693a471a789483ff9280525c30ff2ee4
It only fixes the WebDB side not the pdf creation.

(0004342)
INOPIAE   
2013-09-20 14:44   
Comment to https://bugs.cacert.org/view.php?id=988#c4339
All information from page 4 onwards is created from the original CCA document on the server, so changes can be neglected in this bug.
(0004350)
Uli60   
2013-09-24 16:00   
http://bugs.cacert.org/view.php?id=988#c4342 statement is wrong !
the
page 6 (CCA cont. (cca page 3))
CPS link .php -> .html (according to bug 1131)
DRP link .php -> .html (according to bug 1131)
Privacy Policy wrong link file:///C|/Tmp/PrivacyPolicy.html
          should be: http://www.cacert.org/policy/PrivacyPolicy.html
Principles link -> ok

problem is a problem of bug 988 as the original
http://cacert1.it-sls.de/policy/CAcertCommunityAgreement.html
still has

link 1:
orig cca: https://www.cacert.org/policy/CertificationPracticeStatement.html
 -> ok
pdf cca: http://www.cacert.org/policy/CertificationPracticeStatement.php
 -> not ok

link 2:
orig cca: https://www.cacert.org/policy/DisputeResolutionPolicy.html
 -> ok
pdf cca: http://www.cacert.org/policy/DisputeResolutionPolicy.php
 -> not ok

link 3:
orig cca: https://www.cacert.org/policy/PrivacyPolicy.html
 -> ok
pdf cca: file:///C:/Temp/PrivacyPolicy.html
 -> not ok

link 4:
orig cca: https://svn.cacert.org/CAcert/principles.html
 -> ok
pdf cca: http://svn.cacert.org/CAcert/principles.html
 -> ok

=> needs work
(0004351)
INOPIAE   
2013-09-24 19:11   
(Last edited: 2013-09-24 19:12)
Comment to https://bugs.cacert.org/view.php?id=988#c4350

As stated before in https://bugs.cacert.org/view.php?id=988#c4342
All information from page 4 onwards is created from the original CCA document on the server, so changes can be neglected in this bug.
So the problem with the links needs to be solved by exchanging the CCA document on the server and not as part of this bug fix.

(0004355)
Eva   
2013-09-24 22:14   
I got to the "assure someone" page with a TTP-assurer account on an assuree account that had 0 assurance points and 0 assurances.

I got the option to assure someone face-to-face or TTP-assisted.
Below the assurance form appears a link "Show TTP details".

The link shows a form with information about the TTP and total assurance and experience points of the assuree (the label there is wrong, but that does not affect the process which should be tested here).

Below there is a table with the personal information of the Assuree and a drop-down menu to select a country.

Afterwards there are 5 lines for the address of the assurer, followed by a button to create a TTP CAP pdf file (I would use some "-" in this label).

The button creates a pdf file with the above information integrated at the correct points.

I did not test the rest of the pdf file.

However I tried to enter a bunch of different symbols in the address fields. Most of them were added correctly to the pdf file.

Some very curious ones and a symbol from the Cyrillic table were not shown correctly.
The symbols I could not read in the PDF were: ṸḘᵆᴭѢƣ
However they appeared marked as unwritable symbols.

Below the button to create the pdf file was a back button which brought me back to the correct assurance page.

I chose "TTP-Assisted", filled in a location and checked all the boxes but the "I believe ..." box and added 35 points.

Above the box I skipped there is a text saying that I should only check it if the Assurance was face to face.

When I tried to confirm the assurance I got an error message that I need to check all boxes.

When I had checked all boxes, the assurance was accepted.

!!!!!
!!!Every time the page was left (or an error message was added), the dropdown menu for TTP Assured was reset to Face to Face Meeting.!!!
This is very annoying and something that is bound to create wrong assurances, even if it is not a failure for this test.
!!!!!

Afterwards the assurance showed as TTP-Assisted in
- the points overview of the assurer
- the list of assurances got by the assuree
- the list of assurances given by the assurer.

The assurer got a mail about the assurance (TTP was not mentioned).
The assuree got a mail about the assurance (TTP was not mentioned).
==> ok


I tried the same on an account with 1 face to face and 1 ttp assurance with 70 points total.
The points were displayed correctly, and I got the same results (respectively). I did not check the mail of the assuree.
==> ok

I tried the same on an account with 2 ttp assurances and 70 points total.
I could not print the pdf-file, everything else was the same as above.
==> ok

I tried the same on an account with 2 face to face and 1 ttp assurance with 100 points total.
I got the same results as with the last one.
==> ok

I tried the same on an account with only face to face assurances with 100 points total.
I got the same results as with the last one.
==> ok


Overall: ok
(However it would be nice if the drop-down menu would not reset all the time.)


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1043 [Main CAcert Website] source code minor have not tried 2012-05-31 03:51 2015-10-20 20:14
Reporter: INOPIAE Platform:  
Assigned To: Eva OS:  
Priority: normal OS Version:  
Status: needs review & testing Product Version: 2012 Q2  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Reviewed by: BenBE
Test Instructions:
Summary: Review the code regarding the new point calculation in ./stamp/common.php
Description: Check if the point calculation is adjusted according to the new points calculation.
Tags:
Steps To Reproduce:
Additional Information:
Attached Files:
There are no notes attached to this issue.


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1061 [Main CAcert Website] source code minor have not tried 2012-05-31 04:05 2015-10-20 20:14
Reporter: INOPIAE Platform:  
Assigned To: Eva OS:  
Priority: normal OS Version:  
Status: needs review & testing Product Version: 2012 Q2  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version: 2015 Q2  
Reviewed by: BenBE
Test Instructions:
Summary: Review the code regarding the new point calculation in ./CommModule/usbclient.pl
Description: Check if the point calculation is adjusted according to the new points calculation.
Tags:
Steps To Reproduce:
Additional Information:
Attached Files:
Notes
(0005247)
felixd   
2015-01-20 21:07   
The code was old, and can be deleted:
https://github.com/yellowant/cacert-devel/commits/bug-1061
(0005378)
Eva   
2015-04-21 19:30   
please add test instructions if this has to / can be tested.


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1046 [Main CAcert Website] source code minor have not tried 2012-05-31 03:55 2015-10-20 20:14
Reporter: INOPIAE Platform:  
Assigned To: Eva OS:  
Priority: normal OS Version:  
Status: needs review & testing Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Reviewed by:
Test Instructions:
Summary: Review the code regarding the new point calculation in ./scripts/cron/updatesort.php
Description: Check if the point calculation is adjusted according to the new points calculation.
Tags:
Steps To Reproduce:
Additional Information:
Attached Files:
Notes
(0005377)
felixd   
2015-04-14 20:28   
A fix for the code (that was moved in the meantime) is here:
https://github.com/yellowant/cacert-devel/commits/bug-1046


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1062 [Main CAcert Website] source code minor have not tried 2012-05-31 04:05 2015-10-20 20:14
Reporter: INOPIAE Platform:  
Assigned To: Eva OS:  
Priority: normal OS Version:  
Status: needs review & testing Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Reviewed by:
Test Instructions:
Summary: Review the code regarding the new point calculation in ./CommModule/client.pl
Description: Check if the point calculation is adjusted according to the new points calculation.
Tags:
Steps To Reproduce:
Additional Information:
Attached Files:
Notes
(0005376)
felixd   
2015-04-14 19:36   
A fix is here: https://github.com/yellowant/cacert-devel/tree/bug-1062


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1060 [Main CAcert Website] source code minor have not tried 2012-05-31 04:04 2015-10-20 20:14
Reporter: INOPIAE Platform:  
Assigned To: Eva OS:  
Priority: normal OS Version:  
Status: needs review & testing Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Reviewed by:
Test Instructions:
Summary: Review the code regarding the new point calculation in ./pages/wot/1.php
Description: Check if the point calculation is adjusted according to the new points calculation.
Tags:
Steps To Reproduce:
Additional Information:
Attached Files:
Notes
(0005374)
felixd   
2015-04-07 20:47   
Fix is available here: https://github.com/yellowant/cacert-devel/commits/bug-1060


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1059 [Main CAcert Website] source code minor have not tried 2012-05-31 04:03 2015-10-20 20:14
Reporter: INOPIAE Platform:  
Assigned To: Eva OS:  
Priority: normal OS Version:  
Status: needs review & testing Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Reviewed by:
Test Instructions:
Summary: Review the code regarding the new point calculation in ./pages/wot/9.php
Description: Check if the point calculation is adjusted according to the new points calculation.
Tags:
Steps To Reproduce:
Additional Information:
Attached Files:
Notes
(0005373)
felixd   
2015-04-07 20:41   
A fix is here: https://github.com/yellowant/cacert-devel/commits/bug-1059


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1058 [Main CAcert Website] source code minor have not tried 2012-05-31 04:03 2015-10-20 20:14
Reporter: INOPIAE Platform:  
Assigned To: Eva OS:  
Priority: normal OS Version:  
Status: needs review & testing Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Reviewed by:
Test Instructions:
Summary: Review the code regarding the new point calculation in ./pages/account/55.php
Description: Check if the point calculation is adjusted according to the new points calculation.
Tags:
Steps To Reproduce:
Additional Information:
Attached Files:
Notes
(0005372)
felixd   
2015-04-07 20:37   
a fix is here: https://github.com/yellowant/cacert-devel/commits/bug-1058


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1057 [Main CAcert Website] source code minor have not tried 2012-05-31 04:02 2015-10-20 20:14
Reporter: INOPIAE Platform:  
Assigned To: Eva OS:  
Priority: normal OS Version:  
Status: needs review & testing Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Reviewed by:
Test Instructions:
Summary: Review the code regarding the new point calculation in ./pages/account/52.php
Description: Check if the point calculation is adjusted according to the new points calculation.
Tags:
Steps To Reproduce:
Additional Information:
Attached Files:
Notes
(0005371)
felixd   
2015-04-07 20:29   
In bug https://bugs.cacert.org/view.php?id=1355 this file will be removed.


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1055 [Main CAcert Website] source code minor have not tried 2012-05-31 04:01 2015-10-20 20:14
Reporter: INOPIAE Platform:  
Assigned To: Eva OS:  
Priority: normal OS Version:  
Status: needs review & testing Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Reviewed by:
Test Instructions:
Summary: Review the code regarding the new point calculation in ./includes/lib/account.php
Description: Check if the point calculation is adjusted according to the new points calculation.
Tags:
Steps To Reproduce:
Additional Information:
Attached Files:
Notes
(0005369)
felixd   
2015-04-07 20:13   
Fix is here: https://github.com/yellowant/cacert-devel/commits/bug-1055


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1053 [Main CAcert Website] source code minor have not tried 2012-05-31 04:00 2015-10-20 20:14
Reporter: INOPIAE Platform:  
Assigned To: Eva OS:  
Priority: normal OS Version:  
Status: needs review & testing Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Reviewed by:
Test Instructions:
Summary: Review the code regarding the new point calculation in ./includes/account.php
Description: Check if the point calculation is adjusted according to the new points calculation.
Tags:
Steps To Reproduce:
Additional Information:
Attached Files:
Notes
(0005367)
felixd   
2015-04-07 19:18   
A fix (dependent on the one for www/index.php) is available here:
https://github.com/yellowant/cacert-devel/commits/bug-1053


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1052 [Main CAcert Website] source code minor have not tried 2012-05-31 03:59 2015-10-20 20:14
Reporter: INOPIAE Platform:  
Assigned To: Eva OS:  
Priority: normal OS Version:  
Status: needs review & testing Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Reviewed by:
Test Instructions:
Summary: Review the code regarding the new point calculation in ./includes/loggedin.php
Description: Check if the point calculation is adjusted according to the new points calculation.
Tags:
Steps To Reproduce:
Additional Information:
Attached Files:
Notes
(0005366)
felixd   
2015-04-07 19:14   
A fix is available here:
https://github.com/yellowant/cacert-devel/commits/bug-1052

(depends on the fix for www/index.php)


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1047 [Main CAcert Website] source code minor have not tried 2012-05-31 03:56 2015-10-20 20:14
Reporter: INOPIAE Platform:  
Assigned To: Eva OS:  
Priority: normal OS Version:  
Status: needs review & testing Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Reviewed by:
Test Instructions:
Summary: Review the code regarding the new point calculation in ./www/index.php
Description: Check if the point calculation is adjusted according to the new points calculation.
Tags:
Steps To Reproduce:
Additional Information:
Attached Files:
Notes
(0005365)
felixd   
2015-04-07 19:07   
A patch is here: https://github.com/yellowant/cacert-devel/commits/bug-1047


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1048 [Main CAcert Website] source code minor have not tried 2012-05-31 03:56 2015-10-20 20:14
Reporter: INOPIAE Platform:  
Assigned To: Eva OS:  
Priority: normal OS Version:  
Status: needs review & testing Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Reviewed by:
Test Instructions:
Summary: Review the code regarding the new point calculation in ./www/api/ccsr.php
Description: Check if the point calculation is adjusted according to the new points calculation.
Tags:
Steps To Reproduce:
Additional Information:
Attached Files:
Notes
(0005330)
felixd   
2015-02-24 21:51   
I would suggest to delete this unused and old API interface.

A patch for that is here:

https://github.com/yellowant/cacert-devel/tree/bug-1048


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1044 [Main CAcert Website] source code minor have not tried 2012-05-31 03:52 2015-10-20 20:14
Reporter: INOPIAE Platform:  
Assigned To: Eva OS:  
Priority: normal OS Version:  
Status: needs review & testing Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Reviewed by:
Test Instructions:
Summary: Review the code regarding the new point calculation in ./scripts/addpoints.php
Description: Check if the point calculation is adjusted according to the new points calculation.
Tags:
Steps To Reproduce:
Additional Information:
Attached Files:
There are no notes attached to this issue.


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1056 [Main CAcert Website] source code minor have not tried 2012-05-31 04:02 2015-10-20 20:14
Reporter: INOPIAE Platform:  
Assigned To: Eva OS:  
Priority: normal OS Version:  
Status: needs review & testing Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Reviewed by:
Test Instructions:
Summary: Review the code regarding the new point calculation in ./pages/account/43.php
Description: Check if the point calculation is adjusted according to the new points calculation.
Tags:
Steps To Reproduce:
Additional Information:
Attached Files:
Notes
(0005370)
felixd   
2015-04-07 20:24   
the code is currently providing a "dual view" over both the new and the old calculation.


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1360 [Main CAcert Website] GPG/PGP major always 2015-01-16 12:25 2015-10-20 20:14
Reporter: wytze Platform:  
Assigned To: Eva OS:  
Priority: normal OS Version:  
Status: needs review Product Version: 2015 Q1  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version: 2015 Q1  
Reviewed by: BenBE
Test Instructions: See Steps to Reproduce
Summary: signing of gpg keys stalls due to missing directory, and also causes delays for X.509 certificate signing and revocation
Description: The signing of gpg keys by the CAcert application may stall due to a missing directory for storing the signed keys.

The current code allocates a new subdirectory for every 1000 signed keys, but the code to create this new subdirectory is missing for the gpg case (it is present though for the X.509 case). The CommModule client.pl code attempts to write the signed gpg key to a file in this non-existing directory and fails, which leads eventually to an error message: "Could not find the issued gpg key.". However, the same request will be retried over and over without limit, causing delays for all signing requests, including X.509 certificates.
Tags:
Steps To Reproduce: Remove empty subdirectories under /home/cacert/www/crt/gpg.
Then issue more than 1000 gpg signing requests, so somewhere along the line a new subdirectory is needed.
Additional Information: As a work-around, a number of subdirectories have been pre-created on the production server, so this failure will not occur again anytime soon, even without a code fix.

The problem is in this code fragment from CommModule/client.pl:

sub HandleGPG()
{
  my $sth = $dbh->prepare("select * from gpg where crt='' and csr!='' ");
  $sth->execute();
  my $rowdata;
  while ( $rowdata = $sth->fetchrow_hashref() )
  {
    my %row=%{$rowdata};

    my $prefix="gpg";
    my $short=int($row{'id'}/1000);
    my $csrname = "../csr/$prefix-".$row{'id'}.".csr";
    $csrname = "../csr/$prefix/$short/$prefix-".$row{'id'}.".csr" if($newlayout);
    SysLog("New Layout: "."../csr/$prefix/$short/$prefix-".$row{'id'}.".csr\n");

    #my $crtname = "../crt/$prefix-".$row{'id'}.".crt";
    my $crtname=$csrname; $crtname=~s/^\.\.\/csr/..\/crt/; $crtname=~s/\.csr$/.crt/;
    SysLog("New Layout: $crtname\n");

The following code should be inserted before the last line:

    my $dirname=$crtname; $dirname=~s/\/[^\/]*\.crt//;
    mkdir $dirname,0755;

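An added illustration in Python (not the project's Perl code) of the per-1000-ids directory layout described above and of why the write fails without the mkdir; the function names, the temporary base directory and the sample ids are constructed for this demo.

```python
import os
import re
import tempfile

# Added illustration of the CommModule "new layout" for signed gpg keys:
# one subdirectory per 1000 database ids. Function names and the temporary
# base directory are constructed for this demo; client.pl uses ".." instead.

def shard(row_id: int) -> int:
    """Subdirectory index, as int($row{'id'}/1000) in client.pl."""
    return row_id // 1000

def csr_name(base: str, prefix: str, row_id: int, newlayout: bool = True) -> str:
    """Mirror of the csr path built in HandleGPG()."""
    if newlayout:
        return f"{base}/csr/{prefix}/{shard(row_id)}/{prefix}-{row_id}.csr"
    return f"{base}/csr/{prefix}-{row_id}.csr"

def crt_name(csrname: str, base: str) -> str:
    r"""Derive the crt path from the csr path, like the two Perl substitutions
    s/^\.\.\/csr/..\/crt/ and s/\.csr$/.crt/ (with "base" instead of "..")."""
    name = re.sub("^" + re.escape(base + "/csr"), base + "/crt", csrname)
    return re.sub(r"\.csr$", ".crt", name)

def write_signed_key(crtname: str, data: bytes, create_dir: bool) -> bool:
    """Store the signed key. create_dir=False reproduces the original code:
    the shard directory for the first id of a new block of 1000 does not
    exist yet, so the write fails (and client.pl would retry it without limit).
    create_dir=True applies the proposed fix: create the directory first."""
    if create_dir:
        # equivalent of: my $dirname=$crtname; $dirname=~s/\/[^\/]*\.crt//;
        #                mkdir $dirname,0755;
        os.makedirs(os.path.dirname(crtname), mode=0o755, exist_ok=True)
    try:
        with open(crtname, "wb") as fh:
            fh.write(data)
        return True
    except FileNotFoundError:
        return False

def demo() -> dict:
    """Signed keys 0..999 live in crt/gpg/0; id 1000 needs crt/gpg/1."""
    base = tempfile.mkdtemp()
    os.makedirs(f"{base}/crt/gpg/0")  # constructed: shard 0 already exists
    results = {}
    for row_id, fixed in ((999, False), (1000, False), (1000, True)):
        crt = crt_name(csr_name(base, "gpg", row_id), base)
        results[(row_id, fixed)] = write_signed_key(crt, b"signed key", fixed)
    return results

if __name__ == "__main__":
    # {(999, False): True, (1000, False): False, (1000, True): True}
    print(demo())
```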
Attached Files:
Notes
(0005242)
wytze   
2015-01-16 12:28   
See https://lists.cacert.org/wws/arc/cacert-systemlog/2015-01/msg00015.html
(0005244)
BenBE   
2015-01-16 17:57   
The change was performed slightly different than suggested to remove a minor code duplication in the process and also ensure all paths are built based on the directory name.
(0005254)
felixd   
2015-01-20 23:02   
Test:

I issued enough pgp signatures for the pgp-signer daemon to require a new directory (around 200).
I was told that the signer created that new directory.

Test is therefore PASSED.
(0005256)
INOPIAE   
2015-01-21 20:39   
I created certs for client and org server certificates.
For both certs the new directory was created.

=> ok


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1317 [Main CAcert Website] GPG/PGP major always 2014-10-29 00:02 2015-10-20 20:14
Reporter: janmaco Platform:  
Assigned To: Eva OS:  
Priority: normal OS Version:  
Status: needs review Product Version: 2014 Q3  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version: 2015 Q1  
Reviewed by: BenBE
Test Instructions: Try to sign a mail address with a plus sign in it.
Summary: Weak email sanity check when adding a new PGP key
Description: I tried to sign a PGP key with an email address containing a + (like test+a@example.tld). Using such an e-mail results in an error (No valid uid).
Tags:
Steps To Reproduce: Create a PGP key with an email address containing a '+' -> paste it to the "Add PGP key" form
Additional Information: A cause may be located in incomplete regexes;
www/gpg.php:381
if (preg_match("/<([\w.-]*\@[\w.-]*)>/", $bits[9],$match)) {
    //echo "Found: ".$match[1];
    $mail = trim(gpg_hex2bin($match[1]));
}
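An added, constructed comparison in Python (re instead of PHP preg_match; not the project's patch) of the uid pattern quoted above against a variant that admits '+' in the local part; the hardened pattern, the unescape helper and the sample uid strings are assumptions made for this demo.

```python
import re
from typing import Optional

# The pattern quoted from www/gpg.php:381 (PCRE and Python re agree on it).
OLD_UID_RE = re.compile(r"<([\w.-]*@[\w.-]*)>")

# Assumed hardened variant (not the project's patch): '+' is allowed in the
# local part, the local part must be non-empty and the domain needs a dot.
NEW_UID_RE = re.compile(r"<([\w.+-]+@[\w.-]+\.[A-Za-z0-9-]+)>")

def unescape_colon_field(field: str) -> str:
    """gpg --with-colons writes ':' and non-printables as \\xNN escapes;
    the PHP code passes the match through gpg_hex2bin() for that reason."""
    return re.sub(r"\\x([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1), 16)), field)

def extract_mail(uid_field: str, pattern: re.Pattern = NEW_UID_RE) -> Optional[str]:
    """Return the address inside <...> of a uid field, or None when the
    uid is rejected (the "No valid uid" error in the web application)."""
    m = pattern.search(uid_field)
    return unescape_colon_field(m.group(1)).strip() if m else None

def compare(uid_field: str) -> tuple:
    """(result with the old pattern, result with the new pattern)."""
    return extract_mail(uid_field, OLD_UID_RE), extract_mail(uid_field, NEW_UID_RE)

# Constructed uid fields (field 10, $bits[9], of gpg --with-colons output).
SAMPLES = {
    "plain":  "Test User <test@example.tld>",
    "plus":   "Test User <test+a@example.tld>",  # the case from this bug
    "broken": "Test User <not-an-address>",      # must stay rejected
}

if __name__ == "__main__":
    for name, uid in SAMPLES.items():
        print(name, compare(uid))
```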
Attached Files:
Notes
(0005237)
janmaco   
2015-01-14 10:59   
(Last edited: 2015-01-14 11:17)
I have a patch for this bug here: https://github.com/yellowant/cacert-devel/commit/1439176e62ab63d6ab522b07ca18213e56c24bf4

(0005305)
Eva   
2015-02-03 21:25   
I created a pgp key for the address 1317+asterix@acme.com and added it to the account.

The key was signed. -> ok
The key contained the signature -> ok
The key contained the correct name and email address -> ok
The key was displayed correctly in the "view" overview for pgp keys -> ok

=> ok

(I did not test other special characters as only "+" seems to be added)
(0005342)
felixd   
2015-03-03 21:09   
I got a PGP key signed with an email address containing a "+". Keys with an incorrect email address still get rejected.

=> PASSED
(0005345)
Eva   
2015-03-03 21:14   
As there are two successfull tests, please do your review(s)


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1098 [test.cacert.org] mgr.test.cacert.org minor always 2012-09-11 22:58 2015-10-16 22:09
Reporter: Uli60 Platform:  
Assigned To: Ted OS:  
Priority: normal OS Version:  
Status: solved? Product Version:  
Product Build: Resolution: fixed  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Summary: logout from cats testserver under ca-mgr1 results in weak link
Description: logout from cats server (testserver on ca-mgr1)
results in link: https://cats1.it-sls.de//index.php?
                                        ^^

Tags:
Steps To Reproduce:
Additional Information:
Attached Files:
Notes
(0003193)
Ted   
2012-09-12 15:08   
What's the problem? Which link would you expect?
(0005386)
BenBE   
2015-05-09 08:46   
As far as I see it has a double // between its domain and the path component, but should have only one there.
(0005416)
INOPIAE   
2015-06-30 20:15   
The problem exists on the productive cats as well.

The double slash ("//") comes as soon as you login.
(0005417)
INOPIAE   
2015-06-30 20:55   
I pushed a fix to https://github.com/CAcertOrg/cats/commit/073c8756029f667b2dc146b22bdb67c6ba2c7f37.
Please see that the change needs to be transferred to productive system.
(0005472)
Ted   
2015-10-16 22:09   
The fix was (some time ago) merged into the release branch and is installed on the production system


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1376 [CATS.cacert.org] User Interface major always 2015-02-24 21:28 2015-10-16 22:02
Reporter: felixd Platform:  
Assigned To: Ted OS:  
Priority: normal OS Version:  
Status: needs review & testing Product Version: production  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Summary: Remove login_with_api.php
Description: login_with_api.php is not used and should be removed, as it is reachable directly.
Tags:
Steps To Reproduce:
Additional Information:
Attached Files:
Notes
(0005471)
Ted   
2015-10-16 22:02   
Created branch bug-1376 and merged into testserver branch


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1405 [CATS.cacert.org] Admin Interface minor N/A 2015-10-16 21:38 2015-10-16 22:00
Reporter: Ted Platform:  
Assigned To: Ted OS:  
Priority: normal OS Version:  
Status: needs review & testing Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Summary: Allow HTML tags in questions and answers
Description: It should be possible to use HTML tags in questions, answers and descriptions.

Potential abuse should not be a problem since all texts are reviewed before transferred to the production system.
Tags:
Steps To Reproduce:
Additional Information:
Attached Files:
Notes
(0005470)
Ted   
2015-10-16 22:00   
New branch bug-1405 created and merged into testserver branch


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1404 [CATS.cacert.org] User Interface tweak N/A 2015-10-12 20:28 2015-10-12 20:28
Reporter: Ted Platform:  
Assigned To: Ted OS:  
Priority: low OS Version:  
Status: new Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Summary: Cleanup CSS
Description: No real priority, but since I'm currently working with CSS in another project I want to streamline the CSS file and fix a few quirks...

Proposals are welcome, of course.
Tags:
Steps To Reproduce:
Additional Information:
Attached Files:
There are no notes attached to this issue.


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1127 [Main CAcert Website] translations minor always 2012-12-16 18:01 2015-09-29 20:45
Reporter: wytze Platform:  
Assigned To: BenBE OS:  
Priority: normal OS Version:  
Status: solved? Product Version: 2012 Q4  
Product Build: Resolution: fixed  
Projection: none      
ETA: none Fixed in Version: 2015 Q3  
    Target Version: 2014 Q2  
Reviewed by: NEOatNHNG, BenBE
Test Instructions:
Summary: messages.pot file created by www/locale/Makefile contains misleading file references
Description: The Makefile in www/locale contains a recipe for creating a messages.pot file, which is uploaded to the translations.cacert.org server for translation. Messages are extracted from a wildcarded list of files. Due to the presence of a symbolic link 'crl' which points to '.' in the ../www/ directory, this file list contains file names like ../www/crl/....php, i.e. files which cannot be found in the source tar ball of the CAcert web application. This is misleading, and also redundant, since the same files have already been processed through their ../www/....php filename.
Tags:
Steps To Reproduce: Go to www/locale and run 'make messages.pot'
Additional Information: In order to simplify the solution of this problem, the symbolic link 'crl' mentioned above has been renamed to 'CRL' (all uppercase). Thus a more selective wildcard (containing only directory names starting with a lowercase letter) can be used in the www/locale/Makefile recipe. This leads to the following fix for this problem:

cvs diff -u Makefile
Index: Makefile
===================================================================
RCS file: /var/lib/cvs/cacert/locale/Makefile,v
retrieving revision 1.2
diff -u -r1.2 Makefile
--- Makefile 29 Apr 2012 18:32:27 -0000 1.2
+++ Makefile 16 Dec 2012 16:43:51 -0000
@@ -144,7 +144,7 @@
 ../pages/*/*.php \
 ../scripts/*.php \
 ../www/*.php \
-../www/*/*.php \
+../www/[a-z]*/*.php \
 # ../tverify/*.php \
 # ../tverify/*/*.php \
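Review bot: the narrowed glob `../www/[a-z]*/*.php` only works because the 'crl' symlink was renamed to 'CRL' by hand on the server, and nothing in the Makefile records that dependency; add a comment above the pattern stating why directories starting with an uppercase letter are skipped, so that someone who later recreates the link as 'crl' does not silently reintroduce the duplicate ../www/crl/....php entries in messages.pot. Note also that the character class now excludes every directory under ../www/ whose name starts with a digit, underscore or uppercase letter, not only the CRL link; an explicit exclusion of that one link would be the narrower fix.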

This fix has been tested on the production server and the resulting messages.pot file has been uploaded to the translations server.
Attached Files: Makefile (3,933 bytes) 2012-12-16 18:01
http://bugs.cacert.org/file_download.php?file_id=304&type=bug
Notes
(0005462)
BenBE   
2015-09-29 20:38   
(Last edited: 2015-09-29 20:45)
After validation of the proposal by Wytze via mail regarding a20140422.2, sorry for the delay, the following thing is declared:

The change introduced by the Critical Administrator Team referenced in this bug tracker issue has caused no side effects or malfunctions. The behaviour is as it has been intended by the change.

Due to configuration changes done by the critical team in the meantime the change has become obsolete, but will be retained as it provides freedoms for the configuration of the server, while not impacting the software.

Thus while the introduction of this change did not quite follow the usual change management, this minor change is hereby accepted.

Benny Baumann
Software Assessment Team



View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1401 [Main CAcert Website] account administration major always 2015-09-09 07:08 2015-09-09 07:08
Reporter: wytze Platform: Default  
Assigned To: BenBE OS: any  
Priority: high OS Version: any  
Status: new Product Version: 2015 Q3  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version: 2015 Q3  
Reviewed by:
Test Instructions:
Summary: Names containing non-ascii characters are displayed incorrectly on the website
Description: This (anonymized) support request was received by critical-admin@cacert.org:

-------------------------------------------------------------------------------
My email: xxxxx
My first name: xxxxx
My middle name: xxxxx
My last name: Żxxxxx

However, my last name at https://www.cacert.org/account.php?id=13 (ie.
My Details View/Edit) is '&#379;xxxxx'

Where '&#379;' is a decimal html encoding of 'Ż'.

Unicode Decimal Code &#379;

Symbol Name:Latin Capital Letter Z With Dot Above
Html Entity:
Hex Code:&#x17b;
Decimal Code:&#379;
Unicode Group:Latin Extended-A

Could this be fixed in the database to be 'Żxxxxx' (presumably
correctly UTF-8 encoded)?
-------------------------------------------------------------------------------

critical-admin@cacert.org answered with:

-------------------------------------------------------------------------------
The database contains the &#379; encoding, which I believe to be correct
(according to the way the CAcert application code works in general).
The display is indeed not correct, which IMHO is caused by a code
change made on 7 June 2014, in particular the change to pages/account/13.php,
which is now passing the database values through the sanitizeHTML() function.
This function is transforming the & to &amp;, causing the first character of
this user's name to be passed to the browser as &0000379; which will result
in the bad display experienced by this user.

I suggest to file an issue on bugs.cacert.org for this problem, it requires
a (set of) code change(s) to fix it.

FYI: I have attached the checkin notification containing the offending
change -- unfortunately it was rather complex and large.
-------------------------------------------------------------------------------

The checkin notification mentioned above can be found at:

https://lists.cacert.org/wws/arc/cacert-systemlog/2014-06/msg00005.html

Unfortunately, the suggestion to report this issue on bugs.cacert.org was not followed up by CAcert Support. Hence critical-admin@cacert.org does it now.
Tags:
Steps To Reproduce: Register a name containing a special character like Ż and observe the way it is displayed on https://www.cacert.org/account.php?id=13
Additional Information:
System Description Default profile.
Attached Files:
There are no notes attached to this issue.
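The double-encoding described in the support thread above, reproduced as an added example (not CAcert's code): a name stored as the numeric entity `&#379;xxxxx` is escaped a second time at output, so the browser shows the entity text instead of Ż. `sanitize_html()`, `render_name_buggy()` and `render_name_fixed()` are hypothetical stand-ins for the page's `sanitizeHTML()` call and the pages/account/13.php output path.

```python
import html
import re

# Constructed sample: what the support request says the database holds for
# a user whose last name begins with U+017B (Ż), stored entity-encoded.
DB_LAST_NAME = "&#379;xxxxx"

# Matches decimal, hex and named HTML character references.
ENTITY_RE = re.compile(r"&(#\d+|#x[0-9a-fA-F]+|[A-Za-z][A-Za-z0-9]*);")


def sanitize_html(value: str) -> str:
    """Hypothetical stand-in for the page's sanitizeHTML(): escape for output."""
    return html.escape(value, quote=True)


def render_name_buggy(db_value: str) -> str:
    """Escape whatever the database holds. An already entity-encoded value is
    escaped again: '&#379;' becomes '&amp;#379;' and the browser then shows
    the literal text '&#379;' instead of Ż (the bug reported above)."""
    return sanitize_html(db_value)


def render_name_fixed(db_value: str) -> str:
    """Canonicalise first, escape once: decode any stored entities to real
    Unicode, then escape for output. A genuine '&' in a name still comes out
    as '&amp;', while Ż is emitted as the UTF-8 character itself."""
    canonical = html.unescape(db_value)
    return sanitize_html(canonical)


def browser_displays(markup: str) -> str:
    """What a browser shows for the given text-node markup."""
    return html.unescape(markup)


def stored_values_needing_migration(values):
    """Detection helper: stored values that still contain HTML character
    references, i.e. rows that should be converted to plain UTF-8 in the
    database so that escaping happens exactly once, at output."""
    return [v for v in values if ENTITY_RE.search(v)]
```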


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
932 [test.cacert.org] test.cacert.org minor have not tried 2011-05-07 17:38 2015-09-08 20:32
Reporter: abheiden Platform:  
Assigned To: BenBE OS:  
Priority: normal OS Version:  
Status: needs testing Product Version:  
Product Build: Resolution: reopened  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Summary: Get UTF8 failured email subject
Description: The subject was "=?utf-8?B?W0NBY2VydC5vcmddIFlvdSd2ZSBiZWVuIEFzc3VyZWQu?="

Content:
You are receiving this email because you have been assured by Atona Çodelu (guide@galaxy.net).

You were issued 100 points however the system has rounded this down to 10 and you now have 10 points in total.

Best regards
CAcert Support Team
Tags:
Steps To Reproduce:
Additional Information: Testserver system is an enclosed environment, no mails can be sent out from the testserver. Mail delivery is completely blocked by the testserver's firewall.

This is either
a) to prevent unwanted illegitimate use of our testserver by spammers
b) to prevent conflicts in sending mails with the production server

But some tests require sending mails, to check if mails are sent, and if the content relates to the proposed content. At least in the create an account routine, also on adding a domain, the tester has to await an email for confirmation of the triggered action.

Also some other activities need to be handled similarly to a console access
(set flags on user accounts, add assurance points over an account).
So therefore we've deployed the Testserver-Management-System - short TMS
that includes administrative functions to manage accounts and also a simple mail viewer, to read "received" mail content for a specific user under testing.

The mail viewer is no real mail client. This mail viewer is only a workaround so that the content of mails can be displayed (eg the confirmation string that is needed to confirm an account creation).
The mail viewer cannot handle encrypted mails, binhex, Base64 mails, s/mime mails, only raw text is displayed. No internet headers will be displayed, and also the subject handling has no conversion routines implemented.

If someone feels comfortable to program a real working mail client under zend-framework (the TMS is built on), please feel free :)
The source is available under the git repository git-cacert.it-sls.de
as cacert-mgr.git

Attached Files:
Notes
(0003516)
Werner Dworak   
2012-12-21 05:14   
More than 3 months fixed and no complaints
(0003749)
Uli60   
2013-02-12 22:06   
(Last edited: 2013-02-12 22:12)
https://bugs.cacert.org/view.php?id=1025#c3380
problem persists
should be fixed anyway, but has low priority
fix has to be an update to zend framework / mail routines under TMS / ca-mgr1

(0005444)
INOPIAE   
2015-08-09 16:28   
I pushed a fix to https://github.com/INOPIAE/cacert-testmgr/commit/4e3199d62fc2143da34fa6671e17f3eec6e576c8
(0005452)
INOPIAE   
2015-08-20 19:14   
I pushed a new fix to https://github.com/INOPIAE/cacert-testmgr/commit/9987c02e3e9e8f1d9b6219c1384297036c583da7
(0005461)
INOPIAE   
2015-09-08 20:32   
I pushed a new fix to https://github.com/INOPIAE/cacert-testmgr/commit/2239f970eacd9205b19f532d6fcc53b70c4d3e14


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
769 [Main CAcert Website] certificate issuing minor have not tried 2009-08-15 13:18 2015-08-30 06:39
Reporter: nijel Platform:  
Assigned To: OS:  
Priority: normal OS Version:  
Status: new Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Reviewed by:
Test Instructions:
Summary: Client certificate broken with unicode
Description: While generating client certificate, I got certificate with name "Michal &". I guess something went wrong when processing unicode name "Michal ?iha?".
[The surname could be for example "Čihař".]
Tags: certificates, diacritic, names
Steps To Reproduce: Tried to generate a client cert on the testsys. My name contains "š" (s-caron). It is taken from my account, where I suppose it is OK (displayed OK in my account). However, it is CP-1250 one-byte coded in the client cert created. As the client cert is probably UTF-8 (two bytes for diacritics) coded, this CP-1250 coding is wrong.
Additional Information: Such error occurs in Win/IE, Win/Chrome, and also Linux Ubuntu/Mozilla Firefox, Linux OpenSuSE/Mozilla Firefox.
This error can be also seen at the beginning of e-mail notices about end of cert's validity. E.G.: Hi Ale�, (etc.) usually I can only read "Hi Ale,". The last char of my name depends on the mail client. Here the hex representation was FDFF meaning the information was lost. Another clients show 9A00 (CP-1250), or C2006101. The correct Unicode representation is 6101 only. The correct UTF-8 representation is C5A1. The representation in the cert is 9A (CP-1250). It would be correct, if this text in the cert was preceded by a coding type and codepage number (I do not know if it is).
Attached Files:
Notes
(0005460)
alkas   
2015-08-29 20:51   
This error is very unpleasant, as it concerns the basic info - user's name.
As for certs with names I am not Aleš anymore, but Ale (beer) only.
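The byte sequences the reporter lists above, reproduced as an added example (not CAcert's code): `encoding_forms()` shows how "Aleš" looks in CP-1250, UTF-8 and UTF-16LE, and `decode_name_bytes()` / `rewrite_as_utf8()` are a hypothetical recovery step for a pipeline that receives a name as raw bytes of unknown encoding before putting it into a certificate subject or a mail body.

```python
# The name from the report; the s-caron is what differs between encodings.
NAME = "Aleš"


def encoding_forms(name: str) -> dict:
    """Upper-case hex of the name under the encodings discussed in the report:
    CP-1250 (one byte, 9A), UTF-8 (two bytes, C5A1) and UTF-16LE (6101)."""
    return {
        "cp1250": name.encode("cp1250").hex().upper(),
        "utf-8": name.encode("utf-8").hex().upper(),
        "utf-16-le": name.encode("utf-16-le").hex().upper(),
    }


def decode_name_bytes(raw: bytes) -> tuple:
    """Recover text from bytes that should be UTF-8 but may have been written
    as single-byte CP-1250 (as the report says the certificate subject was).
    Returns (text, encoding_used). UTF-8 is tried first because valid UTF-8
    is rarely produced by accident; a lone 0x9A is not valid UTF-8, so the
    CP-1250 fallback catches exactly the case from the report."""
    try:
        return raw.decode("utf-8"), "utf-8"
    except UnicodeDecodeError:
        return raw.decode("cp1250"), "cp1250"


def rewrite_as_utf8(raw: bytes) -> bytes:
    """Normalise a possibly mis-encoded name to UTF-8 bytes, the form needed
    for a UTF8String in a certificate subject or a mail declared as UTF-8."""
    text, _ = decode_name_bytes(raw)
    return text.encode("utf-8")
```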


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1389 [Main CAcert Website] misc minor always 2015-07-21 19:40 2015-08-28 15:43
Reporter: StefanT Platform:  
Assigned To: BenBE OS:  
Priority: urgent OS Version:  
Status: solved? Product Version: 2015 Q3  
Product Build: Resolution: fixed  
Projection: none      
ETA: none Fixed in Version: 2015 Q3  
    Target Version: 2015 Q3  
Reviewed by: NEOatNHNG, BenBE
Test Instructions: https://bugs.cacert.org/view.php?id=1389#c5421
Summary: Wrong encoding for mails sent with function sendmail()
Description: While preparing an event mailing in Danish there were problems properly transcribing Danish to ASCII. Thus sending full UTF-8 is required. When testing the mailing it was found that special characters outside the ASCII range were encoded wrong, even when UTF-8 was explicitly set in the mailing script.

Tags:
Steps To Reproduce:
Additional Information:
Attached Files:
Notes
(0005420)
felixd   
2015-07-21 20:28   
A patch is available here: https://github.com/yellowant/cacert-devel/tree/bug-1389
(0005421)
felixd   
2015-07-21 20:28   
Test instructions:
Test various events where mail is sent to the user. Make sure the first name in the account contains a special character. Examples for functions to test include:
- Mail to assurer
- Mail to assuree
- Changing primary email address
- Changing password
- Changing password from SE console
- Looking at secret questions
- Looking at secret questions from SE console
- Disputing email and domain

Test any other event where you know that a special character is used while sending a mail.
Also check that mails sent in languages other than English (e.g. German, Finnish, Russian, Swedish, ...) are displayed correctly. BEWARE: The test management server uses UTF-8 by default, passing the mail through without re-encoding it according to the Content-Type header. In case of doubt ask someone with access to the raw mail files to check/for a transcript of the raw mail.
(0005422)
StefanT   
2015-07-22 16:38   
Scenario:
New User: karl.coyote@looney.org Pass: Testing12
Link in Email: http://cacert1.it-sls.de/verify.php?type=3Demail&emailid=3D305465&hash=3D31=bbeb7759707a89a9a56c5677a9b0b5
When I tried to acknowledge the account I got this error:
"Fehler!
Parameter fehlen. Bitte benutzen Sie die komplette URL." (in German of course)
(0005424)
felixd   
2015-07-22 18:53   
yes, this problem is due to the test management server not being able to display "quoted-printable"-content correctly.

The link was initially:
http://cacert1.it-sls.de/verify.php?type=email&emailid=305465&hash=31bbeb7759707a89a9a56c5677a9b0b5

Where there was a line break after the "hash=31" due to the line being too long. The other "=3D"s are literal "="s. I am pretty sure that an ordinary email client will display the link so that it can be copied out correctly.
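The two display problems of the test management system's mail viewer, the raw RFC 2047 subject from issue 932 and the quoted-printable link from the note above, as an added example (not the TMS code): decode both with the Python standard library, and flag the charset mismatch NEOatNHNG describes later in this issue (UTF-8 bytes under a latin1 Content-Type). The raw mail is constructed from values quoted on this page; the German closing line is added to carry non-ASCII text.

```python
import email
import quopri
from email.header import decode_header, make_header

# Constructed raw mail: the encoded-word subject from issue 932 and the
# quoted-printable body from note 0005422 ('=3D' is an escaped '=', and a
# '=' at the end of a line is a soft line break that joins the next line).
RAW_MAIL = (
    "From: support@cacert.org\n"
    "To: karl.coyote@looney.org\n"
    "Subject: =?utf-8?B?W0NBY2VydC5vcmddIFlvdSd2ZSBiZWVuIEFzc3VyZWQu?=\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "Content-Transfer-Encoding: quoted-printable\n"
    "\n"
    "Hallo Karl Coyote,\n"
    "http://cacert1.it-sls.de/verify.php?type=3Demail&emailid=3D305465&hash=3D31=\n"
    "bbeb7759707a89a9a56c5677a9b0b5\n"
    "Sch=C3=B6ne Gr=C3=BC=C3=9Fe\n"
)


def decode_subject(raw_subject: str) -> str:
    """Turn an RFC 2047 encoded-word subject into readable text; a viewer
    that skips this step shows the '=?utf-8?B?...?=' string from issue 932."""
    return str(make_header(decode_header(raw_subject)))


def decode_quoted_printable(text: str) -> bytes:
    """Undo quoted-printable: '=XX' escapes become bytes and a trailing '='
    joins the line with the next one, which rebuilds the split verify link."""
    return quopri.decodestring(text.encode("ascii"))


def charset_mismatch(body: bytes, declared: str) -> bool:
    """True when the mail declares a single-byte charset but the body is in
    fact multi-byte UTF-8. latin1 decodes any byte, so a decode error never
    reveals this; instead test whether the non-ASCII bytes form valid UTF-8."""
    if declared.lower().replace("_", "-") in ("utf-8", "utf8"):
        return False
    if all(b < 0x80 for b in body):
        return False
    try:
        body.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def view_mail(raw: str) -> dict:
    """What a minimal test-system mail viewer should show: decoded subject,
    body decoded with the declared charset, and a charset mismatch warning."""
    msg = email.message_from_string(raw)
    charset = msg.get_content_charset() or "us-ascii"
    cte = (msg.get("Content-Transfer-Encoding") or "7bit").lower()
    payload = msg.get_payload()
    if cte == "quoted-printable":
        body = decode_quoted_printable(payload)
    else:
        body = payload.encode(charset, "replace")
    return {
        "subject": decode_subject(msg["Subject"]),
        "body": body.decode(charset, "replace"),
        "charset_mismatch": charset_mismatch(body, charset),
    }
```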
(0005425)
BenBE   
2015-07-22 19:28   
Please see 0001390 for the explanation. Basically just like felixd said: The test management system is kinda broken in regards to display of mails.

ATM only a nl2br is performed, thus you need to decode the quoted printable in your head ;-) Or rather: If the decoding indicates proper UTF8, the mail is sent correctly ;-)
(0005443)
INOPIAE   
2015-08-09 15:12   
The problems from the test management server are fixed.
(0005447)
StefanT   
2015-08-11 20:38   
The Test Mail (Danish Part) on Testaccount "paul.panter@pink.org":
*****
     

Read Mail
[Danish]
Gennem det sidste års tid er der sket mange ændringer hos CAcert. Mange
mundtlige regler er blevet skrevet ned i politikker. Nye procedurer (f.eks.
Assurer Challenge) og forpligtelser (f.eks. CAcert Community Agreement) har
set dagens lys.
Assurandør trænings events (ATE) forsøger at udbrede disse informationer.
- Hvad mangler på den gamle CAP formular?
- Hvorfor skal jeg huske R/L/O?
- Hvad kan du gøre hvis en person fremviser ID dokumenter jeg ikke
kender?
Disse og flere spørgsmål vil blive besvaret under en Assurandør trænings
event (ATE)
Yderligere, træner man på ATE, hvordan man verificere og kontrollere
verificeringer for at måle kvaliteten af verificeringsprocessen i det
daglige. Der er en del fejl, som er nemme at falde i. Assurandører får
mulighed for at se disse fejl og hvordan man undgår dem.
Som IanG sagde: ATE eller Assurandør Træningens events er klart anbefalet
til alle assurandører og indeholder dele som hjælper direkte med vores
godkendelseskontrol. Kom og find ud af hvordan du også kan hjælpe.

Den næste event, som afholdes i dit område er:
- Søndag d. 20. September 2015
- Kl. 10:00 – ca. 17:00
- ShowIT Media
- Slotsbryggen 14 A-D
- 4800 Nykøbing F.
- Denmark

BEMÆRK: eventen foregår på engelsk
Detaljerne om eventen og programmet kan findes på:
Wiki [https://wiki.cacert.org/Events/2015-09-20-ATE-DK-Nykobing]
Blog [tbd]
Du kan tilmelde dig ved at besvare denne mail og i emnet feltet skrive: “I
will attend the ATE-Nykobing”
Event teamet ser frem til din deltagelse
Kontakt: events@cacert.org
*****

The Mail is displayed correct with all special Characters => OK
(0005450)
INOPIAE   
2015-08-20 18:18   
Looking at the event mail sent on Aug 9th
the Danish special characters are displayed correctly. Unfortunately there were no German special characters in the mail body. So there is no proof from there.

=> ok
(0005451)
INOPIAE   
2015-08-20 18:19   
please as we have two successful tests
(0005454)
NEOatNHNG   
2015-08-23 15:55   
Patch looks OK.

One remark though: The non-utf8 case is not used anywhere in the system now, and probably it won't work because HTML entities are encoded to utf8 while the content type says it's latin1. ==> non-utf8 case should be removed IMHO

The only place where the latin1 variant was used before, were the mailing scripts and there it especially made no sense. That was probably the reason why special characters were broken in the mailing scripts. Now the parameter they set gets interpreted as if they wanted utf8 support which makes sense and should work.
(0005458)
BenBE   
2015-08-26 06:43   
Patch forwarded to crit.
(0005459)
wytze   
2015-08-28 15:43   
The fix has been installed on the production server on August 28, 2015. See also:
https://lists.cacert.org/wws/arc/cacert-systemlog/2015-08/msg00007.html


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1394 [Main CAcert Website] my account minor have not tried 2015-07-28 20:40 2015-08-25 20:14
Reporter: INOPIAE Platform:  
Assigned To: BenBE OS:  
Priority: normal OS Version:  
Status: needs review & testing Product Version: 2015 Q3  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version: 2015 Q3  
Reviewed by: BenBE
Test Instructions: Try to create a certificate with an IDN domain name in it while the Code Signing flag is off. Verify it working if it's on. For conversion to IDN you can use http://mct.verisign-grs.com/
Summary: Fix error message when entering an IDN domain
Description: When entering an IDN domain to the system the error message is:
"Due to the possibility for punycode domain exploits we currently do not allow any certificates to sign punycode domains or email addresses."
Better:
"Due to the possibility for punycode domain exploits we currently only offer the use of IDN domains if your account has the code signing flag.
More information can be found [in our wiki][https://wiki.cacert.org/FAQ/Privileges]."
Tags:
Steps To Reproduce:
Additional Information: includes\account.php lines 119 and 544
Attached Files:
Notes
(0005440)
INOPIAE   
2015-07-28 21:47   
I pushed a fix to https://github.com/INOPIAE/CAcert/commit/f2889a127e9c5a68a22b8accba00b32b94ce3971
(0005456)
StefanT   
2015-08-25 20:14   
I tested with Account karl.coyote@looney.info without code-signing flag.
I tried to verify domain "körnerfutter.com" after conversion to "xn--krnerfutter-rfb.com".
The Result was "Due to the possibility for punycode domain exploits we currently only offer the use of IDN domains if your account has the code signing flag. More information can be found in our wiki."
This Error was expected => OK

The 2nd Test was with Account paul.panter@pink.org with code-signing flag.
I tried this domain to verify: xn--maraa-rta.org
The 1st Step was accepted by addressing to email root@xn--maraa-rta.org
By using the Link in the email the domain was accepted.
This domain verification was accepted => OK


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1378 [Main CAcert Website] tweak always 2015-04-07 10:50 2015-08-19 22:17
Reporter: HansMaulwurf Platform: Main CAcert Website  
Assigned To: BenBE OS: N/A  
Priority: normal OS Version: stable  
Status: solved? Product Version:  
Product Build: Resolution: suspended  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Reviewed by:
Test Instructions:
Summary: Unable to sign gpg key for an IDN.
Description: Registering an IDN email via punycode works.
But then signing a gpg key fails,
because after copying its public part I only get the error that the format of the key is wrong.
After talking with the gpg developers, they say that it is correct that the gpg key contains the utf8 version, and the application has to deal with it.
Tags:
Steps To Reproduce: 1. create a gpg2 keypair for an IDN domain. For example foo@müller.de.
2. export the public key
3. try to import it.
Additional Information: Bug report about the IDN support under gpg2: https://bugs.g10code.com/gnupg/issue1941
System Description Production version of the CAcert website
Attached Files:
Notes
(0005384)
BenBE   
2015-05-05 22:27   
(Last edited: 2015-05-05 22:30)
Unfortunately the GnuPG code is fragile enough as it stands and there are currently no plans to add any new features until a proper rewrite has been completed. For details see https://blog.cacert.org/2015/02/new-software-rewriting-the-software-driving-our-site/ and its follow-ups.

Also note that the GnuPG people still need to decide on the behaviour of client applications. Until then a work-around might be using the raw IDN version of the domain xn--mller-... in your key UID.
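The IDN conversions that StefanT's test of issue 1394 and the gpg work-around above rely on, as an added example (not CAcert's code): `to_alabel()` turns the Unicode form a user types, or a gpg UID carries, into the xn-- form, `idn_policy_check()` is a hypothetical version of the check in includes/account.php that admits punycode domains only with the code-signing flag, and `mixed_script_labels()` is a detection helper for the homograph risk that policy refers to. Domains are the ones quoted on this page.

```python
import unicodedata

# Error text proposed in issue 1394.
CODE_SIGNING_MESSAGE = (
    "Due to the possibility for punycode domain exploits we currently only "
    "offer the use of IDN domains if your account has the code signing flag."
)


def to_alabel(domain: str) -> str:
    """Unicode (U-label) domain to its ASCII A-label form, label by label.
    Labels that are already ASCII, including xn-- ones, pass through."""
    return domain.encode("idna").decode("ascii").lower()


def to_ulabel(domain: str) -> str:
    """A-label domain back to its Unicode form, e.g. for display."""
    return domain.encode("ascii").decode("idna")


def is_punycode_domain(domain: str) -> bool:
    """True if any label of the domain is an xn-- label once converted."""
    return any(label.startswith("xn--") for label in to_alabel(domain).split("."))


def normalize_email(address: str) -> str:
    """Local part untouched, domain part converted to A-label: what the site
    has to do with a gpg UID such as foo@müller.de (issue 1378)."""
    local, _, domain = address.rpartition("@")
    return f"{local}@{to_alabel(domain)}"


def idn_policy_check(domain: str, code_signing_flag: bool) -> tuple:
    """Hypothetical form of the includes/account.php rule: plain domains are
    always accepted, IDN domains only with the code-signing flag.
    Returns (accepted, message)."""
    if not is_punycode_domain(domain) or code_signing_flag:
        return True, ""
    return False, CODE_SIGNING_MESSAGE


def mixed_script_labels(domain: str) -> list:
    """Labels whose letters come from more than one script, judged by the
    first word of each character's Unicode name (LATIN, CYRILLIC, ...).
    Single-script IDNs such as maraña.org are not flagged."""
    flagged = []
    for label in to_ulabel(to_alabel(domain)).split("."):
        scripts = {unicodedata.name(ch, "?").split(" ")[0]
                   for ch in label if ch.isalpha()}
        if len(scripts) > 1:
            flagged.append(label)
    return flagged
```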



View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1395 [Main CAcert Website] account administration minor have not tried 2015-07-29 18:43 2015-08-19 21:51
Reporter: INOPIAE Platform:  
Assigned To: OS:  
Priority: normal OS Version:  
Status: new Product Version: 2015 Q3  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Reviewed by:
Test Instructions:
Summary: Show information about not verified domains and emails in SE console
Description: I found that SE cannot see if a domain that has not yet been verified for the account is linked to the account. The search for the domain shows the user account to the SE.
Tags:
Steps To Reproduce:
Additional Information:
Attached Files:
There are no notes attached to this issue.


View Issue Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
1025 [Main CAcert Website] misc minor always 2012-03-22 13:51 2015-08-09 21:06
Reporter: Uli60 Platform:  
Assigned To: NEOatNHNG OS:  
Priority: normal OS Version:  
Status: needs work Product Version:  
Product Build: Resolution: open  
Projection: none      
ETA: none Fixed in Version:  
    Target Version:  
Reviewed by: NEOatNHNG, BenBE
Test Instructions:
Summary: Domain Dispute strange behaviour / Domain Dispute issue
Description: The problem is taken from ticket [s20120322.56 ] Domain dispute fallout?

A few days ago I used the "Domain Dispute" tab on the CAcert.org website
to "take" domain.tld away from User2, as I was
under a time crunch to get some certs rolled. Before I did this User2
and I were unable to connect to arrange this some other way.

While this got the domain.tld account transferred to me,
User2 tells me it also messed up the other certs for domains he manages
(both domain2.tld for us and several of his personal domains). If I
understood correctly, it also prevented him from logging in to his
cacert account.

Do I understand correctly?

If this is the case, did I miss a warning about the effect my clicking
on "Domain dispute" would have? My only goal was to get
domain.tld transferred to me so I could issue some certs,
and I would have never clicked on that link if I had known that one of
the consequences of that action would have been to affect User2's CAcert
account or the other certificates he had been issued.
Tags:
Steps To Reproduce:
Additional Information: bug# generated to analyze and reproduce the reported problem
Attached Files:
Notes
(0002887)
Uli60   
2012-03-22 15:03   
pre-set
-------
user1
  email: user1@domain1.tld


user2
 email: user2@domain1.tld
   clientcerts: user2@domain1.tld
 domain: domain1.tld
   servercerts: cert1.domain1.tld
                 cert2.domain1.tld
 domain: sub1.domain1.tld fail
   servercerts: cert1.sub1.domain1.tld -
                 cert2.sub1.domain1.tld -
 domain: domain2.tld
   servercerts: cert1.domain2.tld
                cert2.domain2.tld
 domain: sub1.domain2.tld fail
   servercerts: cert1.sub1.domain2.tld -
                cert2.sub1.domain2.tld -

test procedure
--------------
created user1 and user2
both verified
both accounts assured up to 100 assurance points
logged in user2
create client cert
adding domain domain1.com
confirm email probe (postmaster@), under ca-mgr1 under bug1025.user2 account email

adding domain sub1.domain1.tld
email probe to: postmaster@sub1.domain1.tld results in error:
"Email Address given was invalid, or a test connection couldn't be made to your server, or the server rejected the email address as invalid
Failed to make a connection to the mail server"
Bug? Fallback to postmaster@domain1.tld is impossible

adding domain domain2.de
confirm email probe (postmaster@), under ca-mgr1 under bug1025.user2 account email

adding domain sub1.domain2.tld
email probe to: postmaster@sub1.domain2.tld results in error:
"Email Address given was invalid, or a test connection couldn't be made to your server, or the server rejected the email address as invalid
Failed to make a connection to the mail server"

sub domains failed email probe, cannot be tested

creating 4 server certs private keys and csr's with openssl,
2 each for domain1.tld and domain2.tld

signing all 4 csr's with class3 testserver subroot
1. server1.domain1.com serno 10AF
2. server2.domain1.com serno 10B0
3. server1.domain2.de serno 10B1
4. server2.domain2.de serno 10B2

logout

login user1
domain add domain1.tld
error: The domain 'domain1.com' is already in a different account and is listed as valid. Can't continue.
=> OK