View Issue Details
ID: 1417
Category: [Main CAcert Website] certificate issuing
Severity: major
Reproducibility: always
Date Submitted: 2016-10-03 17:31
Last Update: 2021-06-23 00:03
Reporter: Wiesshund
Platform: PC Windows 10, IE11 Chrome Firef
Assigned To: Ted
OS: Windows 10 Pro 64bit, Ubuntu
Priority: urgent
OS Version: Current
Status: confirmed
Product Version: 2015 Q3
Product Build:
Resolution: open
Projection: none
ETA: none
Fixed in Version:
Target Version:
Reviewed by:
Test Instructions:
Summary: Unable to generate client certificate
Description: Unable to generate client certificate
Clicking generate keypair in browser results in the error

"I didn't receive a valid Certificate Request, please try a different browser."

This happens in IE11, Edge, Chrome current version, and Firefox current version.
Tags: browser, certificates, html
Steps To Reproduce: log in to cacert.org
click client certificate
click new
check off wanted email address
click agree to terms
click generate keypair within browser

Immediately receive error "I didn't receive a valid Certificate Request, please try a different browser."
Same error occurs in IE11, Edge, Chrome and Firefox.

Additional Information: CACerts.org is added as trusted site
TLS and SSL are enabled
Tested running Trusted Sites on low security setting in IE
Tried on both 32 and 64 bit versions of all browsers
System Description: Production version of the CAcert website
Attached Files: keygen.png (22,621 bytes) 2018-01-07 09:00
http://bugs.cacert.org/file_download.php?file_id=422&type=bug
New Client Certificate.png (175,952 bytes) 2019-09-10 20:50
http://bugs.cacert.org/file_download.php?file_id=467&type=bug
Notes
(0005529)
L10N   
2016-12-24 19:29   
The same bug happened to me too with
- Chromium 55 on Ubuntu 16.04
- Vivaldi 1.6 64 Bit on Ubuntu 16.04
- Edge on Windows 10

But I could create a new certificate with
- Firefox 50.1 on Ubuntu 16.04
(0005534)
L10N   
2016-12-28 10:43   
Some other checks to create new certificates:
it does NOT work with
- Edge 38 on Windows 10
- Opera 42 on Windows 10
- Vivaldi 1.4 on Windows 10

it works still with
- Firefox 48.0 on Windows 10
(0005569)
L10N   
2018-01-07 08:41   
I filed a bug at Chromium and at Vivaldi a few days ago. Following the answer from Chromium:

    Issue 799246 in chromium: Cannot create a certificate with cacert.org
Sender
    From: asa… via monorail

Updates:
Components: Internals>Network>Certificate
Status: WontFix

Comment 0000003 on issue 799246 by asanka@chromium.org: Cannot create a certificate with cacert.org
https://bugs.chromium.org/p/chromium/issues/detail?id=799246#c3

This site is using the <keygen> element to generate a keypair. This feature is deprecated. See https://www.chromestatus.com/features/5716060992962560

Attachments:
Screen Shot 2018-01-05 at 4.44.07 PM.png 22.1 KB

(0005570)
L10N   
2018-01-07 08:43   
"Since Chrome 49, <keygen>'s default behaviour has been to return the empty string, unless a permission was granted to this page. Removed in Chrome 57."

"IE/Edge do not support <keygen> and have not indicated public signals to support <keygen>. Firefox already gates <keygen> behind a user gesture, but is publicly supportive of removing it. Safari ships <keygen> and has not expressed public views regarding its continued support."

source: https://www.chromestatus.com/features/5716060992962560
(0005571)
L10N   
2018-01-07 09:03   
Further information at https://developer.mozilla.org/en-US/docs/Web/HTML/Element/keygen

"Deprecated
This feature has been removed from the Web standards. Though some browsers may still support it, it is in the process of being dropped. Avoid using it and update existing code if possible; see the compatibility table at the bottom of this page to guide your decision. Be aware that this feature may cease to work at any time."
(0005572)
L10N   
2018-01-07 09:49   
Alternatives to <keygen>:
https://w3ctag.github.io/client-certificates/

Other discussions about alternatives:
https://stackoverflow.com/questions/36350954/html-keygen-alternative-generating-key-pair-in-browser
https://security.stackexchange.com/questions/106257/alternatives-to-htmls-deprecated-keygen-for-client-certs

Further readings:
https://lists.w3.org/Archives/Public/www-tag/2015Sep/0000.html
https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/pX5NbX0Xack
(0005574)
gukk_devel   
2018-01-14 15:03   
https://developer.mozilla.org/de/docs/Web/HTML/Element/keygen
https://productforums.google.com/forum/#%21topic/chrome/FGU6TvIgPY0;context-place=forum/chrome
https://support.comodo.com/index.php?/Knowledgebase/Article/View/475/0/which-browser-can-i-use-to-signup-for-a-email-certificate
(0005575)
bjantzen   
2018-01-14 17:40   
Generating keys still works for me with
Firefox 57.0.4 (64-Bit, Linux) installed in openSUSE Leap 42.3.
(0005576)
L10N   
2018-02-10 10:05   
On Fri, 2 Feb 2018 10:29:41 +1100, Peter Yuill <peter AT NO SPAM c.o.> wrote at CAcert Board List:
I went through the process of generating keys and CSR in openssl then
submitting CSR through the advanced section of “New Certificate” and it
worked perfectly for me (using current Firefox). I have to say it is not a
simple solution and it certainly requires a much higher level of technical
skill than the browser solution, but it does work.

I did some research on possible tools to simplify the process and I have a
proposal. As far as I can see the browser route is dead, so we need to look
elsewhere. I am looking at the possibility of a desktop app that would
generate keys and CSR then connect to the cacert.org <http://cacert.org/>
site through a screen scrape library to submit the CSR and store the
certificate back in a local keystore. The one extra step required is to
import the certificate into browsers/mail clients, which should not be
difficult for most people. I am starting work on a cross-platform proof of
concept which I hope to be able to demonstrate in a few weeks.
(0005585)
dops   
2018-04-18 21:23   
"The browser route is dead" - indeed, so solutions running natively on the platforms are necessary.
A technical discussion thread was started here:
https://lists.cacert.org/wws/arc/cacert-devel/2018-04/msg00000.html

Supporting many platforms can be challenging. Because a simple solution is better than none, I'd prefer to have console-based scripts using on-board tools such as openssl (usually available for UNIX-style systems) or certreq (on standard Windows since many years - Vista?) as a baseline. Automating the CAcert certificate request page is not essential for the simple tool variant, where a graphical, more powerful and comfortable variant can complement it and doesn't need to cover platforms on an equal level or have the same robustness.

For UNIX-style systems I created a shell/openssl based solution as proof-of-concept here:
http://70t.de/download/ , file with pattern cacert_client_certificate_<date>.tar.xz (at time of writing cacert_client_certificate_2018-04-11.tar.xz )

Read more on cacert-devel starting here
https://lists.cacert.org/wws/arc/cacert-devel/2018-04/msg00000.html
(0005587)
RogerCPao   
2018-05-02 23:32   
I tried out cacert_client_certificate_2018-04-09.tar.xz. Thanks for creating it. I have a few suggestions/remarks about it.


A)

Multiple inputs of a passphrase are required:
  1. Unlock the key (from the file generated in the first task)
    -----
  2. Set a passphrase for the new certificate file
  3. Repeat (confirm) the passphrase from 2. above
Input area (sequence of 3 passphrases): [1. Unlock key password]
Enter Export Password: [2. passphrase for new cert]
Verifying - Enter Export Password: [3. repeat 2.]

The three numbered items should be explicitly numbered and named in each of the prompts that come after. The first prompt of "Input area (sequence of 3 passphrases): " does not indicate that you are supposed to type in the "passphrase to protect the generated key" when generating the RSA private/public key pair.


B)

If ready, press enter to open the certificate with the browser for import.

[
In the case of Firefox 59.0.2 (64-bit), Ubuntu 16.04.4,
a dialog box will ask
What should Firefox do with this file?
(*) Open with [View file (default)]
( ) Save File
[ ] Do this automatically for files like this from now on.
[OK]
The questions about passphrase and labels eventually display
the certificate details, but the certificate is not imported. I had to go to Firefox's Certificate Manager and
manually [Import...] the newly created new_certificate_$USER.pfx file.
You will need to unlock the .pfx file with the
"Enter Export Password: [2. passphrase for new cert]" from above.
]
(0005588)
RogerCPao   
2018-05-02 23:35   
Oops. That note should have gone to the mailing list where cacert_client_certificate_2018-04-09.tar.xz was posted. There is no edit/delete.
(0005828)
vmbentley   
2019-09-07 18:22   
It is nearly three years since this issue was raised. Has there been no viable alternative process found for generating client certificates without the deprecated keygen tag?

Would it be possible for someone to write a HowTo guide for manually performing the process on the command line using OpenSSL, and to put a corresponding CSR submission form on the website for the server-side part of the process?
(0005829)
BarryN   
2019-09-07 19:09   
Could something like this be used?

https://pkijs.org/
(0005830)
BarryN   
2019-09-07 19:14   
Here is an example that uses that code:

https://csrhelp.peculiarventures.com/
(0005831)
BarryN   
2019-09-07 19:18   
Here's another option:

https://www.php.net/manual/en/function.openssl-csr-new.php
(0005833)
Ted   
2019-09-08 12:16   
(Last edited: 2019-09-08 12:16)
As a reply to https://bugs.cacert.org/view.php?id=1417#c5828 there indeed is a workaround for this problem.

If you click the "show advanced options" checkbox you can provide a manually created CSR, which makes the keygen tag obsolete. But the process is not really easy or user friendly. See https://wiki.cacert.org/FAQ/CSR as a starting point if you want to try that way.

(0005834)
Ted   
2019-09-08 12:51   
(Last edited: 2019-09-08 12:52)
I had a (very short!) look at the proposals of BarryN.

https://www.php.net/manual/en/function.openssl-csr-new.php will probably not help us, because this is code that runs on the server. It would not be appropriate for our standards to create a keypair on the server and then send it to the browser, because of the additional risk of compromising the key on the server or during transfer. BTW, this is the reason why CSRs have been invented.

https://pkijs.org/ looks more promising to me. As the provided example shows, the library seems to be able to create a keypair and a corresponding CSR locally in the browser. If the library uses the key storage of the browser for key generation and therefore does not have access to the private key itself, this may be a valid replacement of the keygen tag, since this is exactly what the tag does.

But, first of all, this assumption has to be verified by a code review. If the library creates the private key "itself", therefore having access to it, this also imposes the risk that the private key is compromised during the creation process.

Another downer is the sentence "Safari, Edge, and IE do not have complete, or correct implementations of Web Crypto.", which once again leaves a significant portion of the browser market uncovered...

Nevertheless, if there's anyone who would like to give it a try, it may be worth doing more research in this direction.

(0005835)
vmbentley   
2019-09-08 13:38   
The 'downer sentence' was from 2015. Almost all browsers are supported now. To see what is and isn't supported visit https://caniuse.com/#feat=cryptography
(0005837)
BarryN   
2019-09-09 16:36   
I thought the JavaScript solution might be the better one. I have tested a few browsers and the basic functionality seems to work. According to the chart the current versions of IE, Edge, Chrome, Firefox and Safari all have at least basic support.
(0005857)
Ted   
2020-01-06 11:22   
From a mail on the Support mailing list:

Hello everyone,

have a look at the PKI.js library. It is a toolbox in
JavaScript for all operations on X.509 certificates. With it you can
generate in the browser:

* Keypair
* PKCS#10 CSR
* PKCS#12 file

The user then only has to import the PKCS#12 file into the browser.
PKI.js can do considerably more than the old <keygen>; for example, it
can also generate EC keys.
(0005895)
L10N   
2020-06-27 13:28   
What's the state of play?
What happened to the app from Peter Y?
What happened to the proof of concept from dops?
What about pkijs.org?
What happened to the JavaScript solution?
What about the library PKI.js?

As a technical layman, I do not really understand it. The approaches sounded promising. Were they pursued further?
(0005911)
Felixishim   
2020-10-21 12:27   
Same here as L10N, and hoping some type of solution will soon be proposed.
(0005912)
Ted   
2020-10-29 21:31   
(Last edited: 2020-10-29 22:37)
Looking into https://pkijs.org/ once more.

It seems possible to create a web page which could replace the key creation with openssl where openssl is not readily available (like on Windows):
- Create a key pair with the generateKey API
- Create a PKCS10 CSR with user-provided data for CommonName and SubjectAltName using the CertificationRequest class of PKIJS
- Show the PEM encoded request to the user for Copy/Paste
- The user must then paste the CSR into the CAcert web page, and use Copy/Paste to copy the created certificate into the PKIJS-based website
- The PKIJS based website combines key and certificate in a PKCS#12 (*.pfx) structure which can be downloaded by the user

This PKCS#12 structure can be imported into Mozilla's certificate database or into the Windows certificate storage.

Of course this also has the potential to be integrated in the CAcert web page, which could eliminate the Copy/Paste operations, but I'd consider that as the second step.

The main problem I see is that the creating script knows the created private key and could easily compromise it (intentionally or unintentionally). This is essentially the same as in an openssl based script, but since the script is loaded on demand from some webserver, as well as several libraries, the potential of phishing-like abuse is IMHO considerably greater...

Nevertheless it could be an easier-to-use variant for Windows users.
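The client-side steps Ted lists above, and the manual CSR route behind "show advanced options" (note 0005833), done with openssl on a UNIX-style system. This is an added example, not code from the ticket, from dops's tarball or from CAcert; the names, e-mail address and passphrase are constructed, and a throwaway local CA stands in for CAcert's signer only so that the bundling step can run offline (in real use the CSR is pasted into the CAcert form and the returned certificate is saved as client.crt).

```shell
#!/bin/sh
# Added example (not from the ticket, dops's tarball or CAcert): the client-side
# certificate flow with openssl. The private key is generated locally and never
# leaves this machine; only the CSR (public key + requested names, self-signed
# with that key) goes to the CA, which is the whole point of using a CSR.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory (assumption: mktemp -d exists)

# 1. Key pair and PKCS#10 CSR. CAcert client certificates identify an e-mail
#    address, so it goes into subjectAltName; the CN is just a display name.
make_key_and_csr() {   # $1 = common name, $2 = e-mail address (both constructed)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 \
        -out "$WORK/client.key" 2>/dev/null
    chmod 600 "$WORK/client.key"          # the key is only ever read by its owner
    cat > "$WORK/csr.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = $1
[ext]
subjectAltName = email:$2
EOF
    openssl req -new -key "$WORK/client.key" -config "$WORK/csr.cnf" \
        -out "$WORK/client.csr"
}

# 2. Check the CSR before pasting it into the "advanced options" form: the
#    self-signature must verify and the e-mail must really be in the request.
check_csr() {   # $1 = expected e-mail address
    openssl req -in "$WORK/client.csr" -noout -verify >/dev/null 2>&1 || return 1
    openssl req -in "$WORK/client.csr" -noout -text | grep -q "email:$1"
}

# 3. Constructed stand-in for CAcert's signer so the rest can run offline.
#    In real use this step is: paste the CSR, save the returned certificate
#    as client.crt. The CA, not the requester, decides which extensions to set.
sign_with_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
        -out "$WORK/ca.crt" -subj "/CN=Constructed test CA" -days 1 2>/dev/null
    openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
        -extfile "$WORK/csr.cnf" -extensions ext -out "$WORK/client.crt" 2>/dev/null
}

# 4. Before bundling, make sure the certificate that came back belongs to our
#    key (a copy/paste mix-up yields a .pfx that no browser can use). Comparing
#    the two public keys works on any openssl version and needs nothing else.
cert_matches_key() {   # $1 = certificate file, $2 = private key file
    a=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)
    b=$(openssl pkey -in "$2" -pubout | openssl dgst -sha256)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# 5. Bundle key + certificate (+ issuer) into PKCS#12 for import into Firefox,
#    Thunderbird or the Windows certificate store, then round-trip the bundle
#    to be sure the key really is inside and the passphrase opens it.
bundle_pkcs12() {   # $1 = export passphrase (constructed; use a real one)
    openssl pkcs12 -export -inkey "$WORK/client.key" -in "$WORK/client.crt" \
        -certfile "$WORK/ca.crt" -name "CAcert client certificate" \
        -out "$WORK/client.pfx" -passout "pass:$1"
    openssl pkcs12 -in "$WORK/client.pfx" -nodes -passin "pass:$1" 2>/dev/null \
        | grep -q "PRIVATE KEY"
}

run_flow() {   # the whole procedure; non-zero if any step fails
    make_key_and_csr "Alice Example" "alice@example.org" &&
    check_csr "alice@example.org" &&
    sign_with_test_ca &&
    cert_matches_key "$WORK/client.crt" "$WORK/client.key" &&
    bundle_pkcs12 "constructed-export-passphrase"
}

if [ "${1:-}" = "run" ]; then
    run_flow && echo "bundle written to $WORK/client.pfx"
fi
```

Each step is a function so it can be checked on its own; `sh thisfile.sh run` executes the whole flow. OpenSSL 3 writes PKCS#12 with newer encryption defaults that some older importers reject; re-export with `-legacy` if a certificate store refuses the file.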
(0005913)
dops   
2020-10-29 22:26   
Regarding download: Search engines present solutions for locally creating files for "download". The first link looks like a clean and modern solution, which is also later mentioned behind the 2nd link with a longer history:
https://shinglyu.com/web/2019/02/09/js_download_as_file.html
https://stackoverflow.com/questions/3665115/how-to-create-a-file-in-memory-for-user-to-download-but-not-through-server

So it should be feasible that all private-key-related operations can be done locally in the browser.
(0005920)
Ted   
2020-11-29 19:16   
I've tried a "proof of concept" implementation at https://secure.convey.de/publish/ted/TestPKI.html

The PKCS#12 file created there can be parsed by OpenSSL, but neither the Windows Certificate Storage nor Thunderbird/Firefox are able to use it for import... :-(
Probably there's still some research necessary about the details of PKCS#12 creation...
(0005921)
jandd   
2020-11-30 00:01   
I implemented a GPL-2+ licensed proof of concept based on the Forge JavaScript PKI library (https://github.com/digitalbazaar/forge) with a small Go backend using an example openssl CA. The PoC can be found at https://git.dittberner.info/jan/browser_csr_generation and can be built/run using the instructions in the README.md file contained in that repository.

I could import PKCS#12 files created by this PoC project successfully in Firefox and the GNOME keystore (Seahorse).
(0006017)
tim.devries   
2021-06-22 23:02   
My code should be verifiably correct according to outside sources. It should work Everywhere.

Period.

Next.

So try: https://tecreations.ca/java/downloads/release/SecurityTool_User

So that would be: org.cacert.SecurityTool_User IF you understand Java.

Launch it, try, see what happens.

So far, CACert doesn't recognize, or won't accept, a CSR. The key has nothing to do with it.


CSR == CERT. Yes/No? What do you think?

If they can sign, if not, I can.


They'd have to 3rd party, accepted 3rd Party Signature.

So, If you need, I will. Accept, Verify, Sign.

All data reference points.

Name:

Locale:

Special Identifiers, #codeSigning, #clientAuth, #serverAuth, #SSO, if you want.
(0006018)
tim.devries   
2021-06-22 23:47   
Ok, hang on, will post when tested: Copy/Paste Link:

https://tecreations.ca/java/downloads/release/signed-cacert.org.jar

GenerateKey, Copy CSR, View Clipboard.

Try That.....
(0006019)
tim.devries   
2021-06-22 23:56   
Oh, there's some kind of problem....

I'll try to repost when I have an answer.

You should be able to:
Download
Unpack to <User.Home>restarted-1\....
Launch org.cacert\SystemTool_User

Generate Key, Copy CSR, View Clipboard....

It doesn't really matter, CA Cert Won't Sign. I can sign, but do you trust me???

I mean c'mon, get real.


Tim
(0006020)
tim.devries   
2021-06-23 00:03   
You may generate valid PEM CSR by using tecreations.ca/java/downloads/release/signed-cacert.org.jar

And Then Clicking "Generate Key", this will create a new private key.

Click "Get CSR" that will copy the CSR to the clipboard, based on your current DistinguishedName parameters. This is to identify you apart from everyone else.

Click "View Clipboard": This should show your current selection, ie, your CSR.

This is what you should paste to CACert.

It currently is NOT WORKING CORRECTLY.

Options are available to VERIFY YOUR SITUATION.

Tim


View Issue Details
ID: 1530
Category: [Main CAcert Website] GPG/PGP
Severity: minor
Reproducibility: always
Date Submitted: 2021-06-20 17:17
Last Update: 2021-06-21 18:09
Reporter: jandd
Platform: Main CAcert Website
Assigned To: egal
OS: N/A
Priority: normal
OS Version: stable
Status: needs review & testing
Product Version:
Product Build:
Resolution: open
Projection: none
ETA: none
Fixed in Version:
Target Version:
Reviewed by:
Test Instructions:
Summary: inconsistent retry behaviour for empty/missing/broken gpg signatures
Description: The signer client handles incomplete/missing gpg signatures differently than X.509 certificates. The database table already has a warning column (tinyint) that is initialized with 0. For X.509 certificates this field is incremented for every failed signing attempt. For OpenPGP this is not the case. They are retried without an abort condition.
Tags:
Steps To Reproduce: Have a signer failure or write some garbage in the CSR file on the webdb system. See the failed gpg signing attempt on every signer loop run (in HandleGPG of CommModule/client.pl).
Additional Information: We have > 100 such failing gpg requests in the production system but none in the test system.
System Description: Production version of the CAcert website
Attached Files: 1530_Implement_warning_thresholds_for_OpenPGP.patch (1,991 bytes) 2021-06-20 17:24
http://bugs.cacert.org/file_download.php?file_id=504&type=bug
Notes
(0006015)
jandd   
2021-06-20 17:24   
The attached patch implements the OpenPGP variant of the warning threshold and allows consistent configuration of the threshold for X.509 and OpenPGP.
(0006016)
bdmc   
2021-06-21 18:09   
This solution appears reasonable, and should correct the issue.


View Issue Details
ID: 1526
Category: [Main CAcert Website] website content
Severity: major
Reproducibility: always
Date Submitted: 2021-05-21 08:13
Last Update: 2021-06-12 21:00
Reporter: alkas
Platform: Main CAcert Website
Assigned To: Ted
OS: N/A
Priority: high
OS Version: stable
Status: ready to deploy
Product Version:
Product Build:
Resolution: open
Projection: none
ETA: none
Fixed in Version:
Target Version:
Reviewed by: egal, Ted
Test Instructions: https://www.cacert.org/index.php?id=3
Summary: The Class 3 certificate expired, new one not published yet
Description: On the https://www.cacert.org/index.php?id=3 page, the old expired Class 3 certificate is still published.
Users complain.
Tags: Class 3, renew
Steps To Reproduce: Go to https://www.cacert.org/index.php?id=3 and you will see.
Additional Information:
System Description: Production version of the CAcert website
Attached Files: CAcert_Class3Root_x14E228.crt (2,224 bytes) 2021-05-21 21:16
http://bugs.cacert.org/file_download.php?file_id=499&type=bug
CAcert_Class3Root_x14E228.der (1,601 bytes) 2021-05-21 21:16
http://bugs.cacert.org/file_download.php?file_id=500&type=bug
CAcert_Class3Root_x14E228.txt (7,540 bytes) 2021-05-21 21:16
http://bugs.cacert.org/file_download.php?file_id=501&type=bug
Bienvenue à CAcert.org.html (8,404 bytes) 2021-05-21 21:49
http://bugs.cacert.org/file_download.php?file_id=502&type=bug
3.php (3,910 bytes) 2021-05-22 07:41
http://bugs.cacert.org/file_download.php?file_id=503&type=bug
Notes
(0006005)
Golffies   
2021-05-21 21:16   
Here is what we need to do, in order to implement the requested change, i.e. replacing on our front webpage the deprecated Class 3 Root certificate with serial number x0E by the new Class 3 Root certificate with serial number x14E228.

1. Replace the related files, hosted on our front webserver, in each of the formats these files are made available (pem, der, text) for downloading the Class 3 Root certificate.


1.1 Remove

1.1.1 Remove the file https://www.cacert.org/certs/class3_X0E.crt
1.1.2 Remove the file https://www.cacert.org/certs/class3_X0E.der
1.1.3 Remove the file https://www.cacert.org/certs/class3_X0E.txt


1.2 Add

1.2.1 Add the file CAcert_Class3Root_x14E228.crt at https://www.cacert.org/certs/
1.2.2 Add the file CAcert_Class3Root_x14E228.der at https://www.cacert.org/certs/
1.2.3 Add the file CAcert_Class3Root_x14E228.txt at https://www.cacert.org/certs/

Note: The files CAcert_Class3Root_x14E228.{crt,der,txt} are attached to the present note.
Note: .der and .txt extensions are self-explanatory; .crt extension has been chosen to be given to the pem format file.


2. Update the HTML source code of the page at <https://www.cacert.org/index.php?id=3>


2.1 Update the hyperlinks to the Class 3 Root certificate


2.1.1 Replace

certs/class3_X0E.crt

by

certs/CAcert_Class3Root_x14E228.crt


2.1.2 Replace

certs/class3_X0E.der

by

certs/CAcert_Class3Root_x14E228.der


2.1.3 Replace

certs/class3_X0E.txt

by

certs/CAcert_Class3Root_x14E228.txt

Note: the change has to be applied on the canvas of the website, in order for the explanatory texts above, enclosed in the hyperlink, to be displayed in any foreign language, i.e. the one chosen by the visitor.



2.2 Update the displayed SHA1 and SHA256 fingerprints


2.2.1 Replace

SHA256 fingerprint: F687 3D70 D675 96C2 ACBA 3440 1E69 738B 5270 1DD6 AB06 B497 49BC 5515 0936 D544

by

SHA256 fingerprint: 1BC5 A61A 2C0C 0132 C52B 284F 3DA0 D8DA CF71 7A0F 6C1D DF81 D80B 36EE E444 2869

2.2.2 Replace

SHA1 fingerprint: A7C4 8FBE 6B02 6DBD 0EC1 B465 B88D D813 EE1D EFA0

by

SHA1 fingerprint: D8A8 3A64 117F FD21 94FE E198 3DD2 5C7B 32A8 FFC8


2.3 Do not update

As far as I know, the link <https://crl.cacert.org/class3-revoke.crl> has to stay untouched.


3. Make the new Class 3 Root certificate with serial number x14E228 used on our backend, in order for our members to be able to make their personal certificates signed by it. This is beyond the scope of this request and has probably already been done otherwise.
(0006006)
egal   
2021-05-21 21:25   
Please download the source-code using https://secure.cacert.org/src-lic.php

Extract the file /cacert/pages/index/3.php, do the changes in the HTML code there and attach this updated file (or a diff) to your (next) note regarding this bug so we can do the review ... ;-)

(If I do the changes, it will get complicated to get the necessary two reviews ... ;-( )
(0006007)
Golffies   
2021-05-21 21:49   
And who is going to push the new certificate files into https://www.cacert.org/certs/ ?
(0006008)
alkas   
2021-05-22 07:41   
3.php corrected according to 0001526~0006005 and 0001526~0006006
(0006009)
egal   
2021-05-22 11:30   
(Last edited: 2021-05-22 11:31)
As the diff only shows filename- and fingerprint-changes (and the fingerprints are the correct ones) the review is passed.

But ... as we already published the Class 3 certificate using the name class3_2021.crt, I suggest following this naming convention for the PEM, DER and TXT formats, so the diff should be:

$diff
33,35c33,35
<
  • <a href="certs/class3_2021.crt"><?=_("Intermediate Certificate (PEM Format)")?></a>

  • <
  • <a href="certs/class3_2021.der"><?=_("Intermediate Certificate (DER Format)")?></a>

  • <
  • <a href="certs/class3_2021.txt"><?=_("Intermediate Certificate (Text Format)")?></a>

  • ---
    >
  • <a href="certs/class3_X0E.crt"><?=_("Intermediate Certificate (PEM Format)")?></a>

  • >
  • <a href="certs/class3_X0E.der"><?=_("Intermediate Certificate (DER Format)")?></a>

  • >
  • <a href="certs/class3_X0E.txt"><?=_("Intermediate Certificate (Text Format)")?></a>
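Review bot: the `<` and `>` sides are reversed relative to the usual `diff old new`: the `<` lines carry the proposed class3_2021.* links and the `>` lines the current class3_X0E.* ones, so whoever applies this must read it as new-on-the-left or regenerate it with the file arguments swapped. It would also be worth pointing the three anchors at a stable alias (certs/class3.crt, .der, .txt) next to the year-stamped names, so the page does not need another edit at the next renewal.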

  • 37,38c37,38
    <
  • <?=_("SHA256 fingerprint:")?> 1BC5 A61A 2C0C 0132 C52B 284F 3DA0 D8DA CF71 7A0F 6C1D DF81 D80B 36EE E444 2869

  • <
  • <?=_("SHA1 fingerprint:")?> D8A8 3A64 117F FD21 94FE E198 3DD2 5C7B 32A8 FFC8

  • ---
    >
  • <?=_("SHA256 fingerprint:")?> F687 3D70 D675 96C2 ACBA 3440 1E69 738B 5270 1DD6 AB06 B497 49BC 5515 0936 D544

  • >
  • <?=_("SHA1 fingerprint:")?> A7C4 8FBE 6B02 6DBD 0EC1 B465 B88D D813 EE1D EFA0
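Review bot: the SHA256 and SHA1 values on the `<` side match the ones Golffies listed in note 0006005, but they should be confirmed against the attached certificate file rather than by eye, e.g. `openssl x509 -in CAcert_Class3Root_x14E228.crt -noout -fingerprint -sha256` (and `-sha1`), with `-serial` expected to show 14E228. These fingerprints are what users compare against when deciding whether to trust the download, so a transposed digit here is worse than a broken link.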

(0006013)
Golffies
2021-06-09 22:44
The reasons for choosing the name CAcert_Class3Root_x14E228.* are as follows:

CAcert Class3Root x14E228
|____| |________| |_____|
   |        |        |
   |        |        ---> the serial number identifies the
   |        |             certificate without ambiguity
   |        |
   |        ---> the full name of the certificate is the one found
   |             in the documentation = no ambiguity
   |
   ---> once downloaded, the CA should remain easy to identify
        alphabetically among other files
(0006014)
Ted
2021-06-12 20:59
As discussed in email communication, the naming scheme should be as proposed by @alkas.

Note that there is no technical reasoning; the idea is simply that the "long" naming scheme better identifies the file's content, for system management as well as for users who download the file.

If possible the files should also be accessible via the link https://www.cacert.org/certs/class3.*; the idea is that there is a fixed link which always points to the currently used class 3 certificate.

The review is a PASS (for both variants).


View Issue Details
ID: 1442
Category: [Main CAcert Website] misc
Severity: minor
Reproducibility: N/A
Date Submitted: 2018-10-20 20:57
Last Update: 2021-06-08 21:42
Reporter: Ted
Platform: Default
Assigned To: GuKKDevel
OS: any
Priority: high
OS Version: any
Status: needs review & testing
Product Version:
Product Build:
Resolution: duplicate
Projection: none
ETA: none
Fixed in Version:
Target Version:
Reviewed by:
Test Instructions:
Summary: Rewrite code to use ext/mysqli API (or PDO_MySQL) instead of ext/mysql
Description: As reported by Wytze in https://wiki.cacert.org/AGM/TeamReports/2018 :

[...] An upgrade to Debian Stable is not possible with the current PHP code base, due to its dependency on an obsolete mySQL database interface layer, which is not supported anymore in the PHP version bundled with Debian Stretch, the current Debian Stable.

Without the ability to upgrade the application platform to a well-maintained version of Debian, the Critical System Administrator Team will be unable to take responsibility in the near future for the safe and correct operation of CAcert's main server, the web application and database server.
Tags:
Steps To Reproduce:
Additional Information: Currently ext/mysql is used. A look at https://secure.php.net/manual/en/mysqlinfo.api.choosing.php seems to imply that ext/mysqli is more closely related to ext/mysql than the alternative PDO_MySQL.

If you think that migrating to PDO_MySQL is less work, you're welcome to do it; I've no strong feelings about this.
System Description: Default profile.
Attached Files: origin_release (88,558 bytes) 2018-10-26 17:56
http://bugs.cacert.org/file_download.php?file_id=433&type=bug
origin_bug-1260 (71,163 bytes) 2018-10-26 17:56
http://bugs.cacert.org/file_download.php?file_id=434&type=bug
diff-release-bug1442 (361,098 bytes) 2018-10-30 22:19
http://bugs.cacert.org/file_download.php?file_id=435&type=bug
diff-bug-1442-newTarballs (9,392 bytes) 2018-10-31 06:09
http://bugs.cacert.org/file_download.php?file_id=436&type=bug
Notes
(0005615)
GuKKDevel
2018-10-26 17:56
I did a text check for "mysql_" on the CAcert devel directory with release checked out, and a text check for "mysqli_" with bug-1260 checked out.
(0005618)
Ted
2018-10-28 21:41
We re-open this and use this case to handle only the mysql migration part of 0001260.
(0005624)
GuKKDevel
2018-10-30 22:19
I did some coding. All mysql_ statements were replaced by the corresponding mysqli_ statements.
(0005626)
GuKKDevel
2018-10-31 06:09
Adding files from new tarballs.
(0005685)
Ted
2018-11-18 14:45
GuKK, I noticed two typos:
- includes/notary.inc.php line 1202: mmysqli_query should probably start with only one "m"
- scripts/58at-ate-wien-mail.php.txt line 117: dto.
(0005689)
Ted
2018-11-26 22:48
bug-1442 is merged into the integration branch (resulting in branch test-1442) for testing. Currently test-1442 is installed on both the old and the new test servers (https://test.cacert.org/ and https://test3.cacert.org:14943/).

Note that test3 is not yet completely installed, so it's more for playing around. Test reports from test.cacert.org are welcome!
(0006012)
Ted
2021-06-08 21:42
The System Admin console was mostly broken; all actions which did write in table AdminLog did not work.

I located the problem in includes/notary.inc.php, function write_se_log. I'm not sure how this could happen (@GuKKDevel, maybe you can have a look?), but in fact an undefined function g() was called...

Committed the fix as bd240d31200c621c0c16381bd99b47b9b1a8d45c to bug-1442


View Issue Details
ID: 1529
Category: [Main CAcert Website] certificate issuing
Severity: minor
Reproducibility: have not tried
Date Submitted: 2021-06-01 07:20
Last Update: 2021-06-01 07:20
Reporter: alkas
Platform: Default
Assigned To:
OS: any
Priority: normal
OS Version: any
Status: new
Product Version:
Product Build:
Resolution: open
Projection: none
ETA: none
Fixed in Version:
Target Version:
Reviewed by:
Test Instructions:
Summary: Wiki: "Overview of CAcert Roots and Subroots" needs update for renewed Class3
Description: On the Wiki page
https://wiki.cacert.org/Roots/StateOverview
there is no entry for the renewed Class3.
Tags: Class 3, Overview, roots, subroots
Steps To Reproduce: See the page
https://wiki.cacert.org/Roots/StateOverview
Additional Information:
System Description: Default profile.
Attached Files:
There are no notes attached to this issue.


View Issue Details
ID: 1449
Category: [Main CAcert Website] source code
Severity: feature
Reproducibility: always
Date Submitted: 2018-11-11 19:02
Last Update: 2021-05-31 12:27
Reporter: bdmc
Platform:
Assigned To: bdmc
OS:
Priority: high
OS Version:
Status: needs work
Product Version:
Product Build:
Resolution: open
Projection: none
ETA: none
Fixed in Version:
Target Version:
Reviewed by:
Test Instructions:
    Summary: Move configuration from code to external file
    Description: Extract items that control operation of CAcert web site from source code into a file external to the web site.

    As Peter M. suggested, I am creating a file to contain a set of PHP define statements. These defines will allow changes to the operation of the web site.
    Tags:
    Steps To Reproduce:
    Additional Information:
    Attached Files:
    Notes
    (0005667)
    bdmc   
    2018-11-14 03:40   
    Here is a crude implementation of a configuration file. It should be named "config.php" and placed in the directory above "www" in the CAcert web site source tree.

    <?php
    /*
        LibreSSL - CAcert web application
        Copyright (C) 2004-2018 CAcert Inc.

        This program is free software; you can redistribute it and/or modify
        it under the terms of the GNU General Public License as published by
        the Free Software Foundation; version 2 of the License.

        This program is distributed in the hope that it will be useful,
        but WITHOUT ANY WARRANTY; without even the implied warranty of
        MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
        GNU General Public License for more details.

        You should have received a copy of the GNU General Public License
        along with this program; if not, write to the Free Software
        Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
    */

    // Deployment state of this installation
    define("PROD_STATE", "prod");

    // MySQL connection settings; this file is meant to live outside the repository
    define('MCONN_HOST', "127.0.0.1");
    define('MCONN_USER', "username");
    define('MCONN_PASS', "password");

    // Host names served by this installation
    define('NORMALHOSTNAME', "www.cacert.org" );
    define('SECUREHOSTNAME', "secure.cacert.org" );
    define('TVERIFY', "tverify.cacert.org" );

    // Recipient for test mails
    define('TEST_EMAIL_TO', "brianmccullough@cacert.org");
    (0005668)
    GuKKDevel   
    2018-11-14 14:02   
    I don't think this bug blocks bug 1260
    (0005672)
    bdmc   
    2018-11-14 17:59   
    I'm sorry. I don't understand. This bug is a child of bug 1260, and is intended to contribute to its correction.
    (0005676)
    Ted   
    2018-11-15 20:39   
    I agree with GuKK that this issue is a nice-to-have.
    It is not needed for the migration to the new PHP version; in fact, it is quite independent from it.

    Separating code from configuration information is preferred from a theoretical (or call it "aesthetic") point of view, but the code as it is now will not pose any problems on PHP 7, or am I overlooking something?

    IMHO your proposal also does not really improve the situation, since it is still implemented as a PHP file, which may be looked on as "code". If I understood Jan correctly, he'd prefer to have a plain text file to hold configuration information, like an *.INI file used on Windows. And this is how I also think about this topic.

    So I'd propose to remove the dependency on 0001260, and maybe lower the priority of this issue.
    (0005679)
    bdmc   
    2018-11-15 23:58   
    The solution shown here was intended as an interim change that was only part way toward the "correct" solution. It is expected to be replaced with an INI-file solution, but is a way to begin to remove sensitive information from the regular source tree. The config.php file was not expected to be added to the source code stored in the repository.
    (0005722)
    bdmc   
    2019-01-02 06:16   
    I have created a VM for myself to allow me to test code, in particular this, and have made progress with a proper Config class. More news to come.


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1260 [Main CAcert Website] source code block always 2014-03-19 10:39 2021-05-31 12:27
    Reporter: BenBE Platform:  
    Assigned To: BenBE OS:  
    Priority: urgent OS Version:  
    Status: needs work Product Version: 2014 Q1  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version: 2014 Q2  
    Reviewed by:
    Test Instructions:
    Summary: Make the source compatible with recent PHP versions
    Description: Make the source run at least with PHP 5.5 or more recent
    Tags:
    Steps To Reproduce:
    Additional Information: Current source presented by General Failure.
    Attached Files:
    Notes
    (0004872)
    wytze   
    2014-06-26 14:36   
    Just some samples of running against PHP 5.4 from Debian Wheezy:

    PHP Deprecated: mysql_escape_string(): This function is deprecated; use mysql_real_escape_string() instead. in /www/includes/lib/general.php on line 35, referer: https://cacert2.it-sls.de/index.php
    PHP Deprecated: mysql_escape_string(): This function is deprecated; use mysql_real_escape_string() instead. in /www/includes/lib/general.php on line 37, referer: https://cacert2.it-sls.de/index.php
    PHP Deprecated: mysql_escape_string(): This function is deprecated; use mysql_real_escape_string() instead. in /www/www/index.php on line 254, referer: https://cacert2.it-sls.de/index.php?id=4
    PHP Deprecated: mysql_escape_string(): This function is deprecated; use mysql_real_escape_string() instead. in /www/www/index.php on line 255, referer: https://cacert2.it-sls.de/index.php?id=4
    PHP Deprecated: mysql_escape_string(): This function is deprecated; use mysql_real_escape_string() instead. in /www/www/verify.php on line 104
    PHP Notice: Undefined index: oldlocation in /www/www/index.php on line 336, referer: https://cacert2.it-sls.de/index.php?id=4

    Even with PHP 5.3 on Debian Squeeze, quite a few warnings are already generated:

    PHP Deprecated: Function ereg() is deprecated in /www/www/gpg.php on line 461, referer: https://secure.cacert.org/gpg.php?id=0
    PHP Deprecated: Function ereg() is deprecated in /www/www/gpg.php on line 465, referer: https://secure.cacert.org/gpg.php?id=0
    PHP Deprecated: Function ereg() is deprecated in /www/www/gpg.php on line 483, referer: https://secure.cacert.org/gpg.php?id=0
    PHP Fatal error: Call to undefined function GetY() in /www/www/capnew.php on line 1011
    PHP Fatal error: Call to undefined function GetY() in /www/www/capnew.php on line 1011, referer: http://wiki.cacert.org/Assurance/CustomizedCAP/DE
    PHP Fatal error: Call to undefined method CAPPDF::AddSJISFont() in /www/www/capnew.php on line 1603
    PHP Warning: checkDebianVulnerability(): /usr/share/openssl-blacklist/blacklist.RSA-16384 is not readable. Unsupported key size? in /www/includes/lib/check_weak_key.php on line 335, referer: https://www.cacert.org/account.php
    PHP Warning: checkDebianVulnerability(): /usr/share/openssl-blacklist/blacklist.RSA-2432 is not readable. Unsupported key size? in /www/includes/lib/check_weak_key.php on line 335, referer: https://www.cacert.org/account.php
    PHP Warning: checkDebianVulnerability(): /usr/share/openssl-blacklist/blacklist.RSA-3072 is not readable. Unsupported key size? in /www/includes/lib/check_weak_key.php on line 335, referer: https://secure.cacert.org/account.php
    PHP Warning: checkDebianVulnerability(): /usr/share/openssl-blacklist/blacklist.RSA-3096 is not readable. Unsupported key size? in /www/includes/lib/check_weak_key.php on line 335, referer: https://secure.cacert.org/account.php
    PHP Warning: checkDebianVulnerability(): /usr/share/openssl-blacklist/blacklist.RSA-5024 is not readable. Unsupported key size? in /www/includes/lib/check_weak_key.php on line 335, referer: https://www.cacert.org/account.php
    PHP Warning: checkDebianVulnerability(): /usr/share/openssl-blacklist/blacklist.RSA-8092 is not readable. Unsupported key size? in /www/includes/lib/check_weak_key.php on line 335, referer: https://secure.cacert.org/account.php?id=10
    PHP Warning: checkDebianVulnerability(): /usr/share/openssl-blacklist/blacklist.RSA-8192 is not readable. Unsupported key size? in /www/includes/lib/check_weak_key.php on line 335, referer: https://www.cacert.org/account.php?id=5
    PHP Warning: DOMDocument::load(): CData section not finished\n<code>German version below</code>\nThere in /www/pages/index/feed.rss, line: 350 in /www/pages/index/0.php on line 41
    PHP Warning: DOMDocument::load(): CData section not finished\n[Translations Dutch, German and Spanish see bel in /www/pages/index/feed.rss, line: 89 in /www/pages/index/0.php on line 41
    PHP Warning: DOMDocument::load(): Document is empty in /www/pages/index/feed.rss, line: 1 in /www/pages/index/0.php on line 41, referer: https://secure.cacert.org/account.php?id=5
    PHP Warning: DOMDocument::load(): Premature end of data in tag channel line 11 in /www/pages/index/feed.rss, line: 197 in /www/pages/index/0.php on line 41
    PHP Warning: DOMDocument::load(): Premature end of data in tag creator line 197 in /www/pages/index/feed.rss, line: 197 in /www/pages/index/0.php on line 41
    PHP Warning: DOMDocument::load(): Premature end of data in tag encoded line 231 in /www/pages/index/feed.rss, line: 350 in /www/pages/index/0.php on line 41
    PHP Warning: DOMDocument::load(): Premature end of data in tag encoded line 73 in /www/pages/index/feed.rss, line: 89 in /www/pages/index/0.php on line 41
    PHP Warning: DOMDocument::load(): Premature end of data in tag item line 192 in /www/pages/index/feed.rss, line: 197 in /www/pages/index/0.php on line 41
    PHP Warning: DOMDocument::load(): Premature end of data in tag item line 212 in /www/pages/index/feed.rss, line: 350 in /www/pages/index/0.php on line 41
    PHP Warning: DOMDocument::load(): Premature end of data in tag item line 58 in /www/pages/index/feed.rss, line: 89 in /www/pages/index/0.php on line 41
    PHP Warning: DOMDocument::load(): Premature end of data in tag rss line 2 in /www/pages/index/feed.rss, line: 197 in /www/pages/index/0.php on line 41
    PHP Warning: DOMDocument::load(): Premature end of data in tag rss line 2 in /www/pages/index/feed.rss, line: 350 in /www/pages/index/0.php on line 41
    PHP Warning: DOMDocument::load(): Premature end of data in tag rss line 2 in /www/pages/index/feed.rss, line: 89 in /www/pages/index/0.php on line 41
    PHP Warning: DOMDocument::load(): Start tag expected, '<' not found in /www/pages/index/feed.rss, line: 1 in /www/pages/index/0.php on line 41
    PHP Warning: DOMDocument::load(): Unregistered error message in /www/pages/index/feed.rss, line: 197 in /www/pages/index/0.php on line 41
    PHP Warning: mysql_fetch_assoc() expects parameter 1 to be resource, boolean given in /www/includes/general.php on line 82, referer: https://secure.cacert.org/account.php
    PHP Warning: mysql_fetch_assoc() expects parameter 1 to be resource, boolean given in /www/includes/general.php on line 87, referer: https://secure.cacert.org/account.php
    PHP Warning: mysql_fetch_assoc() expects parameter 1 to be resource, boolean given in /www/includes/loggedin.php on line 46, referer: https://secure.cacert.org/account.php
    PHP Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in /www/includes/general.php on line 618, referer: https://www.cacert.org/account.php
    PHP Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in /www/includes/lib/general.php on line 41, referer: https://secure.cacert.org/account.php
    PHP Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in /www/includes/notary.inc.php on line 1291, referer: https://secure.cacert.org/account.php?id=50&userid=297249&csrf=25635229e752b5c92cadbb0eefb455ec&ticketno=a20140322.1
    PHP Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in /www/www/index.php on line 140, referer: https://www.cacert.org/index.php?id=5

    (0004925)
    felixd   
    2014-08-08 23:38   
    I have commits that are suitable for the "ereg" and "Undefined index: oldlocation" errors.

    https://github.com/yellowant/cacert-devel/commits/bug-1260


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1527 [Main CAcert Website] certificate issuing major always 2021-05-21 13:58 2021-05-24 16:29
    Reporter: alkas Platform: Default  
    Assigned To: OS: any  
    Priority: high OS Version: any  
    Status: confirmed Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by:
    Test Instructions:
    Summary: Debian package needs to be upgraded
    Description: Debian package ca-cacert (2019.0411-2) needs to be upgraded!
    (file ca-cacert_2019.0411-2_all.deb)
    Tags: ca-cacert, class3, debian-package
    Steps To Reproduce: 1. Download the file via https://packages.debian.org/sid/ca-cacert
    2. Unpack the file, locate CAcert roots
    3. Serial # of class3 is 0E. (and root - #0F is OK)
    4. Serial # of class3 should be 14E228.
    Additional Information:
    System Description Default profile.
    Attached Files:
    Notes
    (0006004)
    jandd   
    2021-05-21 16:59   
    @alkas the Debian package is not maintained by CAcert, please file a bug report against the Debian package using

    reportbug ca-cacert
    (0006010)
    alkas   
    2021-05-22 12:25   
    Already submitted:
    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988512
    contains:
    Debian Bug report logs - #988512
    ca-cacert: class3 certificate will expire soon (on May 20 17:48:02 2021 GMT)
    version graph
    Package: ca-cacert; Maintainer for ca-cacert is Dmitry Smirnov <onlyjob@debian.org>; Source for ca-cacert is src:ca-cacert (PTS, buildd, popcon).
    Reported by: Johannes Schulz <js@mailplus.co.at>
    Date: Fri, 14 May 2021 13:03:02 UTC
    Severity: normal
    Tags: patch
    Found in version ca-cacert/2019.0411-2
    From: Johannes Schulz <js@mailplus.co.at>
    To: Debian Bug Tracking System <submit@bugs.debian.org>
    Subject: ca-cacert: class3 certificate will expire soon (on May 20 17:48:02 2021 GMT)
    Date: Fri, 14 May 2021 14:58:33 +0200

    Package: ca-cacert
    Version: 2019.0411-2
    Severity: normal
    Tags: patch
    (...)
    Dear Maintainer,

    `openssl x509 -noout -enddate -in /usr/share/ca-certificates/CAcert/class3_X0E.crt`
    says: notAfter=May 20 17:48:02 2021 GMT

    cacert has recently issued a replacement which can be downloaded here:
            https://www.cacert.org/class3.crt

    See also http://blog.cacert.org/2021/05/re-signed-class-3-certificate-take-
    action-now/

    Please put the new certificate in the package.
    (...)
    (0006011)
    dops   
    2021-05-24 16:29   
    A debian bug is already filed as https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988512 . (As Debian packages must be signed by Debian people, CAcert can't provide this directly.)

    Any Debian developer around?


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1528 [Main CAcert Website] website content major always 2021-05-23 08:08 2021-05-23 08:08
    Reporter: alkas Platform: Default  
    Assigned To: OS: any  
    Priority: normal OS Version: any  
    Status: new Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by:
    Test Instructions:
    Summary: Fingerprints of the renewed Class 3 Root should be updated also in CAP forms
    Description: Fingerprints of the renewed Class 3 Root should be updated also in CAP forms
    Tags: CAP, class3, fingerprints
    Steps To Reproduce: Log in www.c.o, go to CAP forms, and download one.
    Additional Information:
    System Description Default profile.
    Attached Files:
    There are no notes attached to this issue.


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1517 [Main CAcert Website] website content feature always 2021-04-21 20:25 2021-05-11 19:30
    Reporter: jandd Platform: Main CAcert Website  
    Assigned To: egal OS: N/A  
    Priority: high OS Version: stable  
    Status: solved? Product Version:  
    Product Build: Resolution: fixed  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by: egal, Ted
    Test Instructions:
    Summary: Rewrite Rules for new class3 certificate
    Description: The new class3 certificate that has been issued on Monday 2021-04-19 contains the following URLs that need to be mapped on the main CAcert.org website:

    CRL URI: https://www.cacert.org/class3.crl
    CA Issuers: http://www.CAcert.org/class3.crt

    The first URL should be mapped to https://crl.cacert.org/class3-revoke.crl and the certificate itself should be made available as http://www.cacert.org/class3.crt.

    Please add the following RewriteRule in the https VirtualHost:

    Rewrite "^/class3.crl$" "/class3-revoke.crl" [PT]

    Please put the certificate cacert_2021.crt as class3_2021.crt into the $DOCUMENT_ROOT/certs folder and add the following RewriteRule in the http VirtualHost

    Rewrite "^/class3.crt$" "/certs/class3_2021.crt" [PT]
    Tags:
    Steps To Reproduce:
    Additional Information:
    System Description Production version of the CAcert website
    Attached Files:
    Notes
    (0005988)
    egal   
    2021-04-25 11:18   
    (Last edited: 2021-04-25 11:18)
    Tested in my test environment, Review successful
    (0005995)
    Ted   
    2021-05-09 10:03   
    (Last edited: 2021-05-09 18:55)
    Hmm, this is a pure config change, so maybe Software Development is (IMHO) not the ideal department to review it... But as we don't have any alternatives I'd agree that a review by Software Development is better than none.

    I have not evaluated the necessities of this change, but Jan's proposals sound plausible.

    I did not find a "Rewrite" directive in the Apache documentation at http://httpd.apache.org/docs/current/mod/mod_rewrite.html , so I have nothing to review this proposal against. In this context, the review is a FAIL.

    Assuming that I did overlook something and "Rewrite" is indeed some alias or abbreviation for the directive "RewriteRule", the rules are sensible, including the [PT] ("Passthrough") flag. For clarity it might be better to explicitly add the L ("last") flag, which is implied by [PT], so I'd propose to make it "[L,PT]" instead. But I don't consider this as critical.

    Evaluation of the flags was based on Apache's documentation at https://httpd.apache.org/docs/2.4/rewrite/flags.html
    (0005998)
    egal   
    2021-05-10 17:03   
    (Last edited: 2021-05-10 17:04)
    The following rules are already active on www.cacert.org to redirect CRL-requests:

      Redirect permanent /revoke.crl http://crl.cacert.org/revoke.crl
      Redirect permanent /class3-revoke.crl http://crl.cacert.org/class3-revoke.crl

    So we could avoid adding new redirection for CRL and/or CSR and simply use the existing ones.

    But ... we shouldn't forget to change https://www.cacert.org/index.php?id=3 to link to the new certificate
    (0006000)
    jandd   
    2021-05-11 07:04   
    @egal the existing ones do not cover the URLs mentioned in the new class3 certificate

    CRL URI: https://www.cacert.org/class3.crl
    CA Issuers: http://www.CAcert.org/class3.crt

    We need to make the CRL and certificate available at these places to allow validation by clients that use these certificate fields for discovery.

    @Ted you are right. It should be RewriteRule instead of Rewrite and [L,PT] is a good idea indeed
    (0006001)
    Ted   
    2021-05-11 07:11   
    So, for the "RewriteRule" directive this is a PASS from me.
    (0006002)
    egal   
    2021-05-11 08:33   
    No objection from my side
    (0006003)
    egal   
    2021-05-11 19:29   
    (Last edited: 2021-05-11 19:30)
    Added

      RewriteRule "^/class3.crl$" "/class3-revoke.crl" [L,PT]
      RewriteRule "^/class3.crt$" "/certs/class3_2021.crt" [PT]

    to all VirtualHosts in cacert.conf (after making a backup of original file).

    Installed resigned class3-certificate as

      class3_2021.crt

    Restarted Apache and verified downloads (successfully)


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1498 [Main CAcert Website] certificate issuing major always 2020-11-18 18:34 2021-05-11 08:57
    Reporter: alkas Platform: Default  
    Assigned To: OS: any  
    Priority: high OS Version: any  
    Status: new Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by:
    Test Instructions:
    Summary: Mail notices about downloading issued certs contains old roots' fingerprints
    Description: Here is an example:
    ---
    Hi Support,

    You can collect your certificate for kristen.lss.ie by going to the following location:

    https://www.cacert.org/account.php?id=15&cert=814814

    If you have not imported CAcert's root certificate, please go to:
    https://www.cacert.org/index.php?id=3
    Root cert fingerprint = A6:1B:37:5E:39:0D:9C:36:54:EE:BD:20:31:46:1F:6B
    Root cert fingerprint = 135C EC36 F49C B8E9 3B1A B270 CD80 8846 76CE 8F33

    Best regards
    CAcert.org Support!
    ---
    The "root cert fingerprints" do not agree with those published on the CAcert web (roots page), they are probably old ones.
    Tags: certificates
    Steps To Reproduce: See the example. It was captured today, 20201118, still 20210501
    Additional Information:
    System Description Default profile.
    Attached Files:
    There are no notes attached to this issue.


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1499 [Main CAcert Website] certificate issuing feature N/A 2020-12-25 08:55 2021-04-25 11:15
    Reporter: jandd Platform: Main CAcert Website  
    Assigned To: Ted OS: N/A  
    Priority: normal OS Version: stable  
    Status: solved? Product Version:  
    Product Build: Resolution: fixed  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by: egal
    Test Instructions: Apply the described procedures on a test system.
    Summary: Resign class3 CA certificate before May 2021
    Description: The current class3 CA certificate expires in May 2021. It should be renewed before expiry.
    Tags: certificates, signer
    Steps To Reproduce:
    Additional Information: instructions for renewal and a matching OpenSSL configuration file are attached to this ticket. Additional issues should be filed for adapting WebDB, mail templates, marketing material, monitoring and other places.

    The signer has openssl 0.9.8o and tests should be performed using an equally old version.
    System Description Production version of the CAcert website
    Attached Files: README.md (11,968 bytes) 2020-12-25 08:55
    http://bugs.cacert.org/file_download.php?file_id=488&type=bug
    sign_class3_ca.cnf (1,933 bytes) 2020-12-25 08:55
    http://bugs.cacert.org/file_download.php?file_id=489&type=bug
    Notes
    (0005948)
    jandd   
    2021-01-31 11:26   
    please review the attached README and openssl configuration
    (0005985)
    egal   
    2021-04-17 18:08   
    The process could be processed as described, but with the following change:

    No files should be copied TO the signer machine.

    Therefore:
    The existing signature config should be copied on the signer to the new name and modified to match the content of the config attached to this bug.
    (0005986)
    egal   
    2021-04-25 11:12   
    The new certificate was created during the visit at BIT datacenter on 2021-04-19.

    It's now in testing (e.g. installed) on our (internal) environment/servers.


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1438 [Main CAcert Website] certificate issuing minor always 2018-04-17 15:24 2021-04-25 11:15
    Reporter: wytze Platform: Default  
    Assigned To: egal OS: any  
    Priority: normal OS Version: any  
    Status: solved? Product Version: 2017 Q4  
    Product Build: Resolution: fixed  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version: 2017 Q4  
    Reviewed by: egal, Ted
    Test Instructions: See Steps To Reproduce
    Summary: CRLs published by CAcert do not contain the field "CRL number"
    Description: EBS EDI-Support <EDI-Support@eon.com> reported on April 16, 2018:

    the CRL which you are publishing at URL "http://crl.cacert.org/revoke.crl" is missing the field "CRL number".
    Therefore some applications might not validate the CRL correctly. Please add this field to the CRL. Thank you.
    Tags: certificates
    Steps To Reproduce: $ wget http://crl.cacert.org/revoke.crl
    $ openssl crl -in revoke.crl -inform der -noout -text -crlnumber | head

    Something like this will appear:
    crlNumber=<NONE>
    Certificate Revocation List (CRL):
            Version 2 (0x1)
        Signature Algorithm: sha512WithRSAEncryption
            Issuer: /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
            Last Update: Apr 17 14:28:54 2018 GMT
            Next Update: Apr 24 14:28:54 2018 GMT
    Revoked Certificates:
        Serial Number: 11
            Revocation Date: Apr 1 14:25:08 2003 GMT

    The crlNumber=<NONE> shows the problem.
    Additional Information: According to RFC 5280 (May 2008), section 5.2:
       Conforming CRL issuers are REQUIRED to include the authority key
       identifier (Section 5.2.1) and the CRL number (Section 5.2.3)
       extensions in all CRLs issued.

    The same requirement was already present in the predecessor of this RFC, namely RFC 3280 from April 2002, so it is somewhat surprising that this was never implemented in the CAcert signer.

    This can be fixed by adding the crlnumber field to the openssl profile used on the CAcert signer for generating CRLs. The openssl software used for this is capable of maintaining a serial number per CRL in a separate text file, see the documentation for 'openssl ca'.
    System Description Default profile.
    Attached Files: diff-openssl (588 bytes) 2018-05-29 10:02
    http://bugs.cacert.org/file_download.php?file_id=423&type=bug
    diff-class3 (586 bytes) 2018-05-29 10:02
    http://bugs.cacert.org/file_download.php?file_id=424&type=bug
    revoke.crl (332,445 bytes) 2018-06-06 09:29
    http://bugs.cacert.org/file_download.php?file_id=425&type=bug
    class3-revoke.crl (331,946 bytes) 2018-06-06 09:29
    http://bugs.cacert.org/file_download.php?file_id=426&type=bug
    testresult (958 bytes) 2018-06-06 10:51
    http://bugs.cacert.org/file_download.php?file_id=427&type=bug
    revoke-2.crl (332,445 bytes) 2018-06-07 21:03
    http://bugs.cacert.org/file_download.php?file_id=428&type=bug
    class3-revoke-2.crl (331,946 bytes) 2018-06-07 21:03
    http://bugs.cacert.org/file_download.php?file_id=429&type=bug
    testresult-2 (1,820 bytes) 2018-06-07 21:14
    http://bugs.cacert.org/file_download.php?file_id=430&type=bug
    diff-crlnumber-CA (132 bytes) 2018-06-13 22:10
    http://bugs.cacert.org/file_download.php?file_id=431&type=bug
    diff-crlnumber-class3 (132 bytes) 2018-06-13 22:10
    http://bugs.cacert.org/file_download.php?file_id=432&type=bug
    diff_Old_New (3,820 bytes) 2018-11-10 12:40
    http://bugs.cacert.org/file_download.php?file_id=447&type=bug
    diff_Old-Prod_Old-Test (2,686 bytes) 2018-11-10 12:40
    http://bugs.cacert.org/file_download.php?file_id=448&type=bug
    diff_New-Prod_New-Test (2,894 bytes) 2018-11-10 12:40
    http://bugs.cacert.org/file_download.php?file_id=449&type=bug
    Notes
    (0005584)
    wytze   
    2018-04-17 15:36   
    This can be tested with the signer installed on test.cacert.org.
    (0005591)
    GuKKDevel   
    2018-05-29 09:57   
    As the revoke request only uses one config file for each root cert for creating the CRL, only those two have to be changed.
     
    (0005592)
    GuKKDevel   
    2018-05-29 10:02   
    Also, in each cert directory (/etc/ssl/CA and /etc/ssl/class3) a file named crlnumber must be created containing a four-digit number (echo 1000 > crlnumber)
    (0005593)
    egal   
    2018-06-06 09:29   
    Expected test is not possible as test.cacert.org will redirect the CRL-download to Live-System.

    Test is only possible by accessing the test-server directly to get the CRLs for our test-environment.

    As this is not possible for testers, I added the created CRLs for today (2018-06-06) to this bug, so a tester may check the existence of the missing CRLNumber.

    In the next days I'll add another CRL-set so a tester can run its tests.
    (0005596)
    GuKKDevel   
    2018-06-06 10:51   
    tested: revoke.crl -> crlNumber=1249 (hex) -> X509v3 CRL Number: 4681 (dec)
    tested: class3-revoke.crl -> crlNumber=010008 (hex) -> X509v3 CRL Number: 65544 (dec)

    looks ok to me
    (0005598)
    egal   
    2018-06-07 21:03   
    Second set of CRLs as of today (2018-06-07).
    (0005599)
    GuKKDevel   
    2018-06-07 21:14   
    works for these CRLs also
    (0005600)
    Ted   
    2018-06-13 20:44   
    I just did some review of the proposed changes.

    The modification of the config files is ok, according to OpenSSL documentation, as well as according to tests I did in another environment.

    But for installation, a file containing the initial CRL number (probably 01 or 0100 or something similar) must be installed together with the change in the config file, otherwise the config option is ignored.

    ==> The diffs should include the "crlnumber" file with a convenient initial number

    ==> The current review status from me is FAILED
    (0005655)
    Ted   
    2018-11-05 21:53   
    I modified the openssl config files for all client certificates, so the test server is the CRL Distribution Point.

    Sadly, for server certificates the CRL Distribution Point is hardcoded in server.pl, and I don't want to change that without urgent need.
    (0005661)
    GuKKDevel   
    2018-11-10 12:40   
    As stated in https://bugs.cacert.org/view.php?id=1438#c5591, while revoking only two of the configuration files are used (openssl-client.cnf and class3-client.cnf).
    Therefore for this issue only those two had to be changed. Also the necessary file crlnumber had to be added in the corresponding subdirectories.

    attached diff: diff_Old-New

    control if production and test are congruent:
    diff_Old-Prod_Old-Test and diff_New-Prod_New-Test
    (0005664)
    Ted   
    2018-11-12 19:43   
    Hmm, the code in server.pl does not restrict revocations to those two specific configurations, but client.pl only requests those two.

    I'm tending towards making all configurations fit to be used for revocation, just to be on the safe side, but I'm not really decided yet...
    (0005975)
    egal   
    2021-04-05 17:55   
    reviewed the configuration change successfully:

    I don't have any objection adding these parameters to signer-configuration for two (or all) used root certificates
    (0005977)
    Ted   
    2021-04-11 12:57   
    I reviewed diff_Old_New once more, and now it is a PASS from me.
    (0005987)
    egal   
    2021-04-25 11:13   
    Patch installed on signer, new CRLs now contain a serial number
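
The check and the fix discussed in this ticket, as an added worked example (not CAcert's signer scripts, which the notes place under /etc/ssl/CA and /etc/ssl/class3 and which run openssl 0.9.8o): a throw-away CA is built once without and once with a crlnumber entry and file, so that `openssl crl -crlnumber` reports crlNumber=<NONE> for the first and a counting CRL Number for the second. The directory layout, section and file names, and the initial value 1000 (taken from note 0005592) are assumptions made for this demonstration; the example was written against current openssl, not 0.9.8o.

```shell
#!/bin/sh
# Added example, not CAcert's signer scripts: a throw-away CA whose openssl
# configuration names a "crlnumber" file, so every CRL it emits carries the
# X509v3 CRL Number extension that RFC 5280 section 5.2 requires.  Directory
# layout, section names and the initial value 1000 are assumptions made for
# this demonstration (the value follows note 0005592; the layout does not
# follow the signer's /etc/ssl/CA and /etc/ssl/class3 trees).
set -eu

# make_crl_ca DIR with|without
# Builds a self-signed CA in DIR.  "with" adds "crlnumber = $dir/crlnumber" to
# the ca section and seeds that file; "without" leaves the line out, which
# reproduces the kind of CRL the ticket complains about.
make_crl_ca() {
  dir=$1; mode=$2
  mkdir -p "$dir/newcerts"
  : > "$dir/index.txt"               # an empty certificate database is enough for -gencrl
  echo 01 > "$dir/serial"
  crlnumber_line=""
  if [ "$mode" = with ]; then
    echo 1000 > "$dir/crlnumber"     # hex; openssl ca increments it after each CRL
    crlnumber_line='crlnumber = $dir/crlnumber'
  fi
  # $dir inside the config is resolved by openssl; CRL_CA_DIR is passed in the
  # environment because openssl expands $ENV:: references when it loads the file.
  cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = crl_test_ca

[ crl_test_ca ]
dir              = \$ENV::CRL_CA_DIR
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_crl_days = 7
policy           = policy_any
$crlnumber_line

[ policy_any ]
commonName = supplied

[ req ]
distinguished_name = req_dn
prompt             = no

[ req_dn ]
CN = Example CRL Test CA
EOF
  CRL_CA_DIR=$dir openssl req -config "$dir/ca.cnf" -x509 -newkey rsa:2048 -nodes \
    -days 30 -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

# issue_crl DIR OUT: the "openssl ca -gencrl" call that produces a CRL from the
# CA in DIR, written in PEM form to OUT.
issue_crl() {
  CRL_CA_DIR=$1 openssl ca -config "$1/ca.cnf" -gencrl -out "$2" 2>/dev/null
}

# crl_number FILE: prints what "openssl crl -crlnumber" reports, i.e. the CRL
# Number in hex (a "0x" prefix printed by newer openssl is stripped so old and
# new versions compare alike) or "<NONE>" when the extension is absent.
crl_number() {
  openssl crl -in "$1" -noout -crlnumber | sed -e 's/^crlNumber=//' -e 's/^0x//'
}

main() {
  work=$(mktemp -d)
  make_crl_ca "$work/without" without
  issue_crl "$work/without" "$work/without.crl"
  echo "no crlnumber config: crlNumber=$(crl_number "$work/without.crl")"   # <NONE>
  make_crl_ca "$work/with" with
  issue_crl "$work/with" "$work/first.crl"
  issue_crl "$work/with" "$work/second.crl"
  echo "first CRL:           crlNumber=$(crl_number "$work/first.crl")"     # 1000
  echo "second CRL:          crlNumber=$(crl_number "$work/second.crl")"    # 1001
  echo "counter file now:    $(cat "$work/with/crlnumber")"                 # 1002
  rm -rf "$work"
}
main
```

For a production CRL fetched as DER, as in the Steps To Reproduce above, add -inform der to the openssl crl call. The counter file must exist before the first -gencrl: with current openssl, a config that names a crlnumber file which is missing makes openssl ca stop with an error instead of emitting a CRL, so the config change and the file go in together, as the review in note 0005600 asks. After each CRL, openssl ca rewrites the file with the next value and keeps the previous one as crlnumber.old.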


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1440 [Main CAcert Website] source code block N/A 2018-05-24 21:33 2021-04-13 10:09
    Reporter: GuKKDevel Platform:  
    Assigned To: Ted OS:  
    Priority: immediate OS Version:  
    Status: ready to deploy Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by: egal, Ted
    Test Instructions:
    Summary: link to EU-EEA-DataProtectionDeclaration
    Description: we need a link to the EU-EEA-DataProtectionDeclaration
    Tags: legal requirement
    Steps To Reproduce:
    Additional Information:
    Attached Files: diff-bug-1440-bug-1440 (1,000 bytes) 2018-10-31 23:34
    http://bugs.cacert.org/file_download.php?file_id=438&type=bug
    Notes
    (0005590)
    GuKKDevel   
    2018-05-24 21:55   
    https://github.com/CAcertOrg/cacert-devel/compare/release...GuKKDevel:bug-1440
    (0005623)
    Ted   
    2018-10-30 20:27   
    The target link is https://wiki.cacert.org/Privacy/EU-EEE-DataProtectionDeclaration

    The pages in the WiKi were created by Etienne, with some help of others.

    I asked Megan (our current Privacy Officer) for a statement, she confirmed that at least the English text is acceptable.

    Sent a Mail to Etienne asking about the current status, and his opinion on access restrictions on these pages.
    (0005625)
    Ted   
    2018-10-30 22:23   
    (Last edited: 2018-10-30 22:23)
    The fix is now installed on https://test.cacert.org and ready for testing.

    (0005627)
    GuKKDevel   
    2018-10-31 06:54   
    did a short test.
    irritating is that a certificate is asked for.
    after giving one (connected with an account), I am logged in to the wiki and the page is shown

    if I cancel the certificate question, the wiki page is shown

    question:
    can we at a later time integrate these pages into our online directory?
    or at least, is write access to these wiki pages restricted?
    (0005629)
    GuKKDevel   
    2018-10-31 13:43   
    tested with kubuntu 18.04 and firefox.
    same behavior with win10 and chrome
    same behavior with win10 and opera

    different behavior with win10 and firefox: there was no question for a certificate
    (0005630)
    L10N   
    2018-10-31 22:59   
    tested with Vivaldi 2.0 on Lubuntu 16.04 LTS
    it tells something about invalid certs, if I accept to proceed to an unsure site it works.
    If Vivaldi works this way, Chrome and Chromium will probably as well.
    (0005631)
    L10N   
    2018-10-31 23:12   
    Can the text of the link be changed from EU-EEE-DataProtectionDeclaration to EU-EEA-DataProtectionDeclaration?
    (This is a typo in the wiki URL, as EEA is the European Economic Area) - does the text appear on pootle and can it be corrected and translated there?
    (0005632)
    GuKKDevel   
    2018-10-31 23:34   
    did the source change
    (0005639)
    Golffies   
    2018-11-02 10:07   
    Test report:

    1. Tested URL: https://test.cacert.org

    2. Hyperlink to GDPR visible in the footer of the main page with the label "EU-EEE-DataProtectionDeclaration".

    3. Clicking on that link opens in the same window the page titled "PrivacyEU-EEE-DataProtectionDeclaration".
    That page lists 7 languages, of which 4 actually make a GDPR declaration available.

    4. Clicking on "english" opens in the same window the page titled "Data Protection Declaration for Users in EU & EEA". That page actually contains a declaration of CACert in regards of its users' rights and CACert's obligations under the general data protection regulation.

    5. Coming back to the page titled "Data Protection Declaration for Users in EU & EEA" and then clicking on "česky" or "deutsch" directs in a similar way to the same declaration translated into these respective languages.

    6. Coming back to the page titled "Data Protection Declaration for Users in EU & EEA" and then clicking on "italiano" directs in a similar way to the same declaration partially translated into Italian, part of the declaration being displayed in English still.

    7. Coming back to the page titled "Data Protection Declaration for Users in EU & EEA" and then clicking on "Български" or "français" or "nederlands" directs to empty pages (populated either by the generic message "This page does not exist yet." or by a message "translation to be completed").

    8. Conclusion: the patch works like it should work. Additional work has to be done for completing translations of the GDPR declaration, but this is not what the patch is involved in.

    9. Tested with Firefox Quantum 63.


    Miscellaneous: that test report was written as a matter of exercise for me, in order to find in the future a trade-off between the quality of software testing required by CACert's policy and the quantity of work it requires from the tester. Here, it might happen that the amount of paperwork coming with the patch acceptance far exceeds the quantity of work for writing the patch itself.

    May it be enough for a second confirmation test by someone else to state that the same behaviour would have been observed, without more details? I hope so, in order to save the time of the next tester.
    (0005640)
    GuKKDevel   
    2018-11-02 11:02   
    if the new diff (https://bugs.cacert.org/view.php?id=1440#c5632; EU-EEE-DataProtectionDeclaration to EU-EEA-DataProtectionDeclaration) is installed, the wiki-page(s) must be renamed:
    PrivacyEU-EEE-DataProtectionDeclaration to PrivacyEU-EEA-DataProtectionDeclaration
    (0005656)
    L10N   
    2018-11-05 23:43   
    The following links are now changed:
    https://wiki.cacert.org/Privacy/EU-EEA-DataProtectionDeclaration
    https://wiki.cacert.org/Privacy/EU-EEA-DataProtectionDeclaration/CZ
    https://wiki.cacert.org/Privacy/EU-EEA-DataProtectionDeclaration/DE
    https://wiki.cacert.org/Privacy/EU-EEA-DataProtectionDeclaration/EN
    https://wiki.cacert.org/Privacy/EU-EEA-DataProtectionDeclaration/FR
    https://wiki.cacert.org/Privacy/EU-EEA-DataProtectionDeclaration/NL
    https://wiki.cacert.org/Privacy/EU-EEA-DataProtectionDeclaration/IT
    including the internal links on the top of each page.
    (0005659)
    GuKKDevel   
    2018-11-06 10:54   
    L10N proposed to solve bug-1423 in the same test as bug-1440;

    If you are changing the data protection link on the Cacert.org page anyway,
    could you also remove, one line above that in the sponsor logos at the Open
    Network Architecture logo, the link to
    http://www.openarchitecturenetwork.org/ ?

    The network no longer exists and the link is redirected to a bank in
    Singapore with which CAcert has no relationship. That would also resolve
    https://bugs.cacert.org/view.php?id=1423 at the same time.

    The branch is created and updated
    (0005839)
    sss   
    2019-09-21 15:44   
    tested on:
    mozilla firefox 69.0.
    I do not have a wiki account yet.
    certificate requested on click (but it looks like it is not requested anymore after I logged in to mantis).
    I do not see a problem in certificate requesting, but if anonymous access to this page must be provided, the page should be displayed too in case no login certificate is provided.
    (0005840)
    sss   
    2019-09-21 15:46   
    I have logged out from mantis and retried the test; the certificate is not requested anymore.
    (0005841)
    sss   
    2019-09-21 15:48   
    certificate requested again after browser restart, page works in both cases:
    1. if I provide a login certificate
    2. if I decline and do not provide a login certificate
    (0005842)
    SaT   
    2019-09-21 18:18   
    Tested with FF 69.0 (64 bit) on Linux Mint 19.2. I have a Wiki account.
    I started FF and clicked the link, got a client cert dialog. I pressed ESC and got to the Wiki. Clicked "deutsch" and got to Datenschutzerklärung without another client cert dialog.
    I restarted FF and clicked the link, this time I chose my certificate and got into the Wiki (login successful).
    I restarted FF a third time and opened the link as HTTP. The Wiki link is HTTPS, so it will always request a client cert.

    I'm ok with this behaviour (as the privacy declaration can be accessed without certificate).
    You could improve it only if the Wiki would allow HTTP and had no Strict-Transport-Security header.
    (0005843)
    SaT   
    2019-09-21 18:33   
    Now tested on my LineageOS 14.1 phone (1080 x 1920). I have CAcert root certs installed.
    First with FF 68.1.1: Works without client cert dialog, I get to the privacy declaration with 2 clicks.
    Strange: Android browser shows the welcome page, but when I click the link it loads the Wiki, but does not display it. There is still the welcome page displayed.
    I guess this is an Android/LineageOS issue and no CAcert bug.
    (0005849)
    Ted   
    2019-10-02 19:26   
    So, I take these test reports to mean that this procedure is acceptable. So now, reviews must be done (by the Software Assessors)...
    (0005973)
    egal   
    2021-04-05 17:38   
    review passed when using the code from test-server:
      <div id="siteInfo">
            <a href="//wiki.cacert.org/FAQ/AboutUs"><?=_("About Us")?></a> | <a href="/index.php?id=13"><?=_("Donations")?></a> | <a href="http://wiki.cacert.org/wiki/CAcertIncorporated"><?=_("Association Membership")?></a> |
            <a href="/policy/PrivacyPolicy.html"><?=_("Privacy Policy")?></a> |
            <a href="https://wiki.cacert.org/Privacy/EU-EEA-DataProtectionDeclaration"><?=_("EU-EEA-DataProtectionDeclaration")?></a> |
            <a href="/index.php?id=51"><?=_("Mission Statement")?></a> | <a href="/index.php?id=11"><?=_("Contact Us")?></a> |
            ©2002-<?=date("Y")?> <?=_("by CAcert")?></div>
    </div>
    (0005978)
    Ted   
    2021-04-11 14:31   
    Rebased bug-1440 to the current release branch.

    Compared commits d328ebd6ad641a9caf4c80208a14d3b8f768edc0 (release) to cc57914d34e703c2abd085757bd91d9d6313e92e. The review is PASSED.

    I noticed that https://wiki.cacert.org/Privacy/EU-EEA-DataProtectionDeclaration/DE (and probably the translations as well) need an update to the new (swiss based) address of CAcert Inc, but this does not prevent the review.
    (0005979)
    Ted   
    2021-04-11 16:08   
    Patch request sent to critical team.
    (0005980)
    jandd   
    2021-04-12 07:41   
    @Ted where can I find a git branch containing commit cc57914d34e703c2abd085757bd91d9d6313e92e ? I would like to discuss how we do branching/releasing correctly and most importantly in a traceable manner in the future. Sending around individual patches may not be the best way to do this.
    (0005981)
    Ted   
    2021-04-12 16:10   
    (Last edited: 2021-04-12 16:11)
    @jandd You can use "git show cc57914d34e703c2abd085757bd91d9d6313e92e" to get details on the commit (for example the branches where this commit is included),
    you can use "git checkout cc57914d34e703c2abd085757bd91d9d6313e92e" to get the code status after this commit, and you can use it as one parameter for "git diff".

    With Git Extensions you can explicitly search for the commit.

    For github.com I did not find a way to easily search for a commit id (without knowing its branch)...

    Does this answer your immediate question?

    As I understand it, the commit id is one reliable mechanism to refer to a specific code state in git.
    I'm very open to discuss alternatives to my current processes, but I guess this case is not the ideal place to do so... Should we try on cacert-devel@lists.cacert.org ?
    (0005982)
    jandd   
    2021-04-13 10:09   
    I just was not aware that searching for commit ids does not work on github. https://github.com/CAcertOrg/cacert-devel/compare/bug-1440 shows the change. Sorry for the noise :-)

    git branch -a --contains cc57914d34e703c2abd085757bd91d9d6313e92e

    showed me the relevant branch.


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    813 [Infrastructure] General feature sometimes 2010-03-26 16:00 2021-04-05 18:07
    Reporter: jomat Platform:  
    Assigned To: OS:  
    Priority: normal OS Version:  
    Status: new Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Summary: rDNS of IPv6 for mailserver
    Description: Hi!

    I can't receive emails of your server. This is the log:

    Mar 26 16:41:24 myserver postfix/smtpd[32234]: warning: 2001:7b8:3:9c::245: address not listed for hostname www.cacert.org
    Mar 26 16:41:24 myserver postfix/smtpd[32234]: connect from unknown[2001:7b8:3:9c::245]
    Mar 26 16:41:24 myserver postfix/smtpd[32234]: NOQUEUE: reject: RCPT from unknown[2001:7b8:3:9c::245]: 450 4.7.1 Client host rejected: cannot find your hostname, [2001:7b8:3:9c::245]; from=<returns@cacert.org> to=<webmaster@mydomain.com> proto=SMTP helo=<hlin.cacert.org>
    Mar 26 16:41:24 myserver postfix/smtpd[32234]: disconnect from unknown[2001:7b8:3:9c::245]

    Johannes
    Tags:
    Steps To Reproduce:
    Additional Information:
    Attached Files:
    There are no notes attached to this issue.
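    The log above is a forward-confirmed reverse DNS (FCrDNS) failure: the PTR for 2001:7b8:3:9c::245 names www.cacert.org, but the AAAA records of that name do not list the address, so Postfix treats the client as "unknown" and its client-hostname restriction rejects the RCPT with a temporary 450. The following is an added example, not CAcert or Postfix code: it performs the same check against constructed PTR and A/AAAA lookup tables (the addresses other than the one in the report are made up) and parses the reject line out of the Postfix smtpd log excerpt quoted in the report. The helper names are this example's own.

```python
"""Forward-confirmed reverse DNS (FCrDNS) as a receiving MTA applies it.

Added illustration (not CAcert or Postfix code) of the check behind the
"address not listed for hostname" warning above, plus a parser that pulls
the rejected client out of Postfix smtpd log lines. The DNS answers are
constructed lookup tables standing in for live PTR and A/AAAA queries.
"""
import ipaddress
import re

# Constructed DNS data. The PTR for the IPv6 client names www.cacert.org, but
# that name's AAAA record lists a different address, so the forward check fails.
PTR_RECORDS = {
    "2001:7b8:3:9c::245": "www.cacert.org",
    "192.0.2.10": "mx.example.net",
}
FORWARD_RECORDS = {
    "www.cacert.org": ["2001:7b8:3:9c::f00"],  # constructed; ::245 is missing
    "mx.example.net": ["192.0.2.10"],
}


def fcrdns(ip, ptr=PTR_RECORDS, forward=FORWARD_RECORDS):
    """Return (hostname, verdict); verdict is 'ok', 'no-ptr' or 'not-listed'.

    Addresses are compared as ip_address objects so that an expanded or
    zero-padded IPv6 spelling matches its compressed form.
    """
    addr = ipaddress.ip_address(ip)
    ptr_table = {ipaddress.ip_address(k): v for k, v in ptr.items()}
    name = ptr_table.get(addr)
    if name is None:
        return None, "no-ptr"          # no reverse mapping at all
    listed = {ipaddress.ip_address(a) for a in forward.get(name, [])}
    if addr not in listed:
        return name, "not-listed"      # PTR exists, forward lookup does not confirm it
    return name, "ok"


REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<dsn>\S+) (?P<reason>[^;]+);.*helo=<(?P<helo>[^>]*)>"
)


def parse_rejects(lines):
    """Extract client IP, SMTP code, enhanced status code, reason and HELO from reject lines."""
    rejects = []
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            rejects.append(m.groupdict())
    return rejects


# Log excerpt taken from the report above (non-reject lines are ignored by the parser).
SAMPLE_LOG = [
    "Mar 26 16:41:24 myserver postfix/smtpd[32234]: warning: 2001:7b8:3:9c::245: address not listed for hostname www.cacert.org",
    "Mar 26 16:41:24 myserver postfix/smtpd[32234]: connect from unknown[2001:7b8:3:9c::245]",
    "Mar 26 16:41:24 myserver postfix/smtpd[32234]: NOQUEUE: reject: RCPT from unknown[2001:7b8:3:9c::245]: 450 4.7.1 Client host rejected: cannot find your hostname, [2001:7b8:3:9c::245]; from=<returns@cacert.org> to=<webmaster@mydomain.com> proto=SMTP helo=<hlin.cacert.org>",
    "Mar 26 16:41:24 myserver postfix/smtpd[32234]: disconnect from unknown[2001:7b8:3:9c::245]",
]


def explain_rejects(lines, ptr=PTR_RECORDS, forward=FORWARD_RECORDS):
    """For each reject, re-run the FCrDNS check on the client address."""
    return [(r["ip"], r["code"], *fcrdns(r["ip"], ptr, forward)) for r in parse_rejects(lines)]


if __name__ == "__main__":
    for ip, code, name, verdict in explain_rejects(SAMPLE_LOG):
        print(f"{ip}: SMTP {code}, PTR={name}, FCrDNS={verdict}")
```

    The fix belongs on the sending side: either the AAAA set of the name the PTR returns must include the IPv6 address the MTA connects from, or the PTR must be changed to a name that does resolve back to it. A 4xx code means the sender will keep retrying, so the queue on the sending host is where the symptom first shows up.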


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1287 [Main CAcert Website] block N/A 2014-06-27 22:35 2021-04-05 18:04
    Reporter: olea Platform:  
    Assigned To: OS:  
    Priority: normal OS Version:  
    Status: new Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by:
    Test Instructions:
    Summary: Inclusion in Fedora of CAcert root cert
    Description: CAcert root certificate can't be included into Fedora due to legal requirements.

    Citing Spot:

    «It seems clear from the lack of response to my query that no one from CAcert that is posting on this ticket is a lawyer.

    »Red Hat has lawyers who review license issues, whether they be on content, code, certificates, or greased ferrets. They've reviewed the CAcert terms and advised us that they do not meet the minimum requirements for Fedora to include them.

    »If there is an actual lawyer on the CAcert side who would be willing to correspond with Red Hat Legal on this issue, please feel free to either have them reach out to me, or send me their contact information and I will be sure to connect them with Red Hat Legal.»

    https://bugzilla.redhat.com/show_bug.cgi?id=474549#c59

    I'm open to help some qualified one to discuss this with the Fedora/Redhat team.
    Tags:
    Steps To Reproduce:
    Additional Information:
    Attached Files:
    There are no notes attached to this issue.


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1423 [Main CAcert Website] website content trivial always 2017-02-16 09:30 2021-04-05 17:31
    Reporter: L10N Platform: Default  
    Assigned To: Ted OS: any  
    Priority: normal OS Version: any  
    Status: needs review Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by:
    Test Instructions:
    Summary: Link to an Asian Loan Bank
    Description: On the bottom of cacert.org are some logos with links to these organisations as bit, tunix, nlnet, but also open architecture network. The open architecture network does not exist anymore and the url is redirected to a loan bank institute in Singapore (https://easycredit.com.sg/moneylenders/).

    A. The OAN logo should be removed.
    B. If the bank pays some subsidies to CAcert, the logo should be replaced by their own logo.
    Tags:
    Steps To Reproduce:
    Additional Information:
    System Description Default profile.
    Attached Files: sponsorinfo.php (744 bytes) 2020-08-10 14:17
    http://bugs.cacert.org/file_download.php?file_id=483&type=bug
    Notes
    (0005540)
    Eva   
    2017-03-10 18:18   
    I confirm that the link is pointing to a bank, now, which does not seem to have a specific relation to the original project. Further a quick search of mine did not provide any indication that the project continues to be active, but the search was not in depth.

    However I believe that about adding and removing of sponsors, board should decide. I advise to request for a confirmation that this should be done by board, before such a fix is done. They also should be those who know if it would be correct to remove the link or to let it point to a new destination of the project (or the correct destination of the bank, but I doubt that).
    (0005541)
    Eva   
    2017-03-10 18:43   
    I asked board via public mail how the correct solution would look like:
    a) deleting the complete link, including the logo
    b) fixing the link to a new location
    c) changing the link to directly point to that bank, with correct logo
    (probably not desired)
    (0005657)
    L10N   
    2018-11-06 00:05   
    The solution should be: remove the link from the logo. The logo itself can remain for the moment (until board decided how to deal with these logos).
    (0005658)
    L10N   
    2018-11-06 00:06   
    This problem could be solved together with 0001440. GuKK Devel, can you do that? I am willing to review.
    (0005846)
    Ted   
    2019-09-26 20:43   
    Branch bug-1423 is now merged into the testserver installation and can be tested.

    Test is quite easy: verify that the Open Architecture Logo is removed from the bottom of the start page https://test.cacert.org/
    Maybe verify that the logo is on no other page.
    (0005847)
    L10N   
    2019-09-26 22:26   
    I tested it:
    1. Opened https://test.cacert.org/
    2. scrolled down
    3. did see 3 logos, but not that one from OpenArchitecture.

    -> OK
    (0005848)
    GuKKDevel   
    2019-09-27 09:28   
    opened test.cacert.org
    got the main page with logo of openarchitecture not shown.

    looks as expected --> OK
    (0005850)
    Ted   
    2019-10-02 19:28   
    Minimum test reports are reached (which should be enough for such a simple change, but don't hesitate to post your report nevertheless!), so I'm putting this in status "needs review"...
    (0005904)
    L10N   
    2020-08-10 12:23   
    I completely forgot that I had already tested it and did it again in code on behalf of whatever:
    - replaced the link from OpenArchitecture
    - added another logo (Cacert) with Link to our wiki page with the smaller sponsors
    /includes/sponsorinfo.php
    (0005905)
    L10N   
    2020-08-10 12:31   
    I completely forgot that I had already tested it and did it again in code on behalf of egal:
    - removed the broken link from OAN
    - added another logo (CAcert) with link to the wikipage with other sponsors

    /includes/sponsorinfo.php
    (0005906)
    L10N   
    2020-08-10 12:51   
    Egal asked me to do that (and I didn't remember, that it was already done and I was one of the reviewers). In the attached code is a difference:
    - broken link removed (similar)
    - new CAcert logo added with link to wiki sponsor page
    /includes/sponsorinfo.php
    (0005907)
    L10N   
    2020-08-10 14:17   
    Egal asked me to do that (and I didn't remember, that it was already done and I was one of the reviewers). In the attached code is a difference:
    - broken link removed (similar)
    - new CAcert logo added with link to wiki sponsor page
    /includes/sponsorinfo.php
    (0005972)
    egal   
    2021-04-05 17:31   
    sponsorinfo on testserver is different to the attached one:

        <img class="sponsorlogo" src="/images/oan.png" alt="[OAN logo]" border="0"></a>
        <a href="http://wiki.cacert.org/FAQ/AboutUs/History#Sponsors" target="_blank"><img class="sponsorlogo" src="/images/cacert4.png" alt="[OAN logo]" border="0"></a>

    To fix:
    OAN image should be removed, too
    Sponsor-Logo for the link to wiki should not be CAcert (maybe completely remove the image and add "more" (or another text) for the link)
    If an Image should be kept, please adjust the alt-text


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1510 [Main CAcert Website] certificate issuing major always 2021-03-12 18:18 2021-03-12 18:18
    Reporter: alkas Platform: Default  
    Assigned To: OS: any  
    Priority: normal OS Version: any  
    Status: new Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by:
    Test Instructions: see above
    Summary: Browsers Basilisk and Palemoon are unable to produce a valid CSR, at least on Windows 10
    Description: There were updates to the both named browsers yesterday (20210311). After that, no valid CSR could be produced for client certificates using Basilisk or Palemoon browser, under the Windows 10 OS (Insider last Build 21301, dated 20210123). The Seamonkey browser (with no updates) worked OK.
    So I would like to recommend to implement the CAcert web update proposal suggested in the problem 1502--5956 ASAP. There is a possibility that after the Seamonkey browser is next updated, it will also lose the ability to produce a valid CSR.
    Tags: Basilisk, browsers, client certificate, issuing, Palemoon
    Steps To Reproduce: Try to create a new client certificate using Palemoon or Basilisk browser. You will end with the well known error message "...use another browser."
    Additional Information:
    System Description Default profile.
    Attached Files:
    There are no notes attached to this issue.


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1505 [Main CAcert Website] certificate issuing major always 2021-02-05 17:28 2021-03-08 13:52
    Reporter: alkas Platform: Default  
    Assigned To: Ted OS: any  
    Priority: normal OS Version: any  
    Status: new Product Version:  
    Product Build: Resolution: reopened  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by:
    Test Instructions:
    Summary: The main web, the "New Client Certificate" page, refers to the controversial Wiki article
    Description: The page in question is "https://secure.cacert.org/account.php?id=3" with the "Advanced settings" checkbox checked.
    On the page, you can see the "Add SSO ID" checkbox with some text and the link "http://wiki.cacert.org/wiki/SSO". The very first sentence of the referred article is: "This page needs to document SSO or it will be removed!!!!" !
    That Wiki page should describe the SSO capability of certificates, as a user can expect.
    Tags: new client certificate, SSO, Wiki
    Steps To Reproduce: Try to create a new client certificate. Find and use the link stated above. Read and evaluate the Wiki article.
    Additional Information:
    System Description Default profile.
    Attached Files:
    Notes
    (0005958)
    alkas   
    2021-02-14 17:36   
    Added 2 proposals for an article about SSO with client certificate: SSO2 and SSO2/CZ. Please read and comment those. AK
    (0005960)
    bdmc   
    2021-03-03 13:08   
    I agree with the assessment of the original "SSO" Wiki page. After reviewing Ales' new version of a page, a very comprehensive description of SSO and its relationship to Certificates, I recommended that the two pages be swapped, preserving the original, but replacing it so that the link in the Advanced Options gives useful information.
    (0005961)
    alkas   
    2021-03-03 18:36   
    Done.
    (0005962)
    Ted   
    2021-03-08 13:51   
    Spam...
    (0005963)
    Ted   
    2021-03-08 13:52   
    Sorry, wrong case...


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1506 [Main CAcert Website] web of trust feature N/A 2021-02-13 17:17 2021-02-20 04:19
    Reporter: Ted Platform:  
    Assigned To: japh OS:  
    Priority: normal OS Version:  
    Status: new Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by:
    Test Instructions:
    Summary: Implement some notification for Assurers to destroy CAP forms 7 years after an Assurance
    Description: Since we came to the conclusion that CAP forms should be destroyed 7 years after an Assurance (see <https://wiki.cacert.org/AssuranceHandbook2#What_about_that_CAP_form.3F> and <https://blog.cacert.org/2021/01/destroying-the-cap-form/>), @japh has proposed to implement a notification mechanism to assist Assurers with this.

    Several options seem to be available, including but not limited to:
    - Notification by e-mail
    - Notification on the web page when logging in to the CAcert account

    We should try to collect more detailed requirements and specifications here before starting implementation.
    Tags:
    Steps To Reproduce:
    Additional Information:
    Attached Files:
    Notes
    (0005959)
    japh   
    2021-02-20 04:19   
    Proposed changes:

    comments and suggestions welcome!

    1. prepare a standard email template
        - include placeholders for recipient and perhaps the number of expired
            assurances since last login or last reminder
        - should be as succinct / concise as possible
        - e.g.
                <number> of your CAcert assurances have recently passed their required
                7 year retention age.
                In the interests of data security (e.g. GDPR), please destroy any
                CAP forms in your possession which are older than 7 years.
        - inform the assurer that they can change their reminder preference via
            their cacert.org "My Alert Settings" page.
        - the reminder email should NOT contain any personal information
            (except the recipient's email (and name?))
        - don't assume english - use `users.language` to automatically select
            appropriate language?
        - reminder text should be available in all supported languages (help needed!)

    2. add a new alert preference flag, e.g. `alerts.cap_expiry`
        - only relevant => visible for assurers, via their "My Alert Settings" page
        - when set, allow CAcert to send a reminder email when assurances made by
            the assurer have "recently become 7 year old" (expired)
        - allows at most e.g. 1 reminder email per month
        - default 'on' for existing members? (otherwise we wouldn't send any reminders)
            OR, set default NULL, send exactly 1 reminder if the flag is NULL and
            then automatically set the flag to "off".
            This would mean that active assurers are informed that they can opt-in
            to getting reminders emails.
            Inactive assurers get a one-off reminder and then automatically return
            to being inactive. i.e.: no need for them to do anything to remain inactive.

    3. write a new script to send reminders, based on existing notification scripts.
        - may be run daily (for 1/28'th of the assurers) or monthly (over all assurers)
        - identify expired assurances by comparing `notary.date`, `notary.when`
            or `notary.expire` against "now - 7 years"
            (which field would be most appropriate?)
        - DO NOT send emails to assurers who received a reminder recently, or
            logged in since the most recent assurance expiry
        - appropriate fields to check?
                users.lastLoginAttempt
                notary.date
                notary.when
                notary.expiry
        - add new date record
                e.g.: users.last_cap_expiry_reminder (date)
        - query to find people to send reminder to:
                e.g.: (sample only)

                    -- sample only. GREATEST() is the scalar maximum in MySQL/MariaDB
                    -- (MAX() is an aggregate and takes one argument); COALESCE() keeps
                    -- users who were never reminded or never logged in from dropping out
                    -- with a NULL reference date; `from` is a reserved word and must be quoted.
                    with
                    cutoff as (
                        select
                            users.id,
                            greatest(
                                coalesce( users.last_cap_expiry_reminder, '1970-01-01' ),
                                coalesce( users.lastLoginAttempt, '1970-01-01' )
                            ) as last_reminder
                        from users
                        )
                    select
                        users.email,
                        count(*) as num_expired
                    from
                        users
                        join notary on notary.`from` = users.id
                        join cutoff on cutoff.id = users.id
                    where
                        -- correct reference date?
                        -- notary.date
                        -- or notary.when
                        -- or notary.expired
                        -- assurance is already 7 years old ...
                        notary.date <= date_sub( now(), interval 7 year )
                        -- ... and crossed the 7 year mark after the last reminder / login
                        and notary.date > date_sub( cutoff.last_reminder, interval 7 year )
                    group by
                        users.email

    4. add a prominent reminder to login pages
            e.g.:
                https://secure.cacert.org/account.php
                https://secure.cacert.org/account.php?id=36 ("My Alert Settings" page)
                https://secure.cacert.org/wot.php?id=10 ("My Points" page - add new column "Destroy CAP Form (y/n)" ?)
        - use text similar to the reminder email
        - only display reminder if assurances have expired since the last login
            assume that emails have been lost in transit
            or provide positive confirmation that the email received was not sent
            erroneously / maliciously
        - use similar query to above, but only check last login date
        - ignore logins on same day, i.e.: prevent edge case of
            failed/short/interrupted login automatically cancelling the UI reminder.
            Keyword: "de-bounce"
        - I do not envision a requirement for assurers to confirm CAP form destruction


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1507 [Main CAcert Website] web of trust tweak always 2021-02-20 00:59 2021-02-20 00:59
    Reporter: japh Platform: Main CAcert Website  
    Assigned To: japh OS: N/A  
    Priority: normal OS Version: stable  
    Status: new Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by:
    Test Instructions:
    Summary: Replace "should" with "must" in statements regarding deletion of CAP forms after 7 years
    Description: The GDPR requires that all unnecessary documentation be destroyed within a reasonable amount of time.
    To clarify this, all statements regarding the destruction of CAP forms should use an imperative statement, instead of the current implicit statements. This includes the statements on the CAP forms themselves.

    In other words: "the CAP forms must be destroyed after 7 years" instead of "the CAP forms should (or may) be destroyed after 7 years".

    See also:
    issue 0001506
    https://blog.cacert.org/2021/01/destroying-the-cap-form/
    https://wiki.cacert.org/AssuranceHandbook2#What_about_that_CAP_form
    Tags:
    Steps To Reproduce:
    Additional Information:
    System Description Production version of the CAcert website
    Attached Files:
    There are no notes attached to this issue.


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1482 [Main CAcert Website] General block N/A 2020-06-27 09:30 2021-02-04 08:02
    Reporter: SaT Platform: Default  
    Assigned To: jandd OS: any  
    Priority: urgent OS Version: any  
    Status: fix available Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by:
    Test Instructions:
    Summary: Limit validity period of new HTTPS certificates to one year
    Description: According to the German article from Heise (1), most browser manufacturers will not accept HTTPS certificates anymore after September 1, 2020, if they have a validity period longer than one year. This article mentions other sources from Apple (2) and Google (3) regarding this decision.

    CAcert should respect this constraint when issuing SSL server certificates. It could be hard-coded, or the user may be able to select if the certificate has a validity period of e.g. 6 months, 1 year or 2 years.

    (1) https://www.heise.de/news/Browser-Hersteller-verkuerzen-Zertifikats-Lebensdauer-auf-1-Jahr-4796599.html
    (2) https://support.apple.com/en-us/HT211025
    (3) https://chromium.googlesource.com/chromium/src/+/ae4d6809912f8171b23f6aa43c6a4e8e627de784
    Tags:
    Steps To Reproduce:
    Additional Information:
    System Description Default profile.
    Attached Files: 0001-Reduce-the-lifetime-of-certificates-to-366-days.patch (1,089 bytes) 2021-01-31 11:35
    http://bugs.cacert.org/file_download.php?file_id=493&type=bug
    Notes
    (0005894)
    L10N   
    2020-06-27 13:11   
    I have read the comments at Heise and come to the following conclusion:
    1. we have to reduce the validity period from September 1 to 398 days (or 396 days - one day margin and every four years leap year)
    2. if feasible, offer the validity period at the same time - otherwise later if possible - selectable:
    As SaT says: 6/12 months (for web), but also 2/3/ev.5 years for other applications.
    See among others the following article at Heise:

    https://www.heise.de/forum/heise-online/Kommentare/Browser-Hersteller-verkuerzen-Zertifikats-Lebensdauer-auf-ein-Jahr/Als-ob-nur-Webserver-Browser-Zertifikate-verwenden/posting-36927599/show/
    (they write about smtp, imap, ftp, ldap, xmpp, stunnel, and others)

    The selection (e.g. radio button) must clearly state "for all purposes, incl. https" or "not suitable for websites/https" next to the duration.
    (0005900)
    Ted   
    2020-08-09 09:25   
    I just had a look at Apple's page cited above. There the statement is "This change will affect only TLS server certificates issued from the Root CAs preinstalled with iOS, iPadOS, macOS, watchOS, and tvOS."

    Chromium's statement is "Enforce publicly trusted TLS server certificates ...", which is not as specific as Apple's, but could be interpreted the same way...
    (0005936)
    jandd   
    2021-01-01 05:15   
    This is actually a software development issue because it needs changes to at least the signer client that currently determines the validity period of our certificates.
    (0005942)
    bdmc   
    2021-01-07 22:45   
    jandd, have you created a Git branch for this yet?
    (0005949)
    jandd   
    2021-01-31 11:34   
    I just created https://github.com/CAcertOrg/cacert-devel/pull/23 for this
    (0005950)
    jandd   
    2021-01-31 11:35   
    Patch from the PR attached
    (0005953)
    Ted   
    2021-02-01 21:43   
    I'm afraid that this change has to be approved in the policy group.
    The current CPS explicitly states a validity period of 24 months for assured members. The CPS can only be changed by the policy group, and we (as the software development group) are not allowed to install changes contradicting the CPS!


    View Issue Details
    ID: 1502  Category: [Main CAcert Website] web of trust  Severity: major  Reproducibility: always  Date Submitted: 2021-01-13 16:05  Last Update: 2021-02-03 13:09
    Reporter: alkas Platform: Default  
    Assigned To: OS: any  
    Priority: normal OS Version: any  
    Status: new Product Version: 2015 Q3  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by:
    Test Instructions:
    Summary: Website CAcert.org should be more user friendly
    Description: Many questions to the Support team concern a few problems.
    #1 - a common user is trying to get a client certificate, e.g. for e-mail security. When s/he uses browsers like Firefox, Chrome, Edge, Safari etc., s/he sees the following error message (roughly): No valid CSR received. Try another browser. Wiki articles exist with solutions for just this. Will it be possible to add a link to the specific Wiki article?

    The most frequent questions to Support:
    - My browser is unable to create and submit CSR, (Wiki: https://wiki.cacert.org/HowTo/ClientCertCreate4)
    - I am unable to renew my certificate (Wiki: https://wiki.cacert.org/FAQ/CertificateRenewal)
    - My system reports the private key needed, where to find it (Wiki: https://wiki.cacert.org/FAQ/MissingPrivateKey)
    - How to convert binary P10 formatted CSR to Base64 format (Wiki: https://wiki.cacert.org/HowTo/CertP10toBase64Coding)
    - Digital signing of documents (e.g. Wiki: https://wiki.cacert.org/AdobeReader and more)
    ...and several others.
    Tags: browser, Wiki, WoT
    Steps To Reproduce: Try to make a client cert via Firefox browser. Look at the error message. The Wiki articles solving this are https://wiki.cacert.org/FAQ/Keygen, and https://wiki.cacert.org/HowTo/ClientCertCreate4
    Additional Information:
    System Description Default profile.
    Attached Files: Screen Shot 2021-02-03 at 13.58.14.png (100,719 bytes) 2021-02-03 13:09
    http://bugs.cacert.org/file_download.php?file_id=494&type=bug
    Notes
    (0005956)
    Golffies   
    2021-02-03 13:09   
    Proposal for a quick but efficient fix.
    It might look like that (consensus with Aleš and Dirk):

    * change the text of the UI as little as possible, in order to avoid having to change it in many languages at once

    * make the checkbox "Show advanced options" checked by default (please see attached screenshot)

    * add a default explanation text in the CSR input field (text box) where the CSR has to be pasted

    * such a text might look like that:

      "Please pay attention that Certificate Signing Request is not optional anymore. It is mandatory to copy and paste a CSR into this box. The certificate generation won't work in case you do not provide a CSR. Please clear this text and paste your CSR here."

    * ideally, such text should be written in grey, in the background of the CSR input field, then disappear by itself as soon as the user pastes a CSR or types any character in the input box.


    View Issue Details
    ID: 1503  Category: [Main CAcert Website] website content  Severity: minor  Reproducibility: sometimes  Date Submitted: 2021-02-02 17:42  Last Update: 2021-02-02 22:14
    Reporter: alkas Platform: Default  
    Assigned To: OS: any  
    Priority: normal OS Version: any  
    Status: new Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by:
    Test Instructions: Make an update of a Wiki article.
    Summary: Updating Wiki article ends with "Gateway Timeout" very often
    Description: After finishing an article update/new one, the web waits about 2-3 mins, then it reports the "504 Gateway timeout" error. Despite that, the article is saved. It's only that the 2-3 minutes of fear occurs.
    Tags: Wiki;Gateway timeout;
    Steps To Reproduce: Make an update of a Wiki article.
    Additional Information:
    System Description Default profile.
    Attached Files:
    Notes
    (0005954)
    Ted   
    2021-02-02 19:00   
    I can confirm this behaviour, which I have experienced for some months (? surely since December).

    The changes are obviously saved "immediately", you can see them when opening the page in a different tab while the "saving" tab is still busy.
    (0005955)
    L10N   
    2021-02-02 22:14   
    If I heard correctly from a representative of the Critical Team, the reduced bandwidth is related to other things that are now being processed.
    The problem can be easily worked around:
    1. Save
    2. wait 3-5s
    3. reload page
    In fact, the page hangs just after saving.


    View Issue Details
    ID: 1496  Category: [Main CAcert Website] GPG/PGP  Severity: minor  Reproducibility: always  Date Submitted: 2020-10-31 13:48  Last Update: 2021-02-01 21:29
    Reporter: NoSubstitute Platform: Main CAcert Website  
    Assigned To: Ted OS: N/A  
    Priority: normal OS Version: stable  
    Status: needs review & testing Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by:
    Test Instructions:
    Summary: CAcert signed GPG key reports Invalid Digest Algorithm
    Description: I'm guessing this could be why.

    gpg: Note: third-party key signatures using the SHA1 algorithm are rejected
    sig% P X 0xD2BB0D0165D0FD58 2019-09-22 [Invalid digest algorithm]
    sig% P 0xD2BB0D0165D0FD58 2020-10-31 [Invalid digest algorithm]

    >gpg --version
    gpg (GnuPG) 2.2.23
    libgcrypt 1.8.6
    Copyright (C) 2020 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.

    Home: C:/Users/Kim/AppData/Roaming/gnupg
    Supported algorithms:
    Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
    Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
            CAMELLIA128, CAMELLIA192, CAMELLIA256
    Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
    Compression: Uncompressed, ZIP, ZLIB, BZIP2
    Tags:
    Steps To Reproduce: Sign a gpg key with the gpg signing feature of cacert.
    Import key to gpg.
    Check the signatures of the key.
    Additional Information: Patch created in https://bugs.cacert.org/view.php?id=1473
    System Description Production version of the CAcert website
    Attached Files: 2020-10-31 142414-CAcert_signed_GPG_key-Invalid_digest_algorithm.png (4,726 bytes) 2020-10-31 13:48
    http://bugs.cacert.org/file_download.php?file_id=486&type=bug
    2020-12-26 165239-CAcert-GPG_test-signature.png (5,896 bytes) 2020-12-26 16:00
    http://bugs.cacert.org/file_download.php?file_id=490&type=bug
    2020-12-26 175400-CAcert-GPG_test-signature-valid.png (9,339 bytes) 2020-12-26 16:54
    http://bugs.cacert.org/file_download.php?file_id=491&type=bug
    Notes
    (0005924)
    gleurent   
    2020-12-15 13:40   
    This is because SHA-1 signatures are unsafe and can be abused in practice: https://sha-mbles.github.io/
    GnuPG has been rejecting them for more than one year.

    I opened a bug report about one year ago (#1473) to warn CA Cert before making the attack public, but nothing has happened since and CA Cert still uses SHA-1 to certify users' PGP keys. This is really a shame.
    (0005925)
    L10N   
    2020-12-20 09:50   
    Yes, this should have been solved by now. How about you two, gleurent and NoSubstitute, take care of this case? For our volunteer software team, there would still be 1000 bugs left...
    (0005926)
    NoSubstitute   
    2020-12-20 20:50   
    I wish I had any coding skills to offer.
    I can help out testing if someone else does the coding part. :-)
    (0005929)
    jandd   
    2020-12-25 08:50   
    @NoSubstitute coding is already done. It just needs to be tested. The patch has been applied on test.cacert.org since May 17th 2020.
    (0005930)
    NoSubstitute   
    2020-12-26 14:09   
    @jandd alright.

    I just registered on the test system, as I didn't have an account there.
    I'm not getting the email verification.
    (0005931)
    jandd   
    2020-12-26 14:42   
    @NoSubstitute thanks for volunteering for tests. The test system sends its mails to a special catchall mailbox and does not send it to the Internet. You can go to the test manager at https://test.cacert.org:14843/mail and log in with your test system credentials. This gives you access to your mails from the test system. There is a function to give you assurance points at https://test.cacert.org:14843/manage-account/admin-increase. You need 100 points to be able to use the GPG function.
    (0005932)
    NoSubstitute   
    2020-12-26 16:00   
    Thank you. That part worked great.
    Managed to add points, and add secondary email, and request GPG signature.
    Grabbed signature, and imported to Kleopatra, and it doesn't complain about invalid algorithm for that signature.

    However, it says "no public key" (see attached image), as the test GPG key doesn't seem to be the same as the one for the PROD system, and I find no reference to where I can grab the TEST GPG key, so I can verify that the signature is fine.

    Also, the email sent contains references to the PROD GPG key, as well as a download URL on the PROD system, but with one unprintable character, as seen below.

    ***
    Hi Kim,

    Your CAcert signed key for kim.nilsson@no-substitute.com is available online at:

    https://www.cacert.org/gpg.php?id=3&cert054

    To help improve the trust of CAcert in general, it's appreciated if you could also sign our key and upload it to a key server. Below is a copy of our primary key details:

    pub 1024D/65D0FD58 2003-07-11 CA Cert Signing Authority (Root CA) <gpg@cacert.org>
    Key fingerprint = A31D 4F81 EF4E BD07 B456 FA04 D2BB 0D01 65D0 FD58

    Best regards
    CAcert.org Support!
    ***
    (0005933)
    jandd   
    2020-12-26 16:48   
    @NoSubstitute thanks for testing. The test system uses a different gpg key:


    The mail template is hard coded into the signer client script. The special character in the mail link may be introduced by some encoding issue. The code line in CommModule/client.pl looks sane:

    $body .= "https://www.cacert.org/gpg.php?id=3&cert=$row{id}\n\n";

    but maybe the Content-Transfer-Encoding: quoted-printable in the sendmail function in the same script breaks the content. I will file a separate bug for the mail template issues.
    (0005934)
    NoSubstitute   
    2020-12-26 16:54   
    With the test key imported the signature looks great.
    (0005943)
    jandd   
    2021-01-31 11:17   
    @Ted seems like the patch has been tested successfully. What are the next steps to get it into the production system (I know a site visit is needed because it is code on the signer)? Someone needs to merge the code into the proper branch and make a formal delivery to the critical team? Do we have documentation of how this should be done? Can we add such documentation to codedocs?
    (0005952)
    Ted   
    2021-02-01 21:29   
    @jandd, those were exactly the questions which discouraged me from continuing work on this bug... The signer machine is something like a big black box to me. :-\

    First of all the changes have to be reviewed by a Software Assessor, probably me. Where are these changes archived? I did not find a branch-1496 in the cacert-devel repository on github or git.cacert.org (is the signer software part of this repository at all? Only CommModule/server.pl?), is it somewhere in the svn repository? Or where else can I have a look at what was changed?

    The next question is whether the installation on the testserver is sufficiently similar to the signer installation. I did not find the signer machine on infradocs, am I looking at the wrong places? Maybe @egal can give some info here? Or do we have to ask Wytze? Without knowing the file layout on the signer it's quite hard to create some auditable install package.


    View Issue Details
    ID: 356  Category: [Main CAcert Website] certificate issuing  Severity: feature  Reproducibility: always  Date Submitted: 2006-11-15 02:03  Last Update: 2021-01-31 11:41
    Reporter: Sourcerer Platform:  
    Assigned To: OS:  
    Priority: normal OS Version:  
    Status: confirmed Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by:
    Test Instructions:
    Summary: X509v3 Authority Key Identifier
    Description: Those who need to trust my certificate claim it is required - otherwise their "proxy server" will not accept it.
    They say: On a signed certificate, running "openssl x509 -noout -text -in some.cert", somewhere in the output the following should appear:
    X509v3 extensions:
                X509v3 Authority Key Identifier: keyid:9F:A9:16:E0:C9:FF:92:93:3B:F6:FE:60:BD:F5:13:49:3D:B2:3B:B1
    That section is not in my cacert issued server certificate.
    Tags: baseline requirements, certificates, signer
    Steps To Reproduce:
    Additional Information:
    Attached Files:
    Notes
    (0000710)
    navy   
    2006-11-15 02:10   
    It appears to be related to the OpenSSL conf item:
    authorityKeyIdentifier = keyid,issuer:always
    (0005951)
    jandd   
    2021-01-31 11:40   
    This is still true in 2021, the extension is required by CAB Forum BR too and should be added to the signer configuration for all end entity certificates.
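As an added example (not CAcert's signer configuration or any code from the project), an OpenSSL `openssl ca` configuration that covers both points raised above: the Authority Key Identifier from issue 356 and the 366-day lifetime from the patch in issue 1482. The directory layout under /path/to/ca and the section names are assumptions; navy's 2006 note suggested `keyid,issuer:always`, and the comment explains why only the `keyid` form is used here.

```ini
# Added example, not CAcert's signer configuration. Paths under /path/to/ca
# and the section names (ca_server, policy_server, server_ext) are assumed.
[ ca ]
default_ca = ca_server

[ ca_server ]
dir              = /path/to/ca
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
# Issue 1482: one year plus a leap day, well inside the 398-day limit
# that browsers enforce for certificates issued from 2020-09-01.
default_days     = 366
default_md       = sha256
policy           = policy_server
x509_extensions  = server_ext
# Never let a requester's CSR inject its own extensions into the issued cert.
copy_extensions  = none

[ policy_server ]
commonName             = supplied
organizationName       = optional
organizationalUnitName = optional
countryName            = optional
emailAddress           = optional

[ server_ext ]
basicConstraints       = critical, CA:FALSE
subjectKeyIdentifier   = hash
# Issue 356: the AKI must be present in every end-entity certificate.
# "keyid" copies the issuer's Subject Key Identifier, which is the only form
# current CA/Browser Forum Baseline Requirements profiles allow; the older
# "keyid,issuer:always" form also embeds the issuer DN and serial number.
authorityKeyIdentifier = keyid
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
```

After signing with `openssl ca -config <this file> -in request.csr -out issued.crt`, the check quoted in the bug report, `openssl x509 -noout -text -in issued.crt`, should list the Authority Key Identifier and a notAfter date 366 days after notBefore.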


    View Issue Details
    ID: 996  Category: [Main CAcert Website] certificate issuing  Severity: minor  Reproducibility: have not tried  Date Submitted: 2011-12-02 08:52  Last Update: 2021-01-31 11:23
    Reporter: jandd Platform: Main CAcert Website  
    Assigned To: jandd OS: N/A  
    Priority: normal OS Version: stable  
    Status: confirmed Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by:
    Test Instructions:
    Summary: Slashes in OU value gets stripped (org cert)
    Description: The original issue was reported to the project "Infrastructure" as http://bugs.cacert.org/view.php?id=995
    Tags: signer, signer_client, webdb
    Steps To Reproduce: see http://bugs.cacert.org/view.php?id=995
    Additional Information: see http://bugs.cacert.org/view.php?id=995
    System Description Production version of the CAcert website
    Attached Files:
    Notes
    (0005947)
    jandd   
    2021-01-31 11:22   
    This issue cannot be fixed with the current signer/web application because both use strings to pass the Subject DN information. The code needs to be reimplemented to support proper DER ASN.1 structures.


    View Issue Details
    ID: 1500  Category: [Main CAcert Website] GPG/PGP  Severity: tweak  Reproducibility: always  Date Submitted: 2020-12-26 16:52  Last Update: 2020-12-26 16:53
    Reporter: jandd Platform: Test CAcert Website  
    Assigned To: OS: N/A  
    Priority: normal OS Version: Test  
    Status: new Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by:
    Test Instructions:
    Summary: Issues in mail template for gpg signing response
    Description: The mail that is sent out when a gpg key is signed has a few issues:

    - fingerprints are hard coded but should be based on the actual key used for signing
    - links are always pointing to the production system
    - there are issues with quoted-printable encoding that introduce \r characters on long lines (i.e. in the gpg.php link)
    Tags: GPG, mail, signer_client
    Steps To Reproduce: request a GPG signature on the test system
    look at the mail
    Additional Information: found on the test system
    System Description Test version of the CAcert website
    Attached Files:
    There are no notes attached to this issue.


    View Issue Details
    ID: 878  Category: [Main CAcert Website] misc  Severity: major  Reproducibility: have not tried  Date Submitted: 2010-10-07 13:36  Last Update: 2020-12-21 19:02
    Reporter: Uli60 Platform:  
    Assigned To: OS:  
    Priority: normal OS Version:  
    Status: needs work Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by:
    Test Instructions:
    Summary: replace locations-database-set with new dataset or alternate solution a20090427.2
    Description: Ruling order:

    iii. The Community shall start a project ASAP to migrate the location function that is currently implemented in the critical system, with the objective of replacing the locations database completely, by means of either
      * a) with a completely new fresh freely available open source of locations data
    or
      * b) any alternate solution to the location function that does not need a local store of locations data within the critical system
    Tags:
    Steps To Reproduce:
    Additional Information: it's open to the developers how to solve this
    e.g. outsource the service, replace the locations-database-set
    or whatever solution fits
    Problem confirmed and ruled to be a problem by Arbitration
    https://wiki.cacert.org/Arbitrations/a20090427.2
    Attached Files:
    Notes
    (0005927)
    jandd   
    2020-12-21 19:02   
    users could enter their location with assistance from the nominatim API of OpenStreetMap https://wiki.openstreetmap.org/wiki/Nominatim

    We would store the geo coordinates and could use queries to find assurers within proximity of a specific location similar to what is described in https://mariadb.com/de/resources/blog/mariadb-server-10-2-json-geojson-gis/


    View Issue Details
    ID: 1077  Category: [CATS.cacert.org] User Interface  Severity: minor  Reproducibility: always  Date Submitted: 2012-06-25 21:04  Last Update: 2020-12-09 11:36
    Reporter: Lemming Platform:  
    Assigned To: OS:  
    Priority: normal OS Version:  
    Status: new Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Summary: (PHP) Fatal Error in includes/graph_bib/phplot.php
    Description: The server can't create an image by clicking 'show as line chart' or 'show as bar chart' for watching your progress in challenges because of undefined functions.

    Fatal error: Call to undefined function ImageCreate() in /home/cats/public_html/includes/graph_bib/phplot.php on line 233


    Fatal error: Call to undefined function ImageDestroy() in /home/cats/public_html/includes/graph_bib/phplot.php on line 257
    Tags:
    Steps To Reproduce: * Login in CATS
    * Click Progress
    * Click 'show progress'
    * Click 'show as line chart' or 'show as bar chart'
    * Look at the sourcecode of this page and follow the URL of the <img>-tag with 'includes/graph_bib/curve.php..'
    Additional Information:
    Attached Files:
    Notes


    View Issue Details
    ID: 973  Category: [CATS.cacert.org] Translation: Content  Severity: minor  Reproducibility: N/A  Date Submitted: 2011-08-22 21:19  Last Update: 2020-12-03 22:28
    Reporter: Ted Platform:  
    Assigned To: Ted OS:  
    Priority: normal OS Version:  
    Status: needs review & testing Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Summary: Translation of Assurer Challenge to French
    Description: This is to keep track of the current status of the translation.
    Tags: CATS, Translation
    Steps To Reproduce:
    Additional Information:
    Attached Files:
    Notes
    (0002319)
    Ted   
    2011-08-22 22:11   
    Current status:

    About 20% completed
    (0003259)
    Lordguy   
    2012-10-17 20:54   
    (Last edited: 2012-10-17 21:53)
    Translation of the Org Assurer test at 100%

    (0004450)
    L10N   
    2013-11-09 23:25   
    What is still missing to finish?
    (0005193)
    L10N   
    2014-12-18 21:36   
    What is still missing to finish?
    (0005551)
    L10N   
    2017-06-30 20:25   
    What is still missing to finish?
    (0005578)
    bergerc   
    2018-03-18 21:49   
    I modified some translations (French). What are the next tasks?
    (0005582)
    jandd   
    2018-04-06 09:26   
    https://translations.cacert.org/fr/cats/ seems to be complete now
    (0005610)
    Ted   
    2018-09-04 07:36   
    I don't know if we are talking about the same thing here.

    This is the case to translate the test questions, not the user interface. The test questions are not (and will probably never be) on https://translations.cacert.org!

    At the moment translating and reviewing the test questions is a bit complicated, see https://wiki.cacert.org/Brain/Study/EducationTraining/CATSTranslation...

    I'll try to create HTML files for a review of the french test questions in the next few days and publish a link here.
    (0005613)
    Ted   
    2018-10-21 18:50   
    The current state of the french translation of the Assurer Challenge can now be found at https://cats.test.cacert.org:14843/fr.html

    This is the CATS test system, be prepared that your browser will probably complain about an invalid certificate.
    (0005724)
    L10N   
    2019-01-02 20:24   
    Hi Ted,
    all 96 questions/answers are now translated, that means 100% of the Assurer Challenge.
    Review is needed.
    (0005725)
    L10N   
    2019-01-02 20:27   
    In 2012, Lordguy wrote (https://bugs.cacert.org/view.php?id=973#c3259), that the OrgA Test is 100% translated. Is OrgA Test in production or is a review needed?
    (0005730)
    Ted   
    2019-01-03 21:20   
    An updated version of the French review sheet is available at https://cats.test.cacert.org:14843/fr.html (for the time of the review). The first thing I noticed was that question [3] and the answers to [4] are still English? >:-)

    OrgA Test is not installed on the production CATS, so I'd take this as a hint that it is currently not in use.
    (0005922)
    L10N   
    2020-12-03 22:28   
    Ted, would you mind to update https://cats.test.cacert.org:14843/fr.html please?

    I went through the document and looked for all English remnants (just "true" and "false" remain). As we have three French speaking people on the board, I have some hope that the review will be done soon after.


    View Issue Details
    ID: 1469  Category: [Main CAcert Website] misc  Severity: major  Reproducibility: always  Date Submitted: 2019-10-11 10:38  Last Update: 2020-11-23 09:33
    Reporter: mcgiwer Platform: Main CAcert Website  
    Assigned To: Ted OS: Linux (Debian based)  
    Priority: normal OS Version: stable  
    Status: needs work Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by:
    Test Instructions: see: Steps to reproduce
    Summary: CACert.org certificate issues (with valid root certificates installed)
    Description: 1. when I attempt to open cacert.org website pages, I receive the following error every time:

    > Secure Connection Failed
    >
    > An error occurred during a connection to cats.cacert.org. SSL peer was unable to negotiate an acceptable set of security parameters.
    >
    > Error code: SSL_ERROR_HANDSHAKE_FAILURE_ALERT
    >
    > The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    > Please contact the website owners to inform them of this problem.

    ===========

    2. when I'm attempting to issue a client certificate, I receive the following error:

    > I didn't receive a valid Certificate Request, please try a different browser.

    Please repair the above errors ASAP. Thanks
    Tags:
    Steps To Reproduce: Enter the website
    Additional Information:
    System Description Production version of the CAcert website
    Attached Files:
    Notes
    (0005851)
    Ted   
    2019-10-14 08:09   
    (Last edited: 2019-10-14 08:10)
    Usually this is caused by the fact that the CAcert root certificates are not installed in the browser, see http://wiki.cacert.org/FAQ/Mess

    If you have CAcert root certificates installed (and trusted), there are still occasional problems that the old version of the root certificate is somewhere in traffic, which still used MD5 for self-signature, see http://wiki.cacert.org/HowTo/ReplaceCAcertRootCertificate

    If both of these possible causes are eliminated we'd need to know which browser you are using.

    (0005852)
    mcgiwer   
    2019-10-14 09:03   
    I use Firefox. Maybe it would be a good idea to make the main site load without SSL as default. This would partially solve the problem.

    On the main website there should be information about the need to install the Root certificates to enter the SSL site, or an SSL certificate should be installed which doesn't require doing that
    (0005919)
    mcgiwer   
    2020-11-23 09:30   
    I have removed the old and installed new root certificates of CA cert and independent from it:

    1. when I attempt to open cacert.org website pages, I receive the following error every time:

    > Secure Connection Failed
    >
    > An error occurred during a connection to cats.cacert.org. SSL peer was unable to negotiate an acceptable set of security parameters.
    >
    > Error code: SSL_ERROR_HANDSHAKE_FAILURE_ALERT
    >
    > The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    > Please contact the website owners to inform them of this problem.

    ===========

    2. when I'm attempting to issue a client certificate, I receive the following error:

    > I didn't receive a valid Certificate Request, please try a different browser.

    Please repair the above errors ASAP. Thanks


    View Issue Details
    ID: 1455  Category: [Main CAcert Website] GPG/PGP  Severity: minor  Reproducibility: always  Date Submitted: 2019-01-09 01:10  Last Update: 2020-10-31 13:25
    Reporter: colincogle Platform: Default  
    Assigned To: OS: any  
    Priority: normal OS Version: any  
    Status: new Product Version: 2015 Q3  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by:
    Test Instructions:
    Summary: CAcert cannot recognize or sign GPG/PGP keys with EdDSA public keys
    Description: I finally created a new keypair with the newest version of GnuPG, and I used the EdDSA algorithm. However, CAcert cannot parse it. While it uploaded successfully, it's been stuck on "pending" for a while. Additionally, the expiration date shows as "0000-00-00 00:00:00."
    Tags:
    Steps To Reproduce: 1. Create a new EdDSA key with the command: gpg --full-generate-key
    2. Upload it to CAcert in hopes of getting it signed.
    Additional Information: I have not tested this with ECDSA, ECDH, or ElGamal keys. However, I'd wager that support for those newer types is also lacking.

    I tagged this as minor/normal but as the new version of GnuPG trickles out, this may turn into a major/high issue.
    System Description Default profile.
    Attached Files: 2020-10-31 142414-CAcert_signed_GPG_key-Invalid_digest_algorithm.png (4,726 bytes) 2020-10-31 13:25
    http://bugs.cacert.org/file_download.php?file_id=485&type=bug
    Notes
    (0005731)
    Ted   
    2019-01-09 15:48   
    It's just a wild guess, but I assume that the version of GPG which is installed on the signer is a bit too old to know the new algorithms, does this sound plausible?
    (0005732)
    colincogle   
    2019-01-09 17:39   
    That's probably it. Support for ECDH, ECDSA, and EdDSA keys was added in GnuPG 2.1.
    (0005856)
    SaT   
    2019-12-03 07:51   
    I stumbled upon this bug today, too. A fresh GPG key with Elliptic Curves cannot be signed; it is pending forever. An RSA key does work.
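The failure mode described in this issue (an uploaded ECC key that the signer's GnuPG does not understand sits at "pending" with a zero expiry) can be caught at upload time by reading the algorithm octet of the OpenPGP public-key packet. The following is an added example, not CAcert's code: it parses the packet header and the version-4 key packet per RFC 4880, and it assumes the statement above that ECDH, ECDSA and EdDSA support arrived with GnuPG 2.1. The two sample packets are constructed by hand with dummy key material.

```python
"""Added example (not CAcert code): read the public-key algorithm out of an
OpenPGP public-key packet (RFC 4880 section 5.5.2) so a signing service can
tell an RSA key from an ECC key before it queues the request, instead of
leaving an unsupported key at "pending" with a zero expiry.  The GnuPG
version threshold encodes the statement in this issue that ECDH, ECDSA and
EdDSA support arrived with GnuPG 2.1.  Sample packets are constructed by hand
with dummy (not cryptographically valid) key material."""

# Public-key algorithm ids: RFC 4880 section 9.1 (1, 16, 17), RFC 6637 (18, 19);
# 22 is EdDSA as emitted by GnuPG 2.1 and later.
ALGORITHM_NAMES = {1: "RSA", 16: "ElGamal", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}
ECC_ALGORITHMS = {18, 19, 22}

def read_packet_header(data):
    """Return (tag, body_offset) for an old- or new-format packet header."""
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet (bit 7 of the first octet is clear)")
    if ctb & 0x40:                        # new format: tag in the low 6 bits
        first = data[1]
        if first < 192:
            return ctb & 0x3F, 2          # one-octet length
        if first < 224:
            return ctb & 0x3F, 3          # two-octet length
        if first == 255:
            return ctb & 0x3F, 6          # five-octet length
        raise ValueError("partial body lengths are not handled here")
    length_type = ctb & 0x03              # old format: 0/1/2 -> 1/2/4 length octets
    if length_type == 3:
        raise ValueError("indeterminate packet length is not handled here")
    return (ctb >> 2) & 0x0F, 1 + (1, 2, 4)[length_type]

def public_key_algorithm(packet):
    """Algorithm id from a version-4 public-key (tag 6) or public-subkey (tag 14) packet."""
    tag, off = read_packet_header(packet)
    if tag not in (6, 14):
        raise ValueError("packet tag %d is not a public key" % tag)
    if packet[off] != 4:
        raise ValueError("unsupported key packet version %d" % packet[off])
    return packet[off + 5]                # version(1) + creation time(4) precede it

def signer_can_handle(algo_id, gnupg_version):
    """True when the signer's GnuPG release knows the algorithm (ECC needs >= 2.1)."""
    if algo_id in ECC_ALGORITHMS:
        return tuple(gnupg_version) >= (2, 1)
    return algo_id in ALGORITHM_NAMES

def triage_key(packet, gnupg_version):
    """Accept or reject a key up front instead of leaving it 'pending' forever."""
    algo = public_key_algorithm(packet)
    name = ALGORITHM_NAMES.get(algo, "unknown(%d)" % algo)
    return ("accept" if signer_can_handle(algo, gnupg_version) else "reject"), name

# Constructed sample packets (dummy MPIs, not real keys).
# Old-format header 0x99 = tag 6 with a two-octet length; body = v4, creation time,
# algorithm 1 (RSA), MPI n, MPI e.
RSA_PACKET = bytes.fromhex("99000c" "04" "5d5ec0a0" "01" "000305" "000203")
# New-format header 0xC6 = tag 6; body = v4, creation time, algorithm 22 (EdDSA),
# OID length + Ed25519 OID 1.3.6.1.4.1.11591.15.1, MPI of the public point.
EDDSA_PACKET = bytes.fromhex("c613" "04" "5d5ec0a0" "16" "09" "2b06010401da470f01" "000740")

if __name__ == "__main__":
    for label, pkt in (("RSA", RSA_PACKET), ("EdDSA", EDDSA_PACKET)):
        for version in ((2, 0), (2, 1)):
            print(label, "key on a GnuPG %d.%d signer:" % version, triage_key(pkt, version))
```

Run against a real exported key, the first packet of `gpg --export` output is the primary public-key packet, so `public_key_algorithm` can be applied to the start of the exported blob directly; only the header and the first six body octets are read.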
    (0005914)
    NoSubstitute   
    2020-10-31 13:25   
    Signing "RSA key does work."

    I wonder if that is still true, though.
    I just signed my RSA key today, and when checking the signature in GPGWin it comes back as "Invalid digest Algorithm" where it should say who signed it.


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1461 [Blog] text always 2019-04-26 20:53 2020-09-16 21:25
    Reporter: L10N Platform: Iiggg  
    Assigned To: OS:  
    Priority: normal OS Version:  
    Status: new Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Summary: Hatchek, etc. not displayed
    Description: "zkouškou" is not displayed. Letters with a hatchek or a circle above a u are replaced with "?".
    Tags: blog, unicode
    Steps To Reproduce: Put some Czech text in the text window. Press the preview button or the publish button. Accents will be replaced by "?".
    Additional Information: The example shown in the uploaded pictures was written in LibreOffice, saved as png-picture and published as picture, not as text.
    Attached Files: CAcertCATSCzech.png (223,664 bytes) 2019-04-26 20:53
    http://bugs.cacert.org/file_download.php?file_id=466&type=bug
    Screenshot_2020-08-08 Wikipedie, otevřená encyklopedie.png (96,861 bytes) 2020-08-07 22:11
    http://bugs.cacert.org/file_download.php?file_id=476&type=bug
    Screenshot_2020-08-08 Add New Post ‹ CAcert Blog — WordPress.png (73,037 bytes) 2020-08-07 22:11
    http://bugs.cacert.org/file_download.php?file_id=477&type=bug
    Screenshot_2020-08-08 lánek týdne.png (67,158 bytes) 2020-08-07 22:11
    http://bugs.cacert.org/file_download.php?file_id=478&type=bug
    Notes
    (0005883)
    jandd   
    2020-05-12 20:00   
    An idea: maybe the charset of some database tables is not utf8mb4. The database has been migrated from older versions of WordPress. This needs to be checked by an admin (Dirk or me); we should also check whether WordPress sends the correct encoding in the Content-Type header.
    (0005885)
    egal   
    2020-05-16 20:35   
    The "older" tables are "latin1_swedish_ci":

    | wp_commentmeta | utf8mb4_unicode_ci |
    | wp_postmeta | latin1_swedish_ci |
    | wp_terms | latin1_swedish_ci |
    | wp_term_relationships | utf8mb4_unicode_ci |
    | wp_usermeta | latin1_swedish_ci |
    | wp_users | latin1_swedish_ci |
    | wp_termmeta | utf8mb4_unicode_ci |
    | wp_comments | latin1_swedish_ci |
    | wp_posts | latin1_swedish_ci |
    | wp_term_taxonomy | latin1_swedish_ci |
    | wp_links | latin1_swedish_ci |
    | wp_options | latin1_swedish_ci |

    Wordpress itself uses utf-8:
    define('DB_CHARSET', 'utf8');
    define('DB_COLLATE', '');

    As WordPress was updated in April 2020, please test again ...
    (0005899)
    L10N   
    2020-08-07 22:11   
    I tested with an article from the main page of cs.wikipedia.org (pic 1 Wikipedia) and copy-pasted it into the blog (pic 2 Add New Post), then clicked on preview (pic 3 lánek). The result is as follows: in Wikipedia all accents/hatcheks are displayed. In the "new post section" they are displayed as well, only not in the title. In the preview there are still "?".

    You can check in the 2nd line "Arpodvocu" (u with circle on it -> ?), "peceneszke" (c and e with hatchek -> ? [s and z with hatchek are displayed]),


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1493 [Main CAcert Website] website content minor always 2020-08-07 22:31 2020-09-16 21:19
    Reporter: L10N Platform:  
    Assigned To: OS:  
    Priority: high OS Version:  
    Status: needs review & testing Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by:
    Test Instructions:
    Summary: Replace Paypal button with IBAN bank account GRKB
    Description: Instead of the Paypal buttons, the following should be shown:
    CAcert Inc bank account Europe (GRKB) CH02 0077 4010 3947 4420 0
    CAcert Inc bank account Australia (Westpac) (already displayed)
    -------
    Bankenclearing: 774
    BIC (SWIFT): GRKBCH2270A

    Grisons Cantonal Bank, Coire, Switzerland
    Graubündner Kantonalbank, Chur, Schweiz
    Banque Cantonale des Grisons, Coire, Suisse
    Banca Cantonal Grigione, Coira, Svizzera
    Banca Chantunela Grischuna, Cuira, Svizra
    Tags:
    Steps To Reproduce:
    Additional Information:
    Attached Files: 0.php (5,507 bytes) 2020-08-10 12:15
    http://bugs.cacert.org/file_download.php?file_id=479&type=bug
    21.php (2,147 bytes) 2020-08-10 12:15
    http://bugs.cacert.org/file_download.php?file_id=480&type=bug
    13.php (2,381 bytes) 2020-08-10 12:15
    http://bugs.cacert.org/file_download.php?file_id=481&type=bug
    5.php (2,864 bytes) 2020-08-10 12:15
    http://bugs.cacert.org/file_download.php?file_id=482&type=bug
    Notes
    (0005901)
    L10N   
    2020-08-10 11:31   
    28.7.2020:
    > I have never tinkered with the homepage before. But replacing the Paypal button
    > with an IBAN number, that is something I'd still trust myself to do. Could
    > you tell me where I can find it? Perhaps in a GIT, where I would then
    > make a copy that the higher-ups can then review?
    (0005902)
    L10N   
    2020-08-10 11:32   
    29.7.2020:
    It's not that simple ... ;-)

    You need a bug number for it (Mantis) ... and ideally you also deliver
    the patch along with it directly.

    You can download the sources directly from www.cacert.org without git
    (I'd have to look up where exactly the link is ... but somewhere
    "bottom right").

    Ted and I can then do the corresponding review, so that Ted can
    send it on to Critical (me), so that it then also gets immortalised on
    www.cacert.org.

    (While you're at it: please throw the Open Architecture Network out
    of the sponsors (it no longer exists) and put in a link to a sponsors
    page in the wiki there, where we can then name further (smaller)
    sponsors such as abilit.eu (the "Luxembourg" server came from them) or
    individuals as well.

    Take care

    PS: I'd also have to look up the exact file ... but if you have the
    sources, you can search for it there with "grep" ... ;-)
    (0005903)
    L10N   
    2020-08-10 12:15   
    I replaced the Paypal button code with the IBAN, using the same coding as was used for the information about the Westpac bank account:
    /pages/index/0.php
    /pages/index/13.php
    /pages/index/21.php

    Furthermore, I removed the paypal button code (it was there to pay for password reset, the link to the wiki remains):
    /pages/index/5.php
    (I am not sure if this is another bug, but it has been an issue for a long time.)
    (0005910)
    L10N   
    2020-09-16 21:19   
    Following https://wiki.cacert.org/Brain/CAcertInc/Committee/MeetingAgendasAndMinutes/2020-09-03#Minutes

    "We [the committee] will show on our homepage, at the top the EU bank account, lower the AU bank account, and Paypal as a third option."

    So, the code has to be rewritten again. Sorry, no testing needed at the moment.


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1464 [Main CAcert Website] certificate issuing minor N/A 2019-08-04 16:54 2020-06-27 14:22
    Reporter: Ted Platform:  
    Assigned To: Ted OS:  
    Priority: normal OS Version:  
    Status: new Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by:
    Test Instructions:
    Summary: Support ACME protocol for issuing certificates
    Description: Request by CAcert board. First step is to evaluate the amount of work needed, then the decision should be made whether to implement the protocol or to postpone it.
    Tags:
    Steps To Reproduce:
    Additional Information:
    Attached Files:
    Notes
    (0005821)
    Ted   
    2019-08-04 17:00   
    Start for research is Wikipedia https://en.wikipedia.org/wiki/Automated_Certificate_Management_Environment, the corresponding RFC seems to be https://tools.ietf.org/html/rfc8555
    (0005822)
    Ted   
    2019-08-12 10:43   
    I have given the RFC a first cursory reading. My findings are recorded in the wiki at https://wiki.cacert.org/Software/Projects/Bug%231464%3A%20ACME%20protocol

    Feel free to add your own findings there.

    As a (preliminary!) summary, I guess that there will be some work to do, implementing extensions to the CAcert website as well as implementing the protocol interface itself, probably several days of work, but that the job itself will not be impossible.


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    775 [Main CAcert Website] certificate issuing minor have not tried 2009-09-05 10:25 2020-06-27 14:15
    Reporter: Bas van den Dikkenberg Platform:  
    Assigned To: egal OS:  
    Priority: normal OS Version:  
    Status: needs review Product Version: 2009 Q3  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version: 2015 Q1  
    Reviewed by: Ted
    Test Instructions:
    Summary: An org certificate is only valid one year
    Description: When I make an Organisational client certificate it's only valid one year; this must be two as far as I can find in the policy. The policy doesn't specify that it's not valid for two years.

    Tags:
    Steps To Reproduce:
    Additional Information:
    Attached Files:
    Notes
    (0001476)
    homer   
    2009-09-06 12:12   
    Hello Bas,

    I guess you are right
    http://www.cacert.org/index.php?id=19

    Best regards,

    Guillaume
    (0001477)
    homer   
    2009-09-11 20:14   
    Hello Bas,

    I confirm the cert lifetime is one year whatever you choose, codesigning or not (class 1 or 3 root).

    Best regards,

    Guillaume
    (0001478)
    homer   
    2009-09-11 20:15   
    confirmed Sept 11th 2009
    (0002085)
    Uli60   
    2011-07-05 02:17   
    (Last edited: 2011-07-05 11:49)
    added a note that certs issued under the Organisation Assurance program are valid for 12 months under
    https://wiki.cacert.org/FAQ/Privileges
    redirection fix is handled under
    https://bugs.cacert.org/view.php?id=897

    to update the text, you have to update
    https://wiki.cacert.org/FAQ/Privileges

    http://www.cacert.org/policy/CertificationPracticeStatement.php
    lists Organisation SubRoot -> Expiry of Certificates -> 24 months
    for the new root and
    Assured Members -> Expiry of Certificates -> 24 months
    for the "old" root

    http://www.cacert.org/policy/OrganisationAssurancePolicy.php
    refers to CPS about cert issuing

    affected source code starts in:
    https://cacert1.it-sls.de/account.php?id=16 (client certs)
    https://cacert1.it-sls.de/account.php?id=20 (server certs)

    probably one of the CommModule scripts needs to be reviewed
    eg client.pl (sub calculateDays($)) l.440 ff. counts days based on received assurance points. if >= 50 then 730 days otherwise 180 days.
    Do organisation users receive assurance points over 50?

    client.pl l.835 (sub HandleCerts($$)) displays correct calculation:
          my $days=$org?($server?(365*2):365):calculateDays($row{"memid"});
    if org (is yes), if server cert then calculate #days = 2 x 365 days = 730
    sub calculateDays() will not be called here

    (0004603)
    INOPIAE   
    2014-02-25 07:39   
    I pushed a fix to https://github.com/INOPIAE/CAcert/tree/bug-775
    (0005257)
    BenBE   
    2015-01-21 21:51   
    Patch applied to testserver.

    The testserver always uses 30 days instead of 730 days.
    (0005260)
    INOPIAE   
    2015-01-21 22:24   
    I just created a new org client cert. Duration is 2 years => ok
    I just created a new org server cert. Duration is 2 years => ok
    =>ok
    (0005261)
    Uli60   
    2015-01-21 22:30   
    renewed Org.Server cert => now valid for 2 years
    renewed Org.Client cert => now valid for 2 years
    (0005816)
    Ted   
    2019-07-17 07:42   
    There has been an explicit request on the support mailing list for longer lasting org certificates, so I'm trying to revive this case...
    (0005817)
    Ted   
    2019-07-21 21:15   
    The changes checked in by INOPIAE in his commit 900a6f2b9ea899bcf66cbc47848d6a8057bcaca0 five years ago are quite minimal.

    I guess the easiest way to get it compatible to the current code is to manually re-do those changes on the current release branch...
    (0005818)
    Ted   
    2019-07-21 21:25   
    Note that Org-server certificates already are valid for 2 years on the production system, only client certs are reduced to 1 year validity...
    (0005819)
    Ted   
    2019-07-21 21:57   
    Hmm, indeed rebasing the existing bug-775 worked fine, so I pushed the branch to the GitHub-repository. git.cacert.org is not (yet) updated.
    (0005820)
    Ted   
    2019-07-26 21:07   
    bug-775 is now merged into test-1442 and installed on the (old) testserver, so it may once more be tested...
    (0005823)
    Golffies   
    2019-08-22 15:20   
    [Second attempt to submit the test report; previous drafted report got lost when submitting it, thanks to an "invalid authentication token" issue; some inaccuracies may have then been added to the present report, when re-writing it yet another time.]

    Test report


    1. Tested URL: https://test.cacert.org


    2. Pre-requisites - Set #1:

    2.1. having user's e-mail address been verified;
    2.2. having been assured by other Assurers, up to 100 points;
    2.3. being an Assurer, i.e. having passed CATS;
    2.4. being an Organisation Assurer.

    All pre-requisites fulfilled by tuning existing user account registered on https://test.cacert.org through the Test Manager available at https://mgr.test.cacert.org:14843.


    3. Pre-requisites - Set #2:

    3.1. Having registered an Organisation;
    3.2. Having defined yourself as an Administrator for that Organisation;
    3.3. Having defined a Domain for that Organisation;

    All prerequisites fulfilled by registering the related information on https://test.cacert.org.


    4. Organisation Server Certificate - Steps which have been completed:

    4.1. off-line preparing a CSR certificate with openssl;
    4.2. requesting a new certificate under the Org Server Certs menu;
    4.3. pasting the CSR in PEM format to the corresponding field;
    4.4. choosing Class Root 1 as signing certificate;
    4.5. choosing SHA512 as signature algorithm;
    4.6. clicking on Submit button;
    4.7. reviewing and confirming Organisation details on next screen;
    4.8. getting a PEM on-screen copy of the Org Server generated certificate;
    4.9. off-line reading the validity period of the certificate with openssl;
    4.10. displaying the list of existing Server certificates under the Org Server Certs menu;
    4.11. on-line reading the validity period of the considered certificate;
    4.12. comparing the on-line (test.cacert.org) expiry dates with the off-line (openssl) expiry dates.

    Results are given at the end of the report.


    5. Organisation Client Certificate - steps completed:

    5.1. off-line preparing a CSR certificate with openssl;
    5.2. requesting a new certificate under the Org Client Certs menu;
    5.3. entering required personal details;
    5.4. keeping Class Root 3 (default) as signing certificate;
    5.5. keeping SHA256 (default) as signature algorithm;
    5.6. clicking on Next button;
    5.7. pasting the same as previously CSR in PEM format to the corresponding field;
    5.8. clicking on Submit CSR button;
    5.9. getting a PEM on-screen copy of the Org Client generated certificate;
    5.10. off-line reading the validity period of the certificate with openssl;
    5.11. displaying the list of existing Client certificates under the Org Client Certs menu;
    5.12. on-line reading the validity period of the considered certificate;
    5.13. comparing the on-line (test.cacert.org) expiry dates with the off-line (openssl) expiry dates.

    Results are given at the end of the report.


    6. Observed results

    6.1. Org Server Cert result to #4.9: [PASSED]

            Validity
                Not Before: Aug 22 09:54:00 2019 GMT
                Not After : Aug 21 09:54:00 2021 GMT

    6.2. Org Server Cert result to #4.11: [PASSED]

            Expires
            2021-08-21 09:54:00

    6.3. Org Server Cert result to #4.12: [PASSED]

            Not After : Aug 21 09:54:00 2021 GMT
            =
            2021-08-21 09:54:00


    6.4. Org Client Cert result to #5.10: [PASSED]

            Validity
                Not Before: Aug 22 11:26:19 2019 GMT
                Not After : Aug 21 11:26:19 2021 GMT

    6.5. Org Client Cert result to #5.12: [PASSED]

            Expires
            2021-08-21 11:26:19

    6.6. Org Client Cert result to #5.13: [PASSED]

            Aug 21 11:26:19 2021 GMT
            =
            2021-08-21 11:26:19


    7.1. Copy of the Org Server generated certificate:

    7.1.1. Certificate in text format

    $ openssl x509 -text -noout -in 2019-08-22_OrgaServCert.pem

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 20697 (0x50d9)
        Signature Algorithm: sha512WithRSAEncryption
            Issuer: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1.it-sls.de, CN=CAcert Testserver Root
            Validity
                Not Before: Aug 22 09:54:00 2019 GMT
                Not After : Aug 21 09:54:00 2021 GMT
            Subject: C=FR, ST=Ile de France, L=Paris, O=Ellis BBS, CN=ellis.siteparc.fr
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        00:96:67:e1:d1:6a:69:05:c8:f5:ea:2f:a9:0d:7a:
                        21:f6:57:2d:24:15:aa:2f:2c:c5:85:79:fe:6f:5a:
                        9a:8c:e6:d4:65:2e:63:b5:ac:39:19:56:53:f9:4d:
                        56:56:80:db:91:5a:d6:de:9d:80:63:e1:00:20:e8:
                        9c:3c:07:5b:1d:67:31:76:f4:06:bb:74:78:d5:57:
                        0e:c9:3c:73:4c:0c:ac:32:8b:0b:8b:20:9b:d5:6e:
                        76:e9:cb:7d:df:5a:07:91:d2:aa:9b:da:59:62:87:
                        d2:b1:fb:f9:42:54:c0:4c:b5:53:5e:2a:85:5a:c2:
                        00:f7:d6:11:db:62:6c:b6:00:92:36:d0:0e:37:43:
                        87:48:04:9f:f9:80:c6:9b:37:e5:6c:6f:e9:c4:5a:
                        3a:1e:2e:be:8c:8d:2d:ad:e6:4c:35:e2:eb:87:e3:
                        b7:50:f5:2d:71:a3:ae:f6:36:7e:53:72:d9:aa:45:
                        0d:4e:eb:4e:cb:ee:c8:9c:19:f8:7f:e9:13:6b:54:
                        df:8f:8e:8b:57:51:a3:c7:26:24:e1:6f:90:dd:e8:
                        3a:f1:a9:01:25:a4:f4:05:3c:73:07:dd:3d:6f:b6:
                        ec:27:a2:f0:c8:27:7a:9a:96:e3:cc:35:1c:1a:df:
                        45:6b:fd:4b:27:05:b1:74:49:b4:b4:f4:43:db:2c:
                        e0:07
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints: critical
                    CA:FALSE
                X509v3 Key Usage: critical
                    Digital Signature, Key Encipherment, Key Agreement
                X509v3 Extended Key Usage:
                    TLS Web Client Authentication, TLS Web Server Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto
                Authority Information Access:
                    OCSP - URI:http://ocsp.cacert.org/

                X509v3 CRL Distribution Points:

                    Full Name:
                      URI:http://crl.cacert.org/revoke.crl

                X509v3 Subject Alternative Name:
                    DNS:ellis.siteparc.fr, othername:<unsupported>
        Signature Algorithm: sha512WithRSAEncryption
             b2:e5:64:26:21:82:f0:1c:4d:87:3c:b3:fe:27:91:6d:8b:66:
             4a:a5:88:ca:65:20:29:14:38:82:ea:cf:e8:94:2f:77:00:4e:
             f5:cb:d7:9f:1b:b7:f1:a9:3b:f4:81:35:7a:05:87:9d:c5:05:
             97:04:a2:16:f6:08:aa:be:6b:4b:61:9b:c5:93:4e:d0:ca:f8:
             bd:95:ab:43:59:13:d9:ff:b3:89:b5:8c:e3:bb:11:20:82:e4:
             e7:c8:02:66:53:88:08:e2:33:9c:3b:52:f0:ec:2e:b2:a4:fc:
             7f:cf:9b:9e:28:8a:2c:41:1a:74:1a:ba:06:32:1f:42:0a:01:
             60:a4:08:7f:71:ec:e0:b3:9a:33:2f:3d:6d:93:2d:01:e5:65:
             b4:07:e8:f7:dc:8b:96:43:c4:ff:17:16:38:79:ca:00:d6:0b:
             99:01:f8:ea:29:e7:7c:e3:e1:42:eb:d5:e5:3e:fd:76:fa:6b:
             f3:f1:fb:08:ab:58:56:fa:4b:e8:dc:ec:64:eb:4e:2b:fc:e2:
             0b:a0:85:56:f9:07:02:a4:64:1e:25:35:c2:35:b4:9a:e1:77:
             77:6e:28:4f:ac:a5:c0:7d:89:a6:4f:0a:4f:3c:b0:ab:c1:a1:
             52:da:2b:26:c2:bb:a8:15:09:c9:97:06:03:d8:87:98:ca:25:
             e5:90:cf:86:73:0a:79:f0:98:12:40:18:be:8d:44:f1:c6:f4:
             7c:79:d3:b0:67:5d:20:a8:35:c3:52:81:83:12:e0:62:90:db:
             a4:19:e1:34:42:7e:ed:9b:7a:cb:91:94:e6:16:be:b6:15:28:
             0f:c8:72:cd:fa:1a:b4:df:82:d5:4e:55:8f:d2:78:69:de:b5:
             f1:5f:87:3d:b3:d7:db:aa:09:4d:c7:02:5a:18:ac:ae:d0:86:
             3e:e3:56:a1:b5:6e:0b:d9:62:9e:a4:8f:fd:c1:65:1b:db:3d:
             f6:2c:92:ed:30:13:8f:31:d8:c0:92:6f:a9:c9:5d:ee:ab:ff:
             f3:d1:39:f8:67:74:45:f4:a9:18:26:20:ce:25:ce:1f:b8:67:
             9c:67:b8:16:f3:b1:0e:b5:cf:8b:96:88:12:2d:4b:5c:6e:61:
             00:d3:67:34:2d:08:51:a2:3f:5a:18:fe:e9:e7:9c:e4:b9:0e:
             07:1f:cc:82:e3:79:d7:b5:8d:cf:5c:dc:2e:ee:f0:48:8e:8f:
             3c:1c:65:da:9f:76:85:19:2a:5c:20:2b:59:d5:6c:9b:68:8c:
             b5:e3:ac:a6:91:95:df:92:fa:bc:72:61:ce:5f:a9:7a:a2:6a:
             66:ee:07:03:2d:61:fe:9b:64:88:46:dc:bd:9d:07:7e:22:cf:
             e5:90:bf:60:68:d8:5f:55

    7.1.2. Certificate in PEM format

    -----BEGIN CERTIFICATE-----
    MIIFaDCCA1CgAwIBAgICUNkwDQYJKoZIhvcNAQENBQAwgYcxCzAJBgNVBAYTAkFV
    MRgwFgYDVQQIEw9OZXcgU291dGggV2FsZXMxGjAYBgNVBAoTEUNBY2VydCBUZXN0
    c2VydmVyMSEwHwYDVQQLExhodHRwOi8vY2FjZXJ0MS5pdC1zbHMuZGUxHzAdBgNV
    BAMTFkNBY2VydCBUZXN0c2VydmVyIFJvb3QwHhcNMTkwODIyMDk1NDAwWhcNMjEw
    ODIxMDk1NDAwWjBlMQswCQYDVQQGEwJGUjEWMBQGA1UECAwNSWxlIGRlIEZyYW5j
    ZTEOMAwGA1UEBwwFUGFyaXMxEjAQBgNVBAoMCUVsbGlzIEJCUzEaMBgGA1UEAwwR
    ZWxsaXMuc2l0ZXBhcmMuZnIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
    AQCWZ+HRamkFyPXqL6kNeiH2Vy0kFaovLMWFef5vWpqM5tRlLmO1rDkZVlP5TVZW
    gNuRWtbenYBj4QAg6Jw8B1sdZzF29Aa7dHjVVw7JPHNMDKwyiwuLIJvVbnbpy33f
    WgeR0qqb2llih9Kx+/lCVMBMtVNeKoVawgD31hHbYmy2AJI20A43Q4dIBJ/5gMab
    N+Vsb+nEWjoeLr6MjS2t5kw14uuH47dQ9S1xo672Nn5TctmqRQ1O607L7sicGfh/
    6RNrVN+PjotXUaPHJiThb5Dd6DrxqQElpPQFPHMH3T1vtuwnovDIJ3qaluPMNRwa
    30Vr/UsnBbF0SbS09EPbLOAHAgMBAAGjgf4wgfswDAYDVR0TAQH/BAIwADAOBgNV
    HQ8BAf8EBAMCA6gwNAYDVR0lBC0wKwYIKwYBBQUHAwIGCCsGAQUFBwMBBglghkgB
    hvhCBAEGCisGAQQBgjcKAwMwMwYIKwYBBQUHAQEEJzAlMCMGCCsGAQUFBzABhhdo
    dHRwOi8vb2NzcC5jYWNlcnQub3JnLzAxBgNVHR8EKjAoMCagJKAihiBodHRwOi8v
    Y3JsLmNhY2VydC5vcmcvcmV2b2tlLmNybDA9BgNVHREENjA0ghFlbGxpcy5zaXRl
    cGFyYy5mcqAfBggrBgEFBQcIBaATDBFlbGxpcy5zaXRlcGFyYy5mcjANBgkqhkiG
    9w0BAQ0FAAOCAgEAsuVkJiGC8BxNhzyz/ieRbYtmSqWIymUgKRQ4gurP6JQvdwBO
    9cvXnxu38ak79IE1egWHncUFlwSiFvYIqr5rS2GbxZNO0Mr4vZWrQ1kT2f+zibWM
    47sRIILk58gCZlOICOIznDtS8OwusqT8f8+bniiKLEEadBq6BjIfQgoBYKQIf3Hs
    4LOaMy89bZMtAeVltAfo99yLlkPE/xcWOHnKANYLmQH46innfOPhQuvV5T79dvpr
    8/H7CKtYVvpL6NzsZOtOK/ziC6CFVvkHAqRkHiU1wjW0muF3d24oT6ylwH2Jpk8K
    Tzywq8GhUtorJsK7qBUJyZcGA9iHmMol5ZDPhnMKefCYEkAYvo1E8cb0fHnTsGdd
    IKg1w1KBgxLgYpDbpBnhNEJ+7Zt6y5GU5ha+thUoD8hyzfoatN+C1U5Vj9J4ad61
    8V+HPbPX26oJTccCWhisrtCGPuNWobVuC9linqSP/cFlG9s99iyS7TATjzHYwJJv
    qcld7qv/89E5+Gd0RfSpGCYgziXOH7hnnGe4FvOxDrXPi5aIEi1LXG5hANNnNC0I
    UaI/Whj+6eec5LkOBx/MguN517WNz1zcLu7wSI6PPBxl2p92hRkqXCArWdVsm2iM
    teOsppGV35L6vHJhzl+peqJqZu4HAy1h/ptkiEbcvZ0HfiLP5ZC/YGjYX1U=
    -----END CERTIFICATE-----


    7.2. Copy of the Org Client generated certificate:

    7.2.1. Certificate in text format

    $ openssl x509 -text -noout -in 2019-08-22_OrgaClientCert.pem

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 23477 (0x5bb5)
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: O=CAcert Testsever, OU=http://cacert1.it-sls.de, CN=CAcert Testserver Class 3
            Validity
                Not Before: Aug 22 11:26:19 2019 GMT
                Not After : Aug 21 11:26:19 2021 GMT
            Subject: C=FR, ST=Ile de France, L=Paris, O=Ellis BBS, OU=Gro\xC3\x9Fe Katastrophe, CN=John Doe (The Original!)/emailAddress=John.Doe@ellis.siteparc.fr
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        00:96:67:e1:d1:6a:69:05:c8:f5:ea:2f:a9:0d:7a:
                        21:f6:57:2d:24:15:aa:2f:2c:c5:85:79:fe:6f:5a:
                        9a:8c:e6:d4:65:2e:63:b5:ac:39:19:56:53:f9:4d:
                        56:56:80:db:91:5a:d6:de:9d:80:63:e1:00:20:e8:
                        9c:3c:07:5b:1d:67:31:76:f4:06:bb:74:78:d5:57:
                        0e:c9:3c:73:4c:0c:ac:32:8b:0b:8b:20:9b:d5:6e:
                        76:e9:cb:7d:df:5a:07:91:d2:aa:9b:da:59:62:87:
                        d2:b1:fb:f9:42:54:c0:4c:b5:53:5e:2a:85:5a:c2:
                        00:f7:d6:11:db:62:6c:b6:00:92:36:d0:0e:37:43:
                        87:48:04:9f:f9:80:c6:9b:37:e5:6c:6f:e9:c4:5a:
                        3a:1e:2e:be:8c:8d:2d:ad:e6:4c:35:e2:eb:87:e3:
                        b7:50:f5:2d:71:a3:ae:f6:36:7e:53:72:d9:aa:45:
                        0d:4e:eb:4e:cb:ee:c8:9c:19:f8:7f:e9:13:6b:54:
                        df:8f:8e:8b:57:51:a3:c7:26:24:e1:6f:90:dd:e8:
                        3a:f1:a9:01:25:a4:f4:05:3c:73:07:dd:3d:6f:b6:
                        ec:27:a2:f0:c8:27:7a:9a:96:e3:cc:35:1c:1a:df:
                        45:6b:fd:4b:27:05:b1:74:49:b4:b4:f4:43:db:2c:
                        e0:07
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints: critical
                    CA:FALSE
                Netscape Comment:
                    To get your own certificate for FREE head over to http://www.CAcert.org
                X509v3 Key Usage: critical
                    Digital Signature, Key Encipherment, Key Agreement
                X509v3 Extended Key Usage:
                    E-mail Protection, TLS Web Client Authentication, Microsoft Encrypted File System, Microsoft Server Gated Crypto, Netscape Server Gated Crypto
                Authority Information Access:
                    OCSP - URI:http://ocsp.cacert.org

                X509v3 CRL Distribution Points:

                    Full Name:
                      URI:http://test.cacert.org/test-class3-revoke.crl

                X509v3 Subject Alternative Name:
                    email:John.Doe@ellis.siteparc.fr
        Signature Algorithm: sha256WithRSAEncryption
             c0:11:7f:12:84:96:65:b3:70:cc:6c:5b:c6:ca:9a:18:07:d6:
             1e:c5:58:34:46:0d:1d:e9:7d:40:40:a4:65:cf:51:17:d3:ec:
             8f:fa:a3:3c:d2:8b:69:d3:26:cb:4a:7e:a9:13:6c:67:b4:70:
             54:86:55:f8:20:08:49:47:db:2b:ba:f3:9a:aa:a2:0b:60:eb:
             b0:f2:70:70:c6:a5:4c:e4:ce:f0:db:77:48:8f:e5:3c:b4:7d:
             90:60:18:cd:41:d3:74:07:1b:1e:33:e8:bb:cd:2d:c9:5a:4a:
             8c:4a:61:3d:9c:c0:ea:6e:e4:9b:95:04:05:97:c0:40:96:3e:
             43:5b:ca:c5:2a:21:59:6f:79:22:d0:14:b0:72:97:30:56:07:
             3f:26:59:06:98:b4:cf:91:0b:38:b5:ea:26:a7:9b:a2:35:65:
             71:6b:38:c6:6d:54:59:44:bd:9a:71:a4:c0:64:c9:70:78:0e:
             2b:61:07:82:19:68:e9:46:70:fd:4e:73:78:0c:6c:9b:3e:2a:
             cb:d1:55:65:08:c9:b7:d5:d9:53:54:d1:af:d1:56:12:3c:eb:
             e6:b5:ad:e3:7b:0e:f6:10:1e:b6:e4:98:bf:46:9c:40:48:6f:
             b4:cb:c7:b2:9b:9b:2f:06:3d:0a:14:21:35:c5:88:73:75:52:
             a9:3d:ab:00:8a:6d:2d:d5:88:3c:01:2f:e6:33:5a:2a:db:c8:
             59:5e:02:e1:e7:3d:17:1a:0f:e3:54:eb:86:24:29:f5:fa:5c:
             c0:f0:e1:45:2f:78:62:0e:41:da:ca:e9:fd:b7:a3:92:78:0b:
             6a:0a:00:17:e9:d9:16:18:3f:d8:2e:71:cf:e8:62:e2:98:74:
             ab:90:be:7a:d3:2e:0c:f8:a0:05:72:9c:20:1a:da:2d:ed:4b:
             23:9c:2a:5f:4f:93:d8:5e:f2:0c:49:dc:ac:05:a8:5c:72:8d:
             c8:64:92:20:f1:87:4a:c4:93:ab:4d:e7:f3:f9:32:1d:75:e2:
             56:28:4e:62:8b:b7:e3:f2:49:09:c2:85:b8:37:2e:74:68:53:
             0d:35:0e:97:59:f5:cb:1d:e8:4b:87:0c:9a:f2:42:e2:86:18:
             27:dc:1e:7e:d9:80:63:7d:77:a7:2e:96:f7:f7:de:70:64:a0:
             5b:fc:e3:52:0a:7d:4a:af:2e:ad:21:b6:e1:a8:63:ad:89:50:
             cb:38:c4:d8:f2:c8:1e:79:ce:23:57:a9:85:56:f8:32:bb:04:
             b1:18:3f:61:3d:06:3d:c8:11:c2:26:d7:c6:89:f2:75:8a:b1:
             f6:e2:27:e6:64:be:50:44:2b:b1:b2:5f:19:56:ab:f4:8f:78:
             05:11:f4:c2:32:02:57:ac

    7.2.2. Certificate in PEM format



    8. Side note

    Is it OK for our application to let an Organisation Administrator make use of the same private key / CSR for generating both an Org Server Cert and an Org Client Cert?
    (0005825)
    Ted   
    2019-08-23 18:42   
    > 8. Side note
    >
    > Is it OK for our application to let an Organisation Administrator make use of the same private key / CSR
    > for generating both an Org Server Cert and an Org Client Cert?

    IMHO it does not make much sense to use the same key for different types of certificates (client/server), but it should not pose a problem for CAcert. Though I did not do elaborate evaluations, I don't see how this feature can be abused.

    Of course it is extremely bad practice to use the same key for different certificates, regardless of whether they are of the same or of a different type.
    The only (more or less) sensible use of a key in multiple certificates is when a certificate is renewed, when the certificate has the same relevant content (CN) and only differs in formal fields (expiration date and similar). I personally would advise against even this practice.
    (0005826)
    Ted   
    2019-08-23 18:44   
    This issue now needs to be reviewed. I'll do one review myself and hope Dirk will do the other one. Or is there any other Software Assessor out there?
    (0005827)
    Ted   
    2019-08-23 18:52   
    Reviewed commit ad77a681eda40a7a0331adffaf67bfb16986adac versus d328ebd6ad641a9caf4c80208a14d3b8f768edc0

    The changes are very minimal; the review is PASSED.


    View Issue Details
    ID: 1368 | Category: [Infrastructure] general | Severity: feature | Reproducibility: always | Date Submitted: 2015-02-02 22:59 | Last Update: 2020-06-27 12:22
    Reporter: jandd | Platform:
    Assigned To: jandd | OS:
    Priority: normal | OS Version:
    Status: solved? | Product Version:
    Product Build: | Resolution: fixed
    Projection: none
    ETA: none | Fixed in Version:
    Target Version:
    Summary: setup new webmail system to replace old system
    Description: the current webmail system is based on obsolete Debian Etch (4.0) and needs to be replaced:

    Current Idea:
    - new container with Debian Wheezy (or Jessie if available)
    - setup of Roundcube
    - setup of Community password reset (or a replacement)
    - (optional) LDAP integration
    Tags:
    Steps To Reproduce:
    Additional Information:
    Attached Files:
    Notes
    (0005893)
    jandd   
    2020-06-27 12:22   
    new Webmail on Debian Buster has been set up


    View Issue Details
    ID: 1241 | Category: [Main CAcert Website] misc | Severity: major | Reproducibility: always | Date Submitted: 2014-01-27 12:41 | Last Update: 2020-06-27 12:18
    Reporter: hanno | Platform:
    Assigned To: jandd | OS:
    Priority: high | OS Version:
    Status: solved? | Product Version:
    Product Build: | Resolution: reopened
    Projection: none
    ETA: none | Fixed in Version:
    Target Version:
    Reviewed by:
    Test Instructions:
    Summary: cacert.org SSL/TLS configuration is bad on many levels
    Description: I just had a look at how the cacert.org webpage performs in its SSL/TLS settings. See the Qualys SSL test:
    https://www.ssllabs.com/ssltest/analyze.html?d=cacert.org

    It's very bad. Issues that should be addressed:
    * It doesn't support TLS 1.1 and TLS 1.2. There have been various issues with older TLS versions due to the crappy way it combines CBC and MAC, so everyone these days recommends supporting TLS 1.2 with GCM.
    * It uses RC4 and MD5 as its first cipher. RC4 should be avoided and MD5 has been extremely broken for a very, very long time.
    * It doesn't ship the class3 as a certificate chain, so people importing the cacert root in their browser will still not see the page cert as valid.
    * Only very limited support for Perfect Forward Secrecy.
    * DH key exchange with 1024 bit only.

    I can give more details and explanations for each of those issues if needed.
    Tags:
    Steps To Reproduce:
    Additional Information:
    Attached Files: CAcert-SSLLabsreport-20141018.pdf (111,978 bytes) 2014-10-18 10:50
    http://bugs.cacert.org/file_download.php?file_id=385&type=bug
    CAcert-SSLLabsreport-20141201.pdf (113,642 bytes) 2014-12-01 15:22
    http://bugs.cacert.org/file_download.php?file_id=393&type=bug
    Notes
    (0004626)
    NEOatNHNG   
    2014-03-10 18:09   
    Cipher suite configuration should probably be changed to something like

    # CAcert cipher suite configuration
    SSLHonorCipherOrder on
    SSLCipherSuite kEECDH:kEDH:AESGCM:ALL:+3DES!RC4:!LOW:!EXP:!MD5:!aNULL:!eNULL


    That doesn't solve the TLS 1.1/1.2 issue, that needs a system upgrade.

    The class3 certificate is not needed in the chain because the certificate is directly signed by the root.

    DH keys with more than 1024 bit are only available in Apache >=2.4.7. Otherwise we would need to patch it ourselves and I wouldn't go down that road right now. That's why in the above cipher spec ECDH is preferred over DH because there the EC key size offers more security than 1024 bit DH. Once Apache 2.4.7 is deployed we should probably switch those because of some uncertainties in EC.
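As an added check (not code from the page or from CAcert), the following Python expands a cipher string with the local OpenSSL build, the same way `openssl ciphers -v` does, and lints every resulting suite against the problems raised in this issue (RC4, MD5, anonymous or null suites, missing forward secrecy, export grade, legacy 3DES). The cipher string is the one proposed in the note above; the linting criteria and function names are my own, and the result depends on the OpenSSL version the local Python is linked against.

```python
import re
import ssl

# SSLCipherSuite value proposed in the note above (copied from the page).
CACERT_2014_SPEC = "kEECDH:kEDH:AESGCM:ALL:+3DES!RC4:!LOW:!EXP:!MD5:!aNULL:!eNULL"

FIELD_RE = re.compile(r"\b(Kx|Au|Enc|Mac)=(\S+)")


def parse_description(description):
    """Split one `openssl ciphers -v` line (name, protocol, Kx=, Au=, Enc=, Mac=)
    into a dict; fields missing from the line default to ''."""
    parts = description.split()
    fields = {"name": parts[0], "protocol": parts[1] if len(parts) > 1 else ""}
    fields.update({key: "" for key in ("Kx", "Au", "Enc", "Mac")})
    for key, value in FIELD_RE.findall(description):
        fields[key] = value
    return fields


def lint_suite(description):
    """Problems with a single suite, using the criteria raised in this issue:
    RC4 or MD5, anonymous key exchange, null encryption, no forward secrecy,
    export grade, and 3DES as a legacy cipher (dropped later in the thread)."""
    f = parse_description(description)
    problems = []
    if f["Enc"].startswith("RC4"):
        problems.append("RC4 stream cipher")
    if f["Mac"] == "MD5":
        problems.append("MD5 MAC")
    if f["Au"] == "None":
        problems.append("anonymous key exchange (aNULL)")
    if f["Enc"] == "None":
        problems.append("null encryption (eNULL)")
    if f["Kx"] not in ("ECDH", "DH", "any"):   # only ephemeral (EC)DH gives forward secrecy
        problems.append("no forward secrecy")
    if f["Enc"].startswith("3DES"):
        problems.append("legacy 3DES")
    if f["name"].startswith("EXP"):
        problems.append("export-grade suite")
    return problems


def lint_spec(spec):
    """Expand an OpenSSL cipher string with the local OpenSSL build, exactly as
    `openssl ciphers -v` does, and lint every suite in server preference order.
    Returns (ordered suite names, {name: problems}). TLS 1.3 suites are skipped
    because SSLCipherSuite does not govern them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)  # raises ssl.SSLError if the string selects nothing
    names, problems = [], {}
    for cipher in ctx.get_ciphers():
        if cipher["protocol"] == "TLSv1.3":
            continue
        names.append(cipher["name"])
        found = lint_suite(cipher["description"])
        if found:
            problems[cipher["name"]] = found
    return names, problems


def preferred_suite_is_ecdhe_aead(names):
    """With SSLHonorCipherOrder on, the server's first suite decides for modern
    clients; check that it is an ECDHE suite with an AEAD (GCM/ChaCha20) cipher."""
    return bool(names) and names[0].startswith("ECDHE-") and (
        "GCM" in names[0] or "CHACHA20" in names[0])


if __name__ == "__main__":
    names, problems = lint_spec(CACERT_2014_SPEC)
    print(f"{len(names)} TLS<=1.2 suites; first: {names[0]}")
    for name, found in problems.items():
        print(f"  {name}: {', '.join(found)}")
```

Suites that survive with only "no forward secrecy" or "legacy 3DES" are the ones the later notes in this issue deal with (DH key size, dropping 3DES); the first assertion to watch is that nothing with RC4, MD5 or anonymous key exchange remains.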
    (0004635)
    NEOatNHNG   
    2014-03-11 23:08   
    New cipher suite configuration was deployed. More ciphers will be available after system update.
    (0004885)
    hanno   
    2014-07-13 12:32   
    I'm surprised that this has been closed as most issues I mentioned are not fixed at all.

    Also, it seems currently the webpage is vulnerable to the CCS injection bug. (it is not THAT severe, because the known attacks only affect newer openssl-versions, but still Adam Langley pointed out that there are likely other attacks without that limitation).
    (0004990)
    sebix   
    2014-09-07 14:10   
    cats.cacert.org has an F-rating: https://www.ssllabs.com/ssltest/analyze.html?d=cats.cacert.org And uses an outdated OpenSSL-Version from prior to June 2014 (nearly 3 full months ago!), as it's affected by CVE-2014-0224. It includes ciphers like RC2, RC4, DES, DES40.
    secure.cacert.org and ocsp.cacert.org only provide up to TLS1.0: https://www.ssllabs.com/ssltest/analyze.html?d=secure.cacert.org https://www.ssllabs.com/ssltest/analyze.html?d=ocsp.cacert.org
    infrastructure.cacert.org uses a cert for monitor.cacert.org
    finance.cacert.org uses a cert from board.cacert.org

    For state-of-the-art crypto in TLS I recommend using 'Applied Crypto Hardening' by https://bettercrypto.org

    CaCert is a showcase project on how crypto should be done and represents an important part of the Web of trust. On the other hand it uses vulnerable and weak crypto on some subdomains.
    (0004991)
    wytze   
    2014-09-07 14:39   
    Please note that this bug primarily concerns www.cacert.org and secure.cacert.org. For these services, we are waiting on the approval of a fairly trivial application bug fix, after which we can re-do the upgrade of the chroot OS environment to Debian Wheezy -- including *much* better openssl support, which will make a considerable rating difference. Still, even without that upgrade, the current SSL Labs rating of these services is "B" when we disregard the trust issue -- an issue, which can only be resolved by getting the CAcert root certificate included in major browser distributions.

    For ocsp.cacert.org, SSL is fairly unimportant: we are receiving ZERO real OCSP requests over SSL (https). The https channel is only used by a few sites trying to establish the security of the site it seems (140 reqs in one full month ...). Still, the "B" rating (again disregarding the trust issue) is fairly decent. We can probably improve it by upgrading the OS to a more recent version.

    cats.cacert.org is another category: this system is not managed by the critical system admin team. Please file a separate bug for this system, so the problem can be assigned to the appropriate sysadmin. At first look, it would seem that a simple reconfig of the Apache webserver there would make a major difference. You could also e-mail cats-admin@cacert.org directly.
    (0004992)
    sebix   
    2014-09-07 15:24   
    Thanks for the response and the explanations, so this issue is currently blocked by 0001260.
    For cats.cacert.org I filed a separate issue, referencing this one.
    (0004993)
    wytze   
    2014-09-07 15:41   
    This issue is specifically blocked by https://bugs.cacert.org/view.php?id=1301.
    https://bugs.cacert.org/view.php?id=1260 has a much wider scope, we don't have to wait for a full fix of that one to address the current issue.
    (0005056)
    wytze   
    2014-10-18 10:49   
    By upgrading the CAcert chroot application environment to Debian Wheezy on October 17, 2014 (see https://lists.cacert.org/wws/arc/cacert-systemlog/2014-10/msg00007.html), the SSL support of the cacert.org main webserver has been brought up-to-date. While there is still scope for improvement (e.g. dropping SSLv3 protocol support, dropping 3DES cipher support), the issues raised in this bug entry appear to have been resolved. I will add a note with the current report from www.ssllabs.com for www.cacert.org.
    (0005057)
    wytze   
    2014-10-18 10:52   
    Check the attached file https://bugs.cacert.org/file_download.php?file_id=385&type=bug for the SSLLabs report for www.cacert.org on October 18, 2014.
    (0005059)
    hanno   
    2014-10-19 15:24   
    This issue has now been closed the second time without being fixed. It's getting ridiculous.

    Unfixed and mentioned in the original report:
    * DH key exchange with insecure length

    Other issues:
    * No ocsp stapling
    * SSLv3 is enabled. If you haven't heard it: SSLv3 is insecure. Completely. This wasn't such a big issue when this bug was opened, but we know better now (POODLE attack 4 days ago)
    (0005060)
    wytze   
    2014-10-19 16:04   
    I did not close the issue, but only reported a significant fix, setting status to "solved?" (note the question mark). Another evaluation would have to take place before the issue could be closed. Evidently it cannot be closed yet.

    As for the issues mentioned:
    * DH key exchange with insecure length
    - DH key length was indeed not addressed by the reported fix.
      Increasing the key length is desirable of course, but currently we are limited
      by the options of the deployed software: Debian Stable (Wheezy) with Apache2
      2.2.22. This will have to wait until Debian Jessie gets promoted to Stable.
    * No OCSP stapling
    - Not mentioned in the original issue. I agree that OCSP stapling is a nice
      feature to have, but again we are limited by Debian/Apache. OCSP stapling is
      supported from Apache 2.3.3 onwards I think, so again Debian Jessie will be
      fine.
    * SSLv3 is enabled
    - Yes, it is and will remain so for another while because we are visited by
      clients with MSIE 6.0, which we must support. But we are planning to phase
      them out. In the meantime, we can recommend everyone to use a contemporary
      browser to visit www.cacert.org; such browsers will support TLS_FALLBACK_SCSV,
      which we also support at the server side, so they are protected against
      unintended protocol downgrades.
    (0005061)
    wytze   
    2014-10-20 13:22   
    The SSLv3 issue has been split off in a separate issue:
       https://bugs.cacert.org/view.php?id=1303
    (0005139)
    wytze   
    2014-12-01 15:22   
    On December 1, 2014, support for SSL3 and 3DES has been disabled on the CAcert webserver, and HSTS has been enabled for additional security hardening.
    Check for details https://lists.cacert.org/wws/arc/cacert-systemlog/2014-12/msg00000.html

    Other options mentioned by the reporter of this issue:
    - DH key length
    - OCSP Stapling
    are still waiting for the Debian project promoting Jessie to stable.
    (0005140)
    wytze   
    2014-12-01 15:23   
    Check the attached file https://bugs.cacert.org/file_download.php?file_id=393&type=bug for the SSLLabs report for www.cacert.org on December 1, 2014.
    (0005171)
    sebix   
    2014-12-14 10:47   
    If I haven't overseen something, this issue has been successfully solved for most sites.
    However, lists.cacert.org still supports SSL3 (but all TLS versions up to 1.2) and anonymous ciphers, and the cipher preference could be better. See https://www.ssllabs.com/ssltest/analyze.html?d=lists.cacert.org for more details.
    (0005174)
    Mathias   
    2014-12-14 13:36   
    Hi!

    To summarize things, I checked the situation on the following hosts that I know:

    - blog.cacert.org: seems OK
    - board.cacert.org: NOT OK, see 0001349
    - bugs.cacert.org: seems OK
    - cats.cacert.org: seems OK
    - email.cacert.org: NOT OK, see 0001350 (HTTPS), 0001351 (SMTP via STARTTLS) - sorry for using the same subject (copy&paste error)
    - git.cacert.org: seems OK
    - irc.cacert.org: NOT OK, see 0001346
    - issue.cacert.org: seems OK
    - lists.cacert.org: NOT OK, see 0001347 (HTTPS), 0001352 (SMTP via STARTTLS)
    - secure.cacert.org: seems OK
    - svn.cacert.org: NOT OK, see 0001348
    - translations.cacert.org: NOT OK, see 0001353
    - wiki.cacert.org: seems OK
    - www.cacert.org: seems OK

    Are there any hosts missing?

    I think it's too early for the "all clear" signal...

    If there's a possibility to help in further examining *and* fixing these issues, please give me a hint.

    Regards
    Mathias
    (0005749)
    wytze   
    2019-01-24 11:36   
    Reassigning this to jandd because the only issue blocking closing this one is 0001350, which is assigned to jandd.
    (0005889)
    jandd   
    2020-06-27 12:18   
    issues with email certificates have been resolved


    View Issue Details
    ID: 1350 | Category: [Main CAcert Website] misc | Severity: major | Reproducibility: always | Date Submitted: 2014-12-14 12:38 | Last Update: 2020-06-27 12:17
    Reporter: Mathias | Platform:
    Assigned To: jandd | OS:
    Priority: urgent | OS Version:
    Status: solved? | Product Version: 2014 Q4
    Product Build: | Resolution: fixed
    Projection: none
    ETA: none | Fixed in Version:
    Target Version: 2014 Q4
    Reviewed by:
    Test Instructions:
    Summary: {community,email}.cacert.org SSL/TLS configuration rated grade F on SSL Labs
    Description: Hi!

    SSL/TLS issues on {community,email}.cacert.org (roundcube via HTTPS):
    - anonymous cipher suites enabled
    - SSLv3 enabled (POODLE attack)
    - no TLS v1.1
    - no TLS v1.2
    - TLS compression enabled (CRIME attack)
    - no secure renegotiation (RFC 5746)
    - no forward secrecy with reference browser provided

    In short: very extremely bad :-(

    Please see
    https://lists.cacert.org/wws/arc/cacert-sysadm/2014-12/msg00000.html

    Thanks for looking into this issue.

    Mathias
    Tags:
    Steps To Reproduce:
    Additional Information:
    Attached Files: SSL_Labs-email.cacert.org-grade_F-20141214.pdf (169,102 bytes) 2014-12-14 12:38
    http://bugs.cacert.org/file_download.php?file_id=398&type=bug
    SSL_Labs-email.cacert.org-grade_B-20150125.pdf (100,750 bytes) 2015-01-25 17:42
    http://bugs.cacert.org/file_download.php?file_id=405&type=bug
    Notes
    (0005209)
    jandd   
    2014-12-27 11:52   
    did the best to improve the configuration but the possibilities are very limited because the community webmail system is still on Apache 2.2.3/Debian Etch and does not support modern TLS versions or cipher suites.

    At least we get a grade B at ssllabs now.
    (0005268)
    Mathias   
    2015-01-25 17:53   
    Debian 4.0 Etch had received official support until 15 Feb 2010, which is nearly five years ago! Hm, if this system isn't actually used/maintained by anybody, there might be someone to press the "big red button" for it...
    (0005269)
    Mathias   
    2015-01-25 18:10   
    I just saw on https://wiki.cacert.org/SystemAdministration/Systems/Email that pressing the "red button" is not a good idea.

    From today's point of view the SSL/TLS configuration is still not satisfying. But the main cause and source of problems (also the ones of this bug) is the VERY OLD system. So, I leave this bug open with stomach pains :-)

    However, thanks, Jan, for digging so deep in this issue.
    (0005888)
    jandd   
    2020-06-27 12:17   
    email, webmail and community get a grade A (ignoring trust issues) now. https has been tested with the ssllabs test, smtp and imap have been tested using https://github.com/drwetter/testssl.sh


    View Issue Details
    ID: 1162 | Category: [Main CAcert Website] source code | Severity: tweak | Reproducibility: have not tried | Date Submitted: 2013-04-17 08:15 | Last Update: 2020-05-22 11:33
    Reporter: Uli60 | Platform:
    Assigned To: INOPIAE | OS:
    Priority: high | OS Version:
    Status: fix available | Product Version: 2013 Q2
    Product Build: | Resolution: open
    Projection: none
    ETA: none | Fixed in Version:
    Target Version:
    Reviewed by:
    Test Instructions:
    Summary: calculate (the passwords) hash in php instead of in mysql -> \\
    Description: subtitle: Increase in password problems after production environment upgrade (2013-04-03)

    Support and Critical team received reports via several channels (email, irc) that people with special chars in their passwords had problems logging on and recovering their passwords.

    Question to critical team about current state of "magic quotes" setting after migration is all OFF
    magic quotes setting before migration was ON

    The "magic quotes" feature has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0

    The support of "magic quotes" probably also relates to other than password storage functions in the webdb code.
    I remember a problem we had back in 2009 with multiplied backslashes in comment fields. PG did some magic on the production system and fixed this problem (this was before the software assessment team started working).

    Global task: mimic the "magic quotes" function in all PHP code that transfers data to and from the MySQL database.
    Tags:
    Steps To Reproduce:
    Additional Information:
    Attached Files:
    Notes
    (0003905)
    INOPIAE   
    2013-04-22 20:35   
    Some hints taken from ticket s20130415.71:
    38 characters,
    upper and lower case, numbers and these special characters <>:+-?@$&\#
    did not work.

    25 characters,
    upper and lower case, numbers and these special characters :$/{[),
    did work.
    (0003908)
    INOPIAE   
    2013-04-23 20:17   
    some hints from the next ticket s20130422.77
    @ seems to make problems
    (0003913)
    INOPIAE   
    2013-04-23 20:56   
    pushed the fix with the exchange from mysql_escape_string to mysql_real_escape_string
    https://github.com/INOPIAE/CAcert/commit/f0318d79dbc69e444fee4c085cdb3ee152318e1c
    (0004047)
    BenBE   
    2013-06-11 21:10   
    On Testserver
    (0004375)
    Eva   
    2013-10-08 22:13   
    (Last edited: 2013-10-08 22:14)
    Changed Password to
    a1<>:+-?@$&\#
    and to
    ""1234567890123sflkjasf$/{[),äöüµ@€ßÆïЖÇѢĕ§;:|° ^~‘`´\/
    and to
    যেমন কিছু我的名字是 اسمي如東西таких как нечто
    (Bengali, easy Chinese, space, Arabic, classic Chinese, Russian)

    Both were accepted and did not produce problems at the login afterwards.

    Then I set the password as Admin again to
    1234567890123sflkjasf$/{[),äöüµ@€ßÆïЖÇѢĕ§;:|° ^~‘`´\/

    I could login without problems afterwards.

    [However, when I tried to reset my password to something quite easy I got an error because it was too short, but neither in the error message nor in the interface for resetting passwords was I informed how long a password has to be. (As SE I could set such a short PW.)]

    => ok

    (0004399)
    JensK   
    2013-10-20 13:44   
    (Last edited: 2013-10-20 13:46)
    1. Changed password (as user) to:
    a1<>:+-?@$&\#
    ""1234567890123sflkjasf$/{[),äöüµ@€ßÆïЖÇѢĕ§;:|° ^~‘`´\/
    যেমন কিছু我的名字是 اسمي如東西таких как нечто
    GP10xwzI5i

    Login worked in all cases => OK

    2. Set another user's password (as admin) to the same passwords as above

    Login worked in all cases => OK

    (0004456)
    NEOatNHNG   
    2013-11-19 15:19   
    The proposed fix only replaces mysql_escape_string() by mysql_real_escape_string(). It does nothing to calculate the password hash in PHP instead of MySQL

    => Rejected
    (0005491)
    GuKKDevel   
    2015-12-11 10:08   
    (Last edited: 2015-12-11 14:58)
    Tried to solve the problem with:

    https://github.com/CAcertOrg/cacert-devel/commit/2cb06760223218ca4b2a0482225d6fbfa77a63bb

    and

    https://github.com/CAcertOrg/cacert-devel/commit/a7eaa6d8e14ba7152e3ed3d200b30ad1eed68610

    But didn't test, because I don't have a Testsystem so far.
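The escape-before-hash failure that issue 1162 describes, and the fix it asks for (compute the hash in application code, not in MySQL), as an added Python illustration; this is not the CAcert PHP code. The PBKDF2 scheme, the in-memory sqlite table and the account names are assumptions; the test passwords are the ones quoted in the notes above.

```python
import hashlib
import hmac
import os
import sqlite3

# Passwords quoted in the notes of issue 1162 (first: the special characters of
# the failing 38-character case; second: the working 25-character set).
PASSWORDS = [
    r"a1<>:+-?@$&\#",
    r"1234567890123sflkjasf$/{[),",
    "যেমন কিছু我的名字是 اسمي如東西таких как нечто",
]

ITERATIONS = 100_000  # PBKDF2 cost; tune for the target hardware


def addslashes(text):
    """Emulate PHP's magic_quotes_gpc / addslashes(): escape \\, ', " and NUL."""
    return (text.replace("\\", "\\\\").replace("'", "\\'")
                .replace('"', '\\"').replace("\0", "\\0"))


def sha1_hex(text):
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def escaping_changes_hash(password):
    """The failure mode: if any escaping (magic quotes, mysql_escape_string)
    reaches the password before it is hashed and is not undone symmetrically,
    the stored hash is that of a different string whenever \\ ' or " occur.
    That is why only passwords containing such characters stopped working."""
    return sha1_hex(addslashes(password)) != sha1_hex(password)


def make_hash(password, salt=None):
    """The fix: hash in the application (PBKDF2-HMAC-SHA256, random salt).
    The stored value is ASCII hex and '$' only, which no SQL escaping or
    charset conversion can alter, so the database only ever stores it."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def check_hash(password, stored):
    """Constant-time comparison against a make_hash() value; False on bad input."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def open_db():
    """Constructed in-memory stand-in for the users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, pwhash TEXT NOT NULL)")
    return conn


def set_password(conn, email, password):
    # Bound parameters carry the values; no string escaping ever touches them.
    conn.execute("INSERT OR REPLACE INTO users (email, pwhash) VALUES (?, ?)",
                 (email, make_hash(password)))


def login(conn, email, password):
    row = conn.execute("SELECT pwhash FROM users WHERE email = ?", (email,)).fetchone()
    return row is not None and check_hash(password, row[0])


def round_trip(passwords=PASSWORDS):
    """Store each password, then confirm that the correct one logs in and a
    near miss does not. Returns one bool per password."""
    conn = open_db()
    results = []
    for i, pw in enumerate(passwords):
        email = f"user{i}@example.invalid"  # constructed test account
        set_password(conn, email, pw)
        results.append(login(conn, email, pw) and not login(conn, email, pw + "x"))
    return results


if __name__ == "__main__":
    for pw in PASSWORDS:
        print(f"escaping changes the hash: {escaping_changes_hash(pw)!s:5}  {pw!r}")
    print("round trip:", round_trip())
```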



    View Issue Details
    ID: 610 | Category: [CATS.cacert.org] User Interface | Severity: feature | Reproducibility: always | Date Submitted: 2008-09-13 04:24 | Last Update: 2020-05-22 11:33
    Reporter: jandd | Platform:
    Assigned To: | OS:
    Priority: normal | OS Version:
    Status: needs work | Product Version:
    Product Build: | Resolution: open
    Projection: none
    ETA: none | Fixed in Version:
    Target Version:
    Summary: use utf-8 as encoding
    Description: Use utf-8 as encoding for all user visible strings to open the possibility to translate to non latin languages.
    Tags:
    Steps To Reproduce:
    Additional Information: Having unix style NL-only line endings would be nice too (saves space and the production system is using Linux anyway).
    Attached Files:
    Notes
    (0001208)
    bigon   
    2008-09-24 08:31   
    Yeah, using utf8 everywhere would be nice. Translingo is using utf8 as encoding, which could cause some issues when saving strings with non-ascii chars.
    (0001210)
    jandd   
    2008-09-25 19:56   
    Using UTF-8 could cause trouble with legacy data in the database. So implementing it in the front end code is not enough. A database conversion script must be implemented too. Maybe a dump and restore with a recode in between will work ... needs testing though.


    View Issue Details
    ID: 755 | Category: [CATS.cacert.org] Content (Questions and Answers) | Severity: major | Reproducibility: always | Date Submitted: 2009-07-13 20:23 | Last Update: 2020-05-22 11:33
    Reporter: duff | Platform:
    Assigned To: Ted | OS:
    Priority: normal | OS Version:
    Status: needs work | Product Version:
    Product Build: | Resolution: open
    Projection: none
    ETA: none | Fixed in Version:
    Target Version:
    Summary: 'back'-button shows solution of test
    Description: After failing the cats once and trying it again, you can view the results of the new test when you use the back button of your browser to get back to the results page of the previous test. Instead of showing the old results, the page content is updated with the new questions.

    Steps to reproduce: start a new test, answer all questions (i.e. randomly) and evaluate. Then start a new test and use the back button of the browser (open it in a new tab) to view the results.
    Tags:
    Steps To Reproduce:
    Additional Information:
    Attached Files: cat-cacert_bug.png (36,856 bytes) 2012-12-31 01:46
    http://bugs.cacert.org/file_download.php?file_id=308&type=bug
    Notes
    (0001462)
    octo   
    2009-07-26 14:32   
    When pressing the “Back” button to get back to the results page, I was asked if I wanted to re-send the POST data. I accepted without thinking much and got presented a results page with 100% correct answers. The system (the main page, too) now shows two tries, the second of which with perfect scores.

    I didn't try to reproduce for obvious reasons, but I think the required steps to be:
    * Take test, submit
    * Wait for results page
    * Follow an arbitrary link
    * Press “Back” button
    * Accept to re-send POST data

    (Sorry should the formatting screw up, there is no preview option..)
    (0001910)
    Uli60   
    2011-04-06 09:09   
    (Last edited: 2011-04-06 09:10)
    jcurl from 0000919
    While I passed my first test with 88%, I was trying to figure out if there was a way to print the results (the comments given, even if correct) are useful (so I further clicked on some other pages). To get back to the results page, I jumped back some pages (sorry, I don't recall to what exact URL).
     
    What happened, the page was empty (i.e. no questions) and told me I had reached 100%.

    This is now recorded as having done the tests twice, whereby I've only done it once. Results confirmed by logging into secure.cacert.org and also cats.cacert.org, whereby I see the system believes I really did two tests.

    (0002681)
    baarn   
    2011-11-08 19:43   
    Confirming this.
    Did the test once and failed, did it again and succeeded. The other three results are from browsing backwards and forward in the browser. As you can see one test "failed" horribly, but the other two succeeded with 100%.

    #-- first two are actual tests
    pos  date                 number of questions  correct
    1    2011-11-08 19:08:01  25                   72 %
    2    2011-11-08 19:28:34  25                   92 %
    #-- below here are fake tests
    3    2011-11-08 19:29:30  25                   100 %
    4    2011-11-08 19:29:50  25                   32 %
    5    2011-11-08 19:29:57  25                   100 %
    (0003583)
    AlainV   
    2012-12-31 01:54   
    (Last edited: 2012-12-31 01:56)
    Confirming how to become an Assurer in only 2 min 39 s:
    please see attachment: cat-cacert_bug.png (36,856 bytes) 2012-12-31 01:46
    Test 100% granted: only click back, back, back, back... just after completing a previous test.



    View Issue Details
    ID: 611 | Category: [CATS.cacert.org] User Interface | Severity: feature | Reproducibility: always | Date Submitted: 2008-09-13 04:28 | Last Update: 2020-05-22 11:32
    Reporter: jandd | Platform:
    Assigned To: | OS:
    Priority: low | OS Version:
    Status: needs work | Product Version:
    Product Build: | Resolution: open
    Projection: none
    ETA: none | Fixed in Version:
    Target Version:
    Summary: use gettext for translations
    Description: instead of using dozens of constants in lang/*.php it would be a good idea to use the proven GNU gettext interface for translation.
    Tags:
    Steps To Reproduce:
    Additional Information:
    Attached Files:
    Notes
    (0001164)
    jandd   
    2008-09-13 04:32   
    This would require work for

    • putting marked text snippets into the existing php code
    • automatic extraction of .pot files (i.e. via make + xgettext)
    • merge of semi-complete .po files (i.e. via make + msgmerge)
    • compilation of .mo files from .po files
    • proper initialization of the gettext system at runtime

    (0005520)
    jandd   
    2016-05-03 18:23   
    created cats project in pootle http://translations.cacert.org/projects/cats/


    View Issue Details
    ID: 1431 | Category: [Main CAcert Website] GPG/PGP | Severity: crash | Reproducibility: always | Date Submitted: 2018-02-19 09:10 | Last Update: 2020-05-22 11:32
    Reporter: wytze | Platform: Main CAcert Website
    Assigned To: GuKKDevel | OS: N/A
    Priority: urgent | OS Version: stable
    Status: needs review & testing | Product Version: 2017 Q4
    Product Build: | Resolution: open
    Projection: none
    ETA: none | Fixed in Version:
    Target Version: 2017 Q4
    Reviewed by:
    Test Instructions:
    Summary: GPG/PGP signing request is not properly checked for images
    Description: A GPG/PGP signing request submitted to CAcert should not contain an image (as stated on the submission page). However, the code which validates and massages the signing request, does not properly check for this. As a result, it is possible to (accidentally or deliberately) create a very large signing request, by including a large image. Such requests will cause the communication between the web frontend and the signer machine to fail, and *all* certificate signing is blocked from that moment on.
    Tags: GPG
    Steps To Reproduce: I have not attempted to reproduce the problem, but there is historic evidence present on the production servers. Look for gpg requests 23644, 23645 or 23656 (they are identical). The first one caused a blockade of all CAcert signing from Friday 16.02.2018 23:01 until Sunday 18.02.2018 16:00, when the problem was recognised and "remedied" by moving the signing request to the side. This particular signing request contained an image of 955207 bytes.
    Additional Information: Due to the nature of this problem, any CAcert user with sufficient points to submit a GPG signing request, is able to block all signing operations. Therefore this bug will be set to private until a solution can be implemented.

    In my view there are two problems to be solved here:
    1. GPG signing requests with images should be rejected or filtered (probably not very difficult).
    2. The communication process between web frontend and signer should be resistant against huge requests: either handle them correctly, or reject them beforehand (probably difficult).
    If issue #1 is solved, the priority for solving issue #2 can be lowered.
    System Description Production version of the CAcert website
    Attached Files:
    Notes
    (0005577)
    GuKKDevel   
    2018-03-05 14:32   
    https://github.com/CAcertOrg/cacert-devel/pull/4/commits/67062a789285c7096e976a7ae7543a569bfc8678


    View Issue Details
    ID: 1441 | Category: [test.cacert.org] test.cacert.org | Severity: block | Reproducibility: always | Date Submitted: 2018-06-19 11:28 | Last Update: 2020-05-22 11:32
    Reporter: GuKKDevel | Platform: Test CAcert Website
    Assigned To: wytze | OS: N/A
    Priority: immediate | OS Version: Test
    Status: solved? | Product Version:
    Product Build: | Resolution: fixed
    Projection: none
    ETA: none | Fixed in Version:
    Target Version:
    Summary: umlauts are not stored/displayed correctly in Testsystem
    Description: Enter a name with an umlaut into https://test.cacert.org/index.php?id=1.

    After verifying, use the test-mgr login and view the account data.

    The umlaut has disappeared and some other characters are shown.

    Therefore, if transferred to the original system, no CAP verification is possible and GPG signing is not possible.
    Tags: browser, certificates, diacritic, legal name, names, organization name, PGP, server certificates
    Steps To Reproduce: Enter a name with an umlaut into https://test.cacert.org/index.php?id=1.

    After verifying, log in as test-mgr and view the account data.

    The umlaut has disappeared and some other characters are shown.
    Additional Information:
    System Description Test version of the CAcert website
    Attached Files:
    Notes
    (0005601)
    egal   
    2018-06-19 18:32   
    moved issue to project "test.cacert.org" as it is not infrastructure-related
    (0005602)
    egal   
    2018-06-19 19:29   
    This issue happens in the production system, too:

    Created a user with umlauts to my own domain, did NOT click on the confirmation link, but checked this user via support console: Umlauts are "broken".
    (0005606)
    wytze   
    2018-06-22 13:04   
    A bug was found in the PHP5 configuration of the CAcert webdb server as
    described in https://bugs.cacert.org/view.php?id=1441: "umlauts are not
    stored/displayed correctly". This bug actually affects all handling of
    non-latin characters by the CAcert application code, and was introduced
    by the upgrade of the CAcert chroot application environment from Debian
    Wheezy to Debian Jessie on April 16, 2018.

    Starting with PHP 5.6, PHP's default character set is set to UTF-8.
    This is not what the current CAcert application code expects, so we
    need to overrule it with the earlier default "iso-8859-1".
    Note that Debian Wheezy contained PHP 5.4.45, while Debian Jessie
    contains PHP 5.6.33.

    Affected files:
       /home/cacert/etc/php5/mods-available/cacert.ini
       /etc/php5/mods-available/cacert.ini
       /root/chroot/mkchrootenv (also in SVN)

    The same changes have been applied to the test.cacert.org and test2.cacert.org
    test servers.

    Note that new accounts created between April 16, 2018 and June 22, 2018,
    may have been affected by this issue. This will be reported as an incident
    to support@cacert.org for arbitration and possible further investigation.

    See also https://lists.cacert.org/wws/arc/cacert-systemlog/2018-06/msg00002.html


    View Issue Details
    ID: 1443
    Category: [Infrastructure] documentation
    Severity: feature
    Reproducibility: N/A
    Date Submitted: 2018-10-26 20:59
    Last Update: 2020-05-22 11:32
    Reporter: jandd
    Platform: Default
    Assigned To: jandd
    OS: any
    Priority: normal
    OS Version: any
    Status: needs work
    Product Version:
    Product Build:
    Resolution: open
    Projection: none
    ETA: none
    Fixed in Version:
    Target Version:
    Summary: write a specification of what the current code in https://git.cacert.org/gitweb/?p=cacert.git does
    Description: There is no proper documentation of the existing code base. This documentation is needed to:

    - write a proper specification for a potential rewrite
    - implement unit tests
    - understand the code base which is especially important for anybody wanting to help
    Tags:
    Steps To Reproduce:
    Additional Information: Documentation should be in a version controlled repository. Human readable (HTML) exports should be generated and published automatically. (See infradocs.cacert.org/jenkins.cacert.org for an example how to do this).
    System Description Default profile.
    Attached Files:
    Notes
    (0005616)
    jandd   
    2018-10-26 22:30   
    I started a new repository at https://git.cacert.org/gitweb/?p=cacert-codedocs.git and set up a Jenkins job https://jenkins.cacert.org/job/cacert-codedocs/ that is triggered by pushes to the master branch of that repository. Pushes to this repository via the git+ssh protocol are allowed to members of the git-doc group on git.cacert.org.
    (0005617)
    jandd   
    2018-10-26 23:53   
    I set up codedocs.cacert.org publishing on Jenkins and the Apache VirtualHost configuration on web.cacert.org and webstatic.cacert.org. https://infradocs.cacert.org/ has been updated. I requested a DNS CNAME for codedocs.cacert.org to make the generated documentation available at https://codedocs.cacert.org/. I'll update the Jenkins job description when the CNAME has been set up.
    (0005620)
    jandd   
    2018-10-29 21:27   
    The code documentation repository is now mirrored to https://github.com/CAcertOrg/cacert-codedocs to encourage contributions.
    (0005646)
    GuKKDevel   
    2018-11-03 14:09   
    I'll try to get the whole www-directory documented.
    (0005652)
    GuKKDevel   
    2018-11-04 13:13   
    Is there a way to build a cross-reference-list?
    So one can see which file uses which file and is used by which file?
    (0005653)
    jandd   
    2018-11-04 18:24   
    It is possible to use the .. index: macros for cross references but I think it would be better to have something more code centric. I'll see if I find some free time to implement something like the IP address list, ssh key list or certificate list build for infradocs.


    View Issue Details
    ID: 1445
    Category: [Main CAcert Website] General
    Severity: minor
    Reproducibility: always
    Date Submitted: 2018-11-04 04:41
    Last Update: 2020-05-22 11:32
    Reporter: pmoulding@cacert.org
    Platform: Test CAcert Website
    Assigned To:
    OS: N/A
    Priority: normal
    OS Version: Test
    Status: new
    Product Version:
    Product Build:
    Resolution: open
    Projection: none
    ETA: none
    Fixed in Version:
    Target Version:
    Reviewed by:
    Test Instructions:
    Summary: The code has cacert.org hardcoded. Replace with settings file.
    Description: There are 2846 instances of cacert.org in the code. Some are comments and some are constants that should be moved to a configuration file.
    Some are straight text and should be something like the following in a .ini file.
    domain_name = cacert.org
    Some are capitalised and should be something like the following in a .ini file.
    domain_name_display = CAcert.org
    Some are email addresses and could be something like the following in a .ini file.
    lists_email_address = cacert-tverify@lists{domain_name}

    In the config file, domain name would be first then substituted into the following settings.
    Tags:
    Steps To Reproduce: Perform a global scan for cacert.org. You will see lines like the following.
    $body .= "CAcert.org user\n\n";
    Additional Information: This could be added to some common code used for other things including an autoloader. I would not hold up the mysql or other issues for this change.
    System Description Test version of the CAcert website
    Attached Files:
    Notes
    (0005651)
    jandd   
    2018-11-04 09:08   
    this is not an infrastructure (system administration) issue. It does not belong in this bug tracker project but in the main website project.


    View Issue Details
    ID: 1444
    Category: [Main CAcert Website] source code
    Severity: major
    Reproducibility: always
    Date Submitted: 2018-10-29 20:18
    Last Update: 2020-05-22 11:31
    Reporter: bdmc
    Platform: Default
    Assigned To: bdmc
    OS: any
    Priority: normal
    OS Version: any
    Status: needs review & testing
    Product Version:
    Product Build:
    Resolution: open
    Projection: none
    ETA: none
    Fixed in Version:
    Target Version: 2017 Q4
    Reviewed by:
    Test Instructions:
    Summary: Update PHP <? tags appropriately
    Description: Go through source code and
    1. change <?= to <? echo
    2. change <? to <?php
    3. change each() to foreach()

    Tags:
    Steps To Reproduce:
    Additional Information: Part of bug-1260
    System Description Default profile.
    Attached Files:
    Notes
    (0005621)
    bdmc   
    2018-10-30 04:59   
    (Last edited: 2018-11-02 18:05)
    mysql.php seems to be missing from source code for bug-1260. ( should be in includes/mysql.php )
    After discussion, I found that this file is "hand-created" on the appropriate server when the code is deployed.

    All other required files appear to be present, but they may not be found in a test system because references to them are absolute paths.

    (0005622)
    bdmc   
    2018-10-30 05:00   
    There are hard-coded references to "http://cacert.org," which can probably cause trouble in development and test systems.
    (0005641)
    bdmc   
    2018-11-02 18:07   
    This code is now available for testing.
    (0005642)
    bdmc   
    2018-11-02 18:09   
    I found several thousand ( 2500 - 3000 ) instances of required tag changes. Only one instance of each() in the source code that was derived from "release."
    (0005643)
    bdmc   
    2018-11-02 18:10   
    The ending "?>" tag, at the bottom of PHP source files can be removed.
    (0005644)
    GuKKDevel   
    2018-11-02 18:16   
    I think you shouldn't remove the "?>" tag at the bottom of the PHP source files.

    This could lead one to assume that some source code is missing.
    (0005645)
    bdmc   
    2018-11-02 18:23   
    Current "best practice" is to omit that tag, because it prevents anything being put into the HTML that is not intended ( extra new lines, extra spaces, etc. ).

    On the other hand, I just noted it as something to consider. I did not make this change.
    (0005696)
    Ted   
    2018-12-03 20:53   
    Brian, when trying to merge your changes into the test branch I ran into troubles with the "require_once( "general.php" );" in www/index.php which I still do not understand.

    First of all, the path does not look right when compared to the other require_once statements, but even with the path a "not found" error is reported.

    Why did you add this line? Other files seem to include require_once("../includes/lib/general.php") or require_once("../includes/mysql.php"), general.php from include seems only to be used by files which are currently not active in the web page...
    (0005697)
    bdmc   
    2018-12-03 21:36   
    I'm sorry, Ted. That was added for testing, and I forgot to remove it afterwards. Done now. general.php is in includes and includes/lib.


    View Issue Details
    ID: 1450
    Category: [Main CAcert Website] source code
    Severity: tweak
    Reproducibility: always
    Date Submitted: 2018-11-11 19:12
    Last Update: 2020-05-22 11:31
    Reporter: bdmc
    Platform:
    Assigned To:
    OS:
    Priority: low
    OS Version:
    Status: needs work
    Product Version:
    Product Build:
    Resolution: open
    Projection: none
    ETA: none
    Fixed in Version:
    Target Version:
    Reviewed by:
    Test Instructions:
    Summary: Modify sendmail function in CAcert to include test functionality
    Description: Ensure that the source code for the web site uses only a mail function that is contained within the web site source code.

    This mail function will use configuration variables to control whether it is in Test or Production mode, as well as other options.
    Tags:
    Steps To Reproduce:
    Additional Information: This change requires the Configuration File change described in Bug 1449.
    Attached Files:
    Notes
    (0005662)
    bdmc   
    2018-11-11 20:21   
    (Last edited: 2018-11-14 03:43)
    At present, the only modification to the sendmail() function is to test for a Production State being either Production or Test. If it is Test, then the destination e-mail address is modified to a pre-determined ( configuration variable ) value.

    That modification removes the existing To address from the sendmail() call, and replaces it with an address found in the configuration file.

    (0005669)
    GuKKDevel   
    2018-11-14 14:09   
    Did you check whether, and where, there is a mechanism on the test server to reroute emails to test-mgr?

    For testing purposes it is not useful to send all mails to a predefined email address, because in this case only one person can test at a time; or, if sending to a list, all members of that list would get the messages too.
    (0005670)
    jandd   
    2018-11-14 15:09   
    test.cacert.org has a postfix configuration that intercepts all outgoing mails and stores them in a single mailbox that is made available to testmgr via dovecot/IMAP.
    (0005671)
    bdmc   
    2018-11-14 17:56   
    I am informed that the Test Server has special e-mail configuration that can override this change, so am cancelling it.
    (0005674)
    Ted   
    2018-11-15 20:09   
    I agree that this issue is not relevant for bug-1260, and not important for any other issue I'm aware of. There are lots of more important issues open for the "core" developers.

    But it may be a nice warmup exercise for a new developer to provide some possible variants of the sendmail function, so people who want to install their own test server have some options if they don't want (or are not able) to configure their mailer as it currently is on the test server.

    So, maybe we keep this issue open with a low priority, just in case someone new is looking for a job?


    View Issue Details
    ID: 1432
    Category: [Main CAcert Website] source code
    Severity: feature
    Reproducibility: have not tried
    Date Submitted: 2018-03-11 11:19
    Last Update: 2020-05-22 11:31
    Reporter: GuKKDevel
    Platform:
    Assigned To: GuKKDevel
    OS:
    Priority: normal
    OS Version:
    Status: needs feedback
    Product Version:
    Product Build:
    Resolution: open
    Projection: none
    ETA: none
    Fixed in Version:
    Target Version:
    Reviewed by:
    Test Instructions:
    Summary: since september, 8th, 2017 CAs must check DNS' CAA records
    Description: Dear Board,

    since September 8th, 2017 CAs must check DNS CAA records. This decision was taken in spring 2017 by the CA/Browser Forum, of which CAcert is a member.

    I can't see that this is already implemented in CAcert's signing software, therefore I would like to ask you to take care of it.

    .....
    BR, Alex.
    Tags: browser, certificates, domain, server certificates
    Steps To Reproduce:
    Additional Information: https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum

    German:
    https://www.golem.de/news/tls-zertifikate-zertifizierungsstellen-muessen-caa-records-pruefen-1709-129981.html
    Attached Files:
    Notes
    (0005579)
    GuKKDevel   
    2018-03-19 13:42   
    The solution won't work on Windows Server, as the parameter DNS_CAA, needed for the PHP function 'dns_get_record', is not defined on any Windows Server (as of 2018-03-18):
     * https://bugs.php.net/bug.php?id=75909
    (0005580)
    GuKKDevel   
    2018-04-05 14:01   
    Mail from Benedict to Etienne:
    <snip>
    CAcert cannot be recorded as a full CA at the CABF, since it is not
    according to WebTrust or ETSI 319 411. The CABF activities therefore only
    affect CAcert if they will voluntarily submit to it. Working at CABF is
    currently neither useful nor advisable due to the number of resources
    available in CAcert.
    <snip>
    (0005633)
    GuKKDevel   
    2018-11-01 12:12   
    mail-correspondence:
    https://lists.cacert.org/wws/arc/cacert-policy/2018-03/msg00000.html
    https://lists.cacert.org/wws/arc/cacert-policy/2018-03/msg00001.html
    https://lists.cacert.org/wws/arc/cacert-policy/2018-03/msg00002.html
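    The check the issue asks for is the CAA evaluation of RFC 6844 (updated by RFC 8659): climb from the requested name toward the root until a CAA RRset is found, then see whether an `issue` (or, for wildcard names, `issuewild`) property names this CA, and refuse issuance on any unknown property with the critical flag set. The block below is an added example in Python, not CAcert's signer code; it runs against a constructed in-memory zone instead of a resolver (so it also sidesteps the missing DNS_CAA constant noted above), and `cacert.org` as the CA's own identifier is an assumption.

```python
CA_IDENTIFIER = "cacert.org"   # assumed issuer domain name this CA would publish

# Constructed zone for the example: owner name -> list of (flags, tag, value).
SAMPLE_ZONE = {
    "example.org": [(0, "issue", "cacert.org"), (0, "issuewild", ";")],
    "locked.example.net": [(0, "issue", ";")],
    "other.example.com": [(0, "issue", "letsencrypt.org")],
    "crit.example.com": [(128, "unknownpolicy", "x")],
}

KNOWN_TAGS = ("issue", "issuewild", "iodef")


def find_caa(name, zone):
    """Climb from name toward the root; return (owner, rrset) of the first
    CAA RRset found, or (None, []) when no ancestor publishes CAA."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zone:
            return candidate, zone[candidate]
    return None, []


def issuance_allowed(fqdn, zone, ca=CA_IDENTIFIER):
    """Return (allowed, reason) for issuing a certificate covering fqdn."""
    wildcard = fqdn.startswith("*.")
    base = fqdn[2:] if wildcard else fqdn
    owner, rrset = find_caa(base, zone)
    if not rrset:
        return True, "no CAA records found, issuance permitted"
    # A critical flag on a property the CA does not understand forbids issuance.
    for flags, tag, _ in rrset:
        if flags & 128 and tag.lower() not in KNOWN_TAGS:
            return False, "critical unknown CAA property %r at %s" % (tag, owner)
    # Wildcard names use issuewild when present, otherwise fall back to issue.
    relevant = "issue"
    if wildcard and any(rr[1].lower() == "issuewild" for rr in rrset):
        relevant = "issuewild"
    values = [rr[2] for rr in rrset if rr[1].lower() == relevant]
    if not values:
        return True, "no %s property at %s, issuance permitted" % (relevant, owner)
    for value in values:
        # Value syntax: "<issuer-domain>[; parameters]"; ";" alone forbids all CAs.
        issuer = value.split(";", 1)[0].strip().lower()
        if issuer == ca:
            return True, "%s property at %s authorises %s" % (relevant, owner, ca)
    return False, "%s property at %s does not authorise %s" % (relevant, owner, ca)


if __name__ == "__main__":
    for name in ("www.example.org", "*.example.org", "locked.example.net",
                 "app.other.example.com", "nothing.example.net", "crit.example.com"):
        print(name, issuance_allowed(name, SAMPLE_ZONE))
```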


    View Issue Details
    ID: 1306
    Category: [Main CAcert Website] certificate issuing
    Severity: major
    Reproducibility: always
    Date Submitted: 2014-09-15 14:25
    Last Update: 2020-05-22 11:30
    Reporter: wytze
    Platform:
    Assigned To: GuKKDevel
    OS:
    Priority: normal
    OS Version:
    Status: fix available
    Product Version: 2014 Q3
    Product Build:
    Resolution: open
    Projection: none
    ETA: none
    Fixed in Version:
    Target Version:
    Reviewed by:
    Test Instructions:
    Summary: expired certificates should not be listed in the CAcert CRLs
    Description: The size of the current CAcert Class1 CRL (http://crl.cacert.org/revoke.crl) is 6.5 megabyte. Even the CAcert Class3 CRL (http://crl.cacert.org/class3-revoke.crl) is already 0.75 megabyte. This is causing an unacceptable huge amount of CRL download traffic (currently over 130 GB *per day*). In addition, it is causing verification failures for certain clients, e.g. the Microsoft Crypto API, due to the long time required for downloading the CRL.

    The main cause for the large size of the CRLs is the inclusion of *all* certificates revoked since the start of CAcert (in 2003) in there. As a result, most of the certs listed as revoked have expired a long time ago already, and are thus invalid anyway. There is no RFC requirement to include such expired certs in the CRL; omitting them will result in CRLs of a much more manageable size.
    Tags:
    Steps To Reproduce: The attached logfile shows an example of failure on the Microsoft platform for the command:
        certutil -f -verify -urlfetch -t 30 server.crt
    Additional Information: See also http://social.technet.microsoft.com/Forums/windowsserver/en-US/7e69d0d1-1df2-4830-8d22-f887b6261062/cacert-revocation-server-offline?forum=w7itprosecurity
    Attached Files: crl-size-issue.log (5,228 bytes) 2014-09-15 14:25
    http://bugs.cacert.org/file_download.php?file_id=381&type=bug
    EliminateExpired.pl (4,694 bytes) 2018-11-01 13:03
    http://bugs.cacert.org/file_download.php?file_id=439&type=bug
    EliminateExpired.V2.pl (7,889 bytes) 2018-11-01 13:03
    http://bugs.cacert.org/file_download.php?file_id=440&type=bug
    Notes
    (0005594)
    GuKKDevel   
    2018-06-06 10:34   
    At test.cacert.org a first workaround is available under /home/GuKKDevel/bug-1306/EliminateExpired.pl.

    Since the CRL is built from the database file index.txt in the directory named in the config file, the above module reads this file and writes the records either to the file for eliminated records or to the next index.txt file, depending on the date of revocation and expiration. Both have to be younger than 62 days (2 months) in the past.

    At this stage, the files index.txt and index.temp.new have to be renamed manually afterwards.
    (0005595)
    egal   
    2018-06-06 10:40   
    There is a retention time of three months after the last certificate expired/was revoked before an account can be closed for support. I suggest the same duration for CRL.
    (0005597)
    GuKKDevel   
    2018-06-06 10:57   
    Agreed, so let's make it 100 days.
    (0005634)
    GuKKDevel   
    2018-11-01 13:03   
    I did a fix.

    Appended are two versions to choose from.
    (0005791)
    Ted   
    2019-04-05 21:33   
    Current signer configuration can be found at https://svn.cacert.org/CAcert/SystemAdministration/signer/
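    The filtering that notes 0005594 and 0005597 describe works on the OpenSSL CA database index.txt: tab-separated status, expiry, revocation time (optionally with ",reason"), serial, file name and subject. The block below is an added example in Python, not the attached EliminateExpired.pl: a revoked entry is dropped only when both its expiry and its revocation time are more than 100 days in the past, so certificates that could still be presented stay in the CRL. The sample index lines and the output file names are constructed.

```python
import os
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 100   # retention agreed in note 0005597


def parse_index_time(value):
    """Parse an index.txt timestamp (YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ) as UTC."""
    value = value.strip()
    fmt = "%y%m%d%H%M%SZ" if len(value) == 13 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def split_index(lines, now, retention_days=RETENTION_DAYS):
    """Split index.txt lines into (kept, eliminated).

    Only revoked ('R') entries are candidates for elimination, and only when
    both expiry and revocation time lie before now - retention_days. Valid
    ('V') and expired-but-unrevoked ('E') entries are kept untouched, since
    they never appear in the CRL anyway.
    """
    cutoff = now - timedelta(days=retention_days)
    kept, eliminated = [], []
    for line in lines:
        if not line.strip():
            continue
        fields = line.rstrip("\r\n").split("\t")
        if len(fields) < 6:
            raise ValueError("malformed index line: %r" % line)
        status, expiry, revoked = fields[0], fields[1], fields[2]
        if status != "R":
            kept.append(line)
            continue
        revoked_at = parse_index_time(revoked.split(",", 1)[0])
        if parse_index_time(expiry) < cutoff and revoked_at < cutoff:
            eliminated.append(line)
        else:
            kept.append(line)
    return kept, eliminated


def rewrite_index(index_path, now=None, retention_days=RETENTION_DAYS):
    """Write index.temp.new (kept) and index.eliminated (dropped) next to the
    original, which is left in place for the manual rename the note describes.
    Returns (kept_count, eliminated_count)."""
    now = now or datetime.now(timezone.utc)
    directory = os.path.dirname(os.path.abspath(index_path))
    with open(index_path, "r", encoding="utf-8") as fh:
        kept, eliminated = split_index(fh.readlines(), now, retention_days)
    with open(os.path.join(directory, "index.temp.new"), "w", encoding="utf-8") as fh:
        fh.writelines(kept)
    with open(os.path.join(directory, "index.eliminated"), "a", encoding="utf-8") as fh:
        fh.writelines(eliminated)
    return len(kept), len(eliminated)


# Constructed sample index, evaluated at a fixed "now" so results are stable.
SAMPLE_NOW = datetime(2018, 11, 1, tzinfo=timezone.utc)
SAMPLE_INDEX = [
    "V\t200101000000Z\t\t1001\tunknown\t/CN=alive.example.org\n",
    "R\t150101000000Z\t140601000000Z,keyCompromise\t1002\tunknown\t/CN=old.example.org\n",
    "R\t190601000000Z\t181001000000Z\t1003\tunknown\t/CN=recent.example.org\n",
    "R\t180901000000Z\t180801000000Z\t1004\tunknown\t/CN=grace.example.org\n",
    "E\t180101000000Z\t\t1005\tunknown\t/CN=expired.example.org\n",
]

if __name__ == "__main__":
    kept, eliminated = split_index(SAMPLE_INDEX, SAMPLE_NOW)
    print("kept %d, eliminated %d" % (len(kept), len(eliminated)))   # kept 4, eliminated 1
    for line in eliminated:
        print("drop:", line.strip())
```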


    View Issue Details
    ID: 1254
    Category: [Main CAcert Website] website content
    Severity: major
    Reproducibility: always
    Date Submitted: 2014-03-02 16:17
    Last Update: 2020-05-22 11:30
    Reporter: BenBE
    Platform:
    Assigned To: BenBE
    OS:
    Priority: high
    OS Version:
    Status: fix available
    Product Version: 2014 Q1
    Product Build:
    Resolution: open
    Projection: none
    ETA: none
    Fixed in Version:
    Target Version: 2014 Q2
    Reviewed by:
    Test Instructions:
    Summary: Update the signed PGP-Message containing the fingerprints of CAcert
    Description: Raised by a message on the mailing list: there is little a priori information that enables someone distrusting the CAcert class 1 root to verify its integrity and authenticity with the information provided in the root certificate download section (index/3).

    Given you can trace a trust path from your OpenPGP key to the one used to sign the message with the information, you should be able to fully verify the information on that page. Unfortunately the current signature only covers the MD5 and SHA1 hash of the certificate, which both constitute weak hashes by today's standards.

    Thus it'd be nice to have the GnuPG signature be updated to include a much broader set of hashes. See below for more details.
    Tags:
    Steps To Reproduce: Try to verify the CAcert Class 1 Root certificate and CAcert Class 3 Intermediate certificate only by trusting the information in the block on index/3 while distrusting MD5 entirely and assuming SHA1 to be unreliable.
    Additional Information: A better informational block captured in the signature might look like:

    ---
    Fingerprints for the CAcert Class 1 Root certificate:
    =====================================================

    for a in md4 md5 sha1 ripemd160 sha224 sha256 sha384 sha512 whirlpool; do \
    openssl x509 -noout -fingerprint -$a -in class1.pem ; done

    MD4 Fingerprint=
        EB:36:C3:01:E3:AC:CE:CE:D1:C1:DF:A5:D8:17:BC:50
    MD5 Fingerprint=
        A6:1B:37:5E:39:0D:9C:36:54:EE:BD:20:31:46:1F:6B
    SHA1 Fingerprint=
        13:5C:EC:36:F4:9C:B8:E9:3B:1A:B2:70:CD:80:88:46:76:CE:8F:33
    RIPEMD160 Fingerprint=
        EA:B7:2F:F1:24:04:4B:57:D4:45:BE:97:E7:3B:CD:92:C2:6D:AE:1D
    SHA224 Fingerprint=
        60:1D:E5:E5:56:C9:91:B6:BD:A6:75:43:FB:5C
        73:71:BD:E1:27:FF:A6:84:24:2F:66:F3:16:88
    SHA256 Fingerprint=
        FF:2A:65:CF:F1:14:9C:74:30:10:1E:0F:65:A0:7E:C1
        91:83:A3:B6:33:EF:4A:65:10:89:0D:AD:18:31:6B:3A
    SHA384 Fingerprint=
        DF:63:0B:17:89:70:CF:75:B1:E2:4E:F0:DD:7B:F5:24
        B6:9D:64:80:6E:D1:EC:07:BF:D5:F7:AB:32:DE:96:51
        9D:46:CC:CA:D3:B3:E3:89:40:6E:7B:A8:2B:55:B4:B6
    SHA512 Fingerprint=
        EB:0A:D8:4F:11:B4:B0:8B:F7:6C:78:66:EF:32:84:22
        92:BB:B2:86:2F:B6:FC:49:C0:A3:F8:07:62:9C:A8:F5
        DD:28:A0:DE:7B:0C:04:D5:66:02:0A:C4:FF:2B:A4:4E
        2F:61:2A:A5:8A:1A:E4:CC:AC:E4:86:D2:44:95:2F:C2
    whirlpool Fingerprint=
        64:9E:AB:97:59:10:EF:E0:DD:78:D2:A8:B4:B1:D1:6B
        A4:08:39:42:50:F0:1A:A8:6E:38:B4:4A:52:2B:35:75
        ED:98:4A:C9:53:77:BD:DA:E2:18:41:8C:BD:21:41:1A
        EC:53:E2:08:FF:21:31:A2:B2:CF:F3:FB:81:79:AF:D7

    Fingerprints for the CAcert Class 3 Intermediate certificate:
    =============================================================

    for a in md4 md5 sha1 ripemd160 sha224 sha256 sha384 sha512 whirlpool; do \
    openssl x509 -noout -fingerprint -$a -in class3.pem ; done

    MD4 Fingerprint=
        60:B7:CD:A2:F2:18:55:3F:1B:F0:43:31:A4:06:82:9C
    MD5 Fingerprint=
        F7:25:12:82:4E:67:B5:D0:8D:92:B7:7C:0B:86:7A:42
    SHA1 Fingerprint=
        AD:7C:3F:64:FC:44:39:FE:F4:E9:0B:E8:F4:7C:6C:FA:8A:AD:FD:CE
    RIPEMD160 Fingerprint=
        41:A5:08:B6:C7:35:54:58:0E:F6:EE:C1:86:FA:A3:6D:BF:E9:D5:E1
    SHA224 Fingerprint=
        90:C6:94:5B:4B:91:D3:72:49:BD:CD:D2:A4:51
        CC:24:A6:E0:8A:1D:ED:1E:E3:C4:53:7C:17:21
    SHA256 Fingerprint=
        4E:DD:E9:E5:5C:A4:53:B3:88:88:7C:AA:25:D5:C5:C5
        BC:CF:28:91:D7:3B:87:49:58:08:29:3D:5F:AC:83:C8
    SHA384 Fingerprint=
        DF:92:B7:83:6F:2A:CD:A0:07:9A:0B:14:7C:C8:D5:92
        20:E7:6C:76:61:9A:75:3C:0B:64:D1:3F:13:E3:A5:CB
        C6:81:92:0A:86:62:A0:95:44:03:DE:10:AB:72:1D:B1
    SHA512 Fingerprint=
        3C:6E:24:87:E4:9F:43:06:15:E4:E5:7C:9D:8D:67:5F
        36:41:FC:00:3F:7D:95:26:DD:BC:AA:35:DA:6D:5D:B4
        B1:59:03:47:62:BA:BA:4C:29:98:60:42:96:EC:C3:11
        5F:AB:81:2F:04:F0:E4:D4:B2:EE:C6:9C:B3:B8:3B:F1
    whirlpool Fingerprint=
        78:64:5C:D2:20:2A:DB:CC:54:3D:26:38:71:E7:17:15
        66:A0:88:47:E3:E2:26:31:B4:CD:63:7B:B1:D2:53:AC
        EE:0B:19:2A:0C:4F:82:6B:AB:8B:14:0F:09:9D:99:BD
        3B:9E:5D:E8:A6:CA:6D:3D:B6:33:08:52:AA:5F:C4:46

    Fingerprints for the CAcert OpenPGP signing key:
    ================================================

    LC_ALL=C gpg --list-key --fingerprint gpg@cacert.org

    pub 1024D/65D0FD58 2003-07-11 [expires: 2033-07-03]
          Key fingerprint = A31D 4F81 EF4E BD07 B456 FA04 D2BB 0D01 65D0 FD58
    uid CA Cert Signing Authority (Root CA) <gpg@cacert.org>
    sub 2048g/113ED0F2 2003-07-11 [expires: 2033-07-03]
    ---

    This also gives instructions on how to obtain the information presented in the signature block and thus helps people verify this data.
    Attached Files: fix1254.sh (2,813 bytes) 2014-11-13 16:09
    http://bugs.cacert.org/file_download.php?file_id=389&type=bug
    fix1254-signer.sh (2,793 bytes) 2014-11-13 16:13
    http://bugs.cacert.org/file_download.php?file_id=390&type=bug
    files-1254.tar.gz (2,657 bytes) 2014-11-13 16:13
    http://bugs.cacert.org/file_download.php?file_id=391&type=bug
    files_for_certs_folder.zip (2,257 bytes) 2014-11-21 10:38
    http://bugs.cacert.org/file_download.php?file_id=392&type=bug
    Notes
    (0004614)
    dominiks   
    2014-03-02 21:52   
    Actually, the simplest to use (from GPG user perspective) seems to me to sign
    the complete key (root.crt, root.der, root.txt) and supply the detached
    signature. It is the usual procedure and then you need only GnuPG for
    verifying and don't have to verify the hashes, find the bloody openssl syntax
    and then compare again manually the hashes.
    (0004705)
    BenBE   
    2014-04-09 21:59   
    (Last edited: 2014-04-09 22:02)
    Updated version shortened to only include SHA1, SHA-256, SHA-512 and Whirlpool for better compatibility to the average user:

    ---
    Fingerprints for the CAcert Class 1 Root certificate:
    =====================================================

    for a in sha1 sha256 sha512 whirlpool; do \
    openssl x509 -noout -fingerprint -$a -in class1.pem ; done

    SHA1 Fingerprint=
        13:5C:EC:36:F4:9C:B8:E9:3B:1A:B2:70:CD:80:88:46:76:CE:8F:33
    SHA256 Fingerprint=
        FF:2A:65:CF:F1:14:9C:74:30:10:1E:0F:65:A0:7E:C1
        91:83:A3:B6:33:EF:4A:65:10:89:0D:AD:18:31:6B:3A
    SHA512 Fingerprint=
        EB:0A:D8:4F:11:B4:B0:8B:F7:6C:78:66:EF:32:84:22
        92:BB:B2:86:2F:B6:FC:49:C0:A3:F8:07:62:9C:A8:F5
        DD:28:A0:DE:7B:0C:04:D5:66:02:0A:C4:FF:2B:A4:4E
        2F:61:2A:A5:8A:1A:E4:CC:AC:E4:86:D2:44:95:2F:C2
    whirlpool Fingerprint=
        64:9E:AB:97:59:10:EF:E0:DD:78:D2:A8:B4:B1:D1:6B
        A4:08:39:42:50:F0:1A:A8:6E:38:B4:4A:52:2B:35:75
        ED:98:4A:C9:53:77:BD:DA:E2:18:41:8C:BD:21:41:1A
        EC:53:E2:08:FF:21:31:A2:B2:CF:F3:FB:81:79:AF:D7

    Fingerprints for the CAcert Class 3 Intermediate certificate:
    =============================================================

    for a in sha1 sha256 sha512 whirlpool; do \
    openssl x509 -noout -fingerprint -$a -in class3.pem ; done

    SHA1 Fingerprint=
        AD:7C:3F:64:FC:44:39:FE:F4:E9:0B:E8:F4:7C:6C:FA:8A:AD:FD:CE
    SHA256 Fingerprint=
        4E:DD:E9:E5:5C:A4:53:B3:88:88:7C:AA:25:D5:C5:C5
        BC:CF:28:91:D7:3B:87:49:58:08:29:3D:5F:AC:83:C8
    SHA512 Fingerprint=
        3C:6E:24:87:E4:9F:43:06:15:E4:E5:7C:9D:8D:67:5F
        36:41:FC:00:3F:7D:95:26:DD:BC:AA:35:DA:6D:5D:B4
        B1:59:03:47:62:BA:BA:4C:29:98:60:42:96:EC:C3:11
        5F:AB:81:2F:04:F0:E4:D4:B2:EE:C6:9C:B3:B8:3B:F1
    whirlpool Fingerprint=
        78:64:5C:D2:20:2A:DB:CC:54:3D:26:38:71:E7:17:15
        66:A0:88:47:E3:E2:26:31:B4:CD:63:7B:B1:D2:53:AC
        EE:0B:19:2A:0C:4F:82:6B:AB:8B:14:0F:09:9D:99:BD
        3B:9E:5D:E8:A6:CA:6D:3D:B6:33:08:52:AA:5F:C4:46

    Fingerprints for the CAcert OpenPGP signing key:
    ================================================

    LC_ALL=C gpg --list-key --fingerprint gpg@cacert.org

    pub 1024D/65D0FD58 2003-07-11 [expires: 2033-07-03]
          Key fingerprint = A31D 4F81 EF4E BD07 B456 FA04 D2BB 0D01 65D0 FD58
    uid CA Cert Signing Authority (Root CA) <gpg@cacert.org>
    sub 2048g/113ED0F2 2003-07-11 [expires: 2033-07-03]
    ---

    @dominiks: Detached signatures for the downloadable files are a nice idea but are impractical in some situations when encoding/line endings differ or other issues on the client side arise for verification. Furthermore, a detached signature only provides one validation; with this somewhat longer text you have different test vectors, so you can test them as you desire, or if one turns out unreliable.

    (0005104)
    wytze   
    2014-11-13 16:08   
    A script has been written which can be used on the signing server to collect all the signatures requested for this issue. The script is attached.
    (0005105)
    wytze   
    2014-11-13 16:13   
    On November 12, 2014, the fix1254.sh script has been executed on the signing server. Unfortunately, it turned out that the openssl version in use on the signing server is too old to support the 'whirlpool' digest. Hence the script has been edited to omit the generation of 'whirlpool' fingerprints in the documents to be signed.
    The modified script has been attached as fix1254-signer.sh.
    The produced signature files have been attached as a compressed tar file named files-1254.tar.gz.
    (0005115)
    INOPIAE   
    2014-11-21 10:41   
    (Last edited: 2014-11-21 10:44)
    I pushed the fix to https://github.com/INOPIAE/CAcert/commit/c4e1fb4b3d1c155f27679c69728d61918cbb4eeb.
    As I had trouble with the automatic CrLf correction, I attached the files for the certs folder in files_for_certs_folder.zip.
    I renamed the file fingerprint-long-complex.txt.asc to cacert-pki-fingerprints.txt.asc



    View Issue Details
    ID: 1451
    Category: [Main CAcert Website] certificate issuing
    Severity: minor
    Reproducibility: have not tried
    Date Submitted: 2018-11-18 10:01
    Last Update: 2020-05-12 18:27
    Reporter: Ted
    Platform:
    Assigned To:
    OS:
    Priority: low
    OS Version:
    Status: new
    Product Version:
    Product Build:
    Resolution: open
    Projection: none
    ETA: none
    Fixed in Version:
    Target Version:
    Reviewed by:
    Test Instructions:
    Summary: mail addresses
    Description:
    Reported by dastrath, but translated by me:

    "Support regularly received mails from IANA that a mail has been sent to 192.168.x.x. Every time this happens an IANA ticket is created, which is then closed after a few days."

    First of all, there should be some research into whether it is possible to provoke mails being sent to RFC 1918 mail addresses on the test system. Maybe this can happen during registration of a new account, or by trying to add an IP address as a domain.

    IP addresses should not be accepted as domains at all. I'm quite sure that this is already handled, but I did not test. So, use your imagination and try to get the testsystem to accept (or at least, send a probe mail to) an IP address!
    Tags:
    Steps To Reproduce:
    Additional Information:
    Attached Files:
    There are no notes attached to this issue.
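    The check the report asks for, rejecting IP literals where a domain or the domain part of a mail address is expected, is shown below as an added example in Python, not CAcert's validation code. It treats dotted quads, bracketed RFC 5321 address literals and IPv6 literals alike, flags the non-global (RFC 1918 and similar) ranges that produce the IANA tickets mentioned above, and also refuses an all-numeric top-level label so a partial dotted quad cannot slip through; the label regex and sample inputs are constructed.

```python
import ipaddress
import re

# One DNS label: 1-63 chars of [a-z0-9-], not starting or ending with "-".
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def as_ip_literal(host):
    """Return an ip_address object if host is an IP literal, else None.

    Accepts plain IPv4/IPv6 text and the bracketed forms used in mail
    addresses, e.g. "[192.168.1.1]" or "[IPv6:::1]".
    """
    host = host.strip().lower()
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
        if host.startswith("ipv6:"):
            host = host[5:]
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def validate_domain(name):
    """Return (ok, reason) for a name submitted as a domain."""
    name = name.strip().lower().rstrip(".")
    ip = as_ip_literal(name)
    if ip is not None:
        scope = "global" if ip.is_global else "non-global (private, loopback, link-local)"
        return False, "IP literal %s (%s) is not a domain name" % (ip, scope)
    labels = name.split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(label) for label in labels):
        return False, "not a syntactically valid hostname"
    if labels[-1].isdigit():
        return False, "numeric top-level label is not allowed"
    return True, "ok"


def validate_mail_address(addr):
    """Return (ok, reason) for a mail address; the domain part must pass
    validate_domain, so no probe mail can be addressed to an IP literal."""
    local, sep, domain = addr.strip().rpartition("@")
    if not sep or not local:
        return False, "missing local part or @"
    return validate_domain(domain)


if __name__ == "__main__":
    for sample in ("example.org", "192.168.1.1", "192.168.1", "[IPv6:::1]"):
        print(sample, validate_domain(sample))
    for sample in ("alice@cacert.org", "user@192.168.5.7", "user@[10.0.0.1]"):
        print(sample, validate_mail_address(sample))
```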


    View Issue Details
    ID: 1039
    Category: [Main CAcert Website] web of trust
    Severity: minor
    Reproducibility: have not tried
    Date Submitted: 2012-05-12 16:01
    Last Update: 2020-05-12 18:24
    Reporter: INOPIAE
    Platform: Y
    Assigned To:
    OS:
    Priority: high
    OS Version:
    Status: needs review & testing
    Product Version: 2006
    Product Build:
    Resolution: open
    Projection: none
    ETA: none
    Fixed in Version: 2006
    Target Version:
    Reviewed by:
    Test Instructions: Ggh
    Summary: Cyber peretas nomor 085823771018
    Description: Cyber muslim
    Tags:
    Steps To Reproduce: Tfj
    Additional Information: Yghh
    Attached Files: cap-1.pdf (27,636 bytes) 2012-05-12 20:34
    http://bugs.cacert.org/file_download.php?file_id=258&type=bug
    cap.pdf (27,473 bytes) 2018-12-16 12:37
    http://bugs.cacert.org/file_download.php?file_id=462&type=bug
    Notes
    (0002993)
    MarekMazur   
    2012-05-12 18:33   
    "Program Uwierzytelniania CAcert
    Formularz Weryfikacji To¿samo¶ci"
    instead of
    "Program Uwierzytelniania CAcert
    Formularz Weryfikacji Tożsamości"

    "O¶wiadczenie Kandydata"
    should be
    "Oświadczenie Kandydata"

    "Imiê i Nazwisko:"
    should be:
    "Imię i Nazwisko:"

    "Zgadzam siê z CAcert Community Agreement."
    should be:
    "Zgadzam się z CAcert Community Agreement."

    "Okazane Dokumenty To¿samo¶ci ze zdjêciem:"
    should be:
    "Okazane Dokumenty Tożsamości ze zdjęciem:"

    "Miejsce Spotkanie Twarz± w Twarz:"
    should be:
    "Miejsce Spotkania Twarzą w Twarz:"

    "Jestem cz3onkiem spo3eczno¶ci CAcert, zda3em Assurance Challenge, i posiadam conajmniej 100 pkt potwierdzenia."
    should be:
    "Jestem członkiem społeczności CAcert, zdałem Assurance Challenge i posiadam nie mniej niż 100 pkt wiarygodności."

    Also, when a name contains characters from an encoding other than iso8859-1, there is a problem.

    Accounts with name(s) containing non-latin1 characters are not usable.
    (0002994)
    mat_64   
    2012-05-12 20:43   
    In the Dutch version there are some inconsistencies: capitalisation, use of words, among others. See attached file.
    (0002995)
    INOPIAE   
    2012-05-12 21:00   
    Taken from a mail of Guy Scharinger

    Hello everybody,

    no defect detected in the CAP form in French

    Regards

    Guy Scharinger
    (0002996)
    jjamor   
    2012-05-13 12:30   
    In the Spanish version, I've not seen any special letter problem.

    However, a word is not well translated: "veridicado" should be written "verificado".

    In Pootle terminology, it is correct (verified = verificado).
    (0005714)
    alkas   
    2018-12-16 12:37   
    Czech generated version is completely unusable - most letters with diacritic signs are missing! See the example.
    (0005739)
    Ted   
    2019-01-18 21:17   
    These issues occur when languages use non-cp1252 characters, like the Eastern European ones (Czech, Polish, ...).

    We should probably use the UTF-8 version of the FPDF library: http://www.fpdf.org/en/script/script92.php
    (0005882)
    Adakah   
    2020-05-12 18:24   
    Hhh


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1397 [webstatic] General feature always 2015-08-19 21:50 2020-03-05 08:53
    Reporter: MartinGummi Platform:  
    Assigned To: BenBE OS:  
    Priority: normal OS Version:  
    Status: new Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Summary: evaluate gitolite3
    Description: Debian 8 (jessie) ships gitolite3[1] as the successor of gitolite (2.x)

    Please test gitolite3 and the migration of the current repositories.

    [1] https://packages.debian.org/jessie/gitolite3
    Tags:
    Steps To Reproduce:
    Additional Information:
    Attached Files:
    Notes
    (0005863)
    marthasimons   
    2020-03-05 08:53   
    Test


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1477 [Main CAcert Website] website content minor always 2020-02-11 13:07 2020-02-11 13:07
    Reporter: L10N Platform: all  
    Assigned To: OS: all  
    Priority: normal OS Version:  
    Status: new Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by:
    Test Instructions:
    Summary: swag.cacert.eu is no more available
    Description: As the cacert.eu domain is now redirected to cacert.org, the subdomain swag.cacert.eu is no longer available. The issue is that at the time we distributed or sold coffee cups with a QR code linking to that subdomain.

    I have no idea about the content of this subdomain, as the site is not recorded at the Internet Archive, but at least it should be redirected to a running service.
    Tags: domain, down, merchandising
    Steps To Reproduce: Take a cacert.org coffee cup:
    https://twitter.com/CAcert/status/1158448103650930690/photo/1

    Follow the QR code.
    It goes to swag.cacert.eu

    At swag.cacert.eu is an error message: Site could not be found. (Seite konnte nicht gefunden werden)
    If I change to cacert.eu it is redirected to cacert.org
    Additional Information: As these cups are still around somewhere, it would be nice to fix or redirect it.
    Attached Files:
    There are no notes attached to this issue.


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1447 [Main CAcert Website] block always 2018-11-06 11:26 2020-01-23 10:20
    Reporter: pgmillon Platform: Main CAcert Website  
    Assigned To: OS: N/A  
    Priority: urgent OS Version: stable  
    Status: new Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by:
    Test Instructions:
    Summary: Cannot access main cacert website
    Description: Using Firefox 63.0 on Manjaro Linux 18.0 (Kernel Linux 4.14.78-1-MANJARO) I can't access https://www.cacert.org/ website at all to fetch/update my certificates.

    Error code is SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED
    Tags:
    Steps To Reproduce:
    Additional Information:
    System Description Production version of the CAcert website
    Attached Files: screenshot.png (35,880 bytes) 2018-11-06 11:26
    http://bugs.cacert.org/file_download.php?file_id=446&type=bug
    Notes
    (0005726)
    L10N   
    2019-01-03 13:17   
    What happens, when you "Add Exception…"?
    Can you add an exception?
    (0005727)
    pgmillon   
    2019-01-03 13:30   
    Hi,
    No I can't add an exception.
    (0005728)
    pgmillon   
    2019-01-03 13:31   
    It looks like a combination: algorithm disabled, and can't add an exception because of HSTS.
    (0005729)
    L10N   
    2019-01-03 13:42   
    Have you already tried to replace the root certificate, as described here:
    https://wiki.cacert.org/FAQ#New_Root_Certificates
    (0005789)
    pgmillon   
    2019-04-04 09:52   
    Re-importing the root certificate within Firefox solved the problem
    https://wiki.cacert.org/FAQ?action=AttachFile&do=view&target=CAcert_chain_X0F_X0E.pem
    (0005859)
    alkas   
    2020-01-14 15:00   
    Chains, roots, bundles moved to https://wiki.cacert.org/FAQ/NewRoots
    after 20190410
    (0005860)
    h_hucke   
    2020-01-23 08:40   
    I can't access the main site "https://www.cacert.org/" from Germany: "No route to host". "wiki.cacert.org", which is just a few steps away, is accessible. Possibly "bit.nl" has anti-DDoS measures in place?
    (0005861)
    egal   
    2020-01-23 10:20   
    There had been an issue on the server which hosts www.cacert.org.

    It required a full power-down-cycle to get it running again (after we tried to reboot the server via software yesterday).

    Some more details can be found at blog.cacert.org; a deeper root-cause analysis will be done later today and published there.

    (Small note: This issue has nothing to do with certificate issues on www.cacert.org.)


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1475 [Main CAcert Website] minor always 2020-01-14 15:20 2020-01-14 15:20
    Reporter: alkas Platform: Main CAcert Website  
    Assigned To: OS: Linux  
    Priority: normal OS Version: n/a  
    Status: new Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by:
    Test Instructions: Linux; see description
    Summary: cacert.org DNSSEC contains links to both old and the new roots
    Description: If you use the command "host -t TXT _url.root.g1._fp.cacert.org." referring to the old root, you'll get the link "http://www.cacert.org/certs/root.crt"; if you use the command "host -t TXT _url.root_X0F.g1._fp.cacert.org.", you'll get the link "http://www.cacert.org/certs/root_X0F.crt".
    Possibly the link is constructed from the command (?)
    Both links are valid, i.e. you can download either the old root or the new one.
    Tags:
    Steps To Reproduce: Linux, see description
    Additional Information:
    System Description Production version of the CAcert website
    Attached Files:
    There are no notes attached to this issue.


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1471 [CATS.cacert.org] User Interface major always 2019-10-17 09:51 2019-10-28 21:59
    Reporter: koutras_g@yahoo.com Platform: Default  
    Assigned To: Ted OS: any  
    Priority: high OS Version: any  
    Status: needs feedback Product Version: production  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Summary: https://cats.cacert.org Page error
    Description: When I try to access the cats page I get the below error both on Firefox and Chrome (in incognito mode too).

    Secure Connection Failed

    An error occurred during a connection to cats.cacert.org. PR_END_OF_FILE_ERROR

    Thanks,
    George
    Tags:
    Steps To Reproduce: 1. Start the web browser
    2. Go to: https://cats.cacert.org
    Additional Information:
    System Description Default profile.
    Attached Files: 2019-10-17_11h50_58.png (29,787 bytes) 2019-10-17 09:51
    http://bugs.cacert.org/file_download.php?file_id=469&type=bug
    Notes
    (0005855)
    Ted   
    2019-10-28 21:59   
    Hmm, cats.cacert.org requests a client certificate when you try to connect. If you don't have a client certificate installed it may well be that this is the resulting error. Not really helpful, but sadly that's rather common in this area...

    So, do you have a client certificate installed?


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1305 [Main CAcert Website] certificate issuing major always 2014-09-15 14:07 2019-09-26 18:28
    Reporter: wytze Platform: Main CAcert Website  
    Assigned To: Ted OS: N/A  
    Priority: urgent OS Version: stable  
    Status: needs review & testing Product Version: 2014 Q3  
    Product Build: Resolution: fixed  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by: dastrath, Ted
    Test Instructions:
    Summary: CAcert Class1 root certificate needs to be reissued with an updated CDP and a SHA-based signature
    Description: The CAcert Class1 root certificate (THE CAcert root) is suffering from two operational problems:

    1. The CDP (CRL Distribution Point) listed in the root cert is
            https://www.cacert.org/revoke.crl
    But since we do not want to distribute the (huge) CRL through our main web server but rather through a specialized CRL server, the main web server is redirecting all requests for the above URL to http://crl.cacert.org. It turns out that some validation software, for example Microsoft's CryptoAPI, is unable to deal with such HTTP redirects and reports a verification failure.

    Also, the use of HTTPS in the CDP is *not* recommended, see RFC5280 http://tools.ietf.org/html/rfc5280, in the section Security Considerations:
       When certificates include a cRLDistributionPoints extension with an
       https URI or similar scheme, circular dependencies can be introduced.
       The relying party is forced to perform an additional path validation
       in order to obtain the CRL required to complete the initial path
       validation! Circular conditions can also be created with an https
       URI (or similar scheme) in the authorityInfoAccess or
       subjectInfoAccess extensions. At worst, this situation can create
       unresolvable dependencies.

    So the CDP should be http://crl.cacert.org/revoke.crl.

    2. The current root cert is signed with an MD5 hash. While from a security point of view the quality of the hash algorithm used for such a trusted cert does not matter, from time to time rumours and sometimes even software appear which choke on this. A SHA-256 based signature would kill all such issues right away.

    Tags: certificates
    Steps To Reproduce: Issue 1 can be demonstrated with a command like this on a Windows 7 system:
         certutil -f -verify -urlfetch server.crt
    for some CAcert Class3 issued server certificate. Output of the above command has been added as attachment to this bug entry.

    Issue 2 is demonstrated somewhat by the currently open Bugzilla issue for Firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=1058812
    Additional Information: The CAcert Class3 intermediate root certificate has been resigned in 2011 to deal with the MD5 issue (for this cert, being intermediate, it was truly a blocking problem). A similar procedure could be used to resign the CAcert Class1 root. This will likely be a much faster process than waiting for the results of the NRE (New Roots & Escrow) project.
    System Description Production version of the CAcert website
    Attached Files: crl-redirect-issue.log (5,274 bytes) 2014-09-15 14:07
    http://bugs.cacert.org/file_download.php?file_id=380&type=bug
    Global Sign.p7b (936 bytes) 2014-10-04 09:58
    http://bugs.cacert.org/file_download.php?file_id=384&type=bug
    diff-release-bug-1305 (25,355 bytes) 2018-10-31 13:03
    http://bugs.cacert.org/file_download.php?file_id=437&type=bug
    diff (6,678 bytes) 2018-11-16 15:53
    http://bugs.cacert.org/file_download.php?file_id=450&type=bug
    CAcert_Root_Certificates_X0F_X0E.msi (1,593,344 bytes) 2018-11-16 15:53
    http://bugs.cacert.org/file_download.php?file_id=451&type=bug
    CAcert_chain_X0F_X0E.pem (7,503 bytes) 2018-11-18 00:43
    http://bugs.cacert.org/file_download.php?file_id=452&type=bug
    cacert-bundle_X0F_X0E.crt (16,180 bytes) 2018-11-18 00:43
    http://bugs.cacert.org/file_download.php?file_id=453&type=bug
    Poznámka 2018-12-03 223514.jpg (57,342 bytes) 2018-12-03 21:36
    http://bugs.cacert.org/file_download.php?file_id=454&type=bug
    CAcert_Root_Certificates_X0F_X0E.zip (354,216 bytes) 2018-12-14 12:30
    http://bugs.cacert.org/file_download.php?file_id=457&type=bug
    cap_X0F_X0E.docx (56,714 bytes) 2018-12-14 12:30
    http://bugs.cacert.org/file_download.php?file_id=458&type=bug
    cap-blank_X0F_X0E.docx (56,816 bytes) 2018-12-14 12:30
    http://bugs.cacert.org/file_download.php?file_id=459&type=bug
    cap_X0F_X0E.pdf (677,261 bytes) 2018-12-14 12:47
    http://bugs.cacert.org/file_download.php?file_id=460&type=bug
    cap-blank_X0F_X0E.pdf (602,157 bytes) 2018-12-14 12:47
    http://bugs.cacert.org/file_download.php?file_id=461&type=bug
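    An added example (not CAcert code, and not part of the ticket) of how a relying party's own tooling would surface the two problems from the description. AuditTrustAnchor inspects the fields Go's x509 package exposes after ParseCertificate; oldRoot and newRoot are constructed structs whose fields mirror the description (MD5 signature, https CDP) and the layout asked for (SHA-256, http CDP, OCSP in AIA), not real certificates. ProbeCDP models a validator that, like the CryptoAPI behaviour the ticket describes, does not follow HTTP redirects; redirectingCDP is a constructed local stand-in for the www.cacert.org redirect so that the probe runs offline. The finding texts and the 5 second timeout are assumptions.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"time"
)

// AuditTrustAnchor reports, for a parsed certificate, the two operational problems the
// ticket describes: a signature hash that relying parties now reject, and CRL/OCSP/CA-issuer
// URIs that use https, which RFC 5280's Security Considerations warn forces a relying party
// to validate a second path just to fetch the CRL it needs for the first one.
func AuditTrustAnchor(c *x509.Certificate) []string {
	var findings []string
	switch c.SignatureAlgorithm {
	case x509.MD2WithRSA, x509.MD5WithRSA, x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		findings = append(findings, "signature algorithm "+c.SignatureAlgorithm.String()+" is rejected by current validators")
	}
	check := func(field string, uris []string) {
		for _, raw := range uris {
			if u, err := url.Parse(raw); err != nil || u.Scheme != "http" {
				findings = append(findings, field+" "+raw+" should be a plain http URI (the CRL is signed; TLS only adds a circular dependency)")
			}
		}
	}
	check("CRL distribution point", c.CRLDistributionPoints)
	check("OCSP responder", c.OCSPServer)
	check("CA issuers", c.IssuingCertificateURL)
	return findings
}

// ProbeCDP fetches a CDP the way a redirect-blind validator (the ticket names Microsoft
// CryptoAPI) sees it: any 3xx answer is a failure, because such a client never reaches
// the CRL behind the redirect.
func ProbeCDP(uri string) (status int, err error) {
	client := &http.Client{
		Timeout:       5 * time.Second, // assumption: a short fetch budget
		CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse },
	}
	resp, err := client.Get(uri)
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	if resp.StatusCode/100 == 3 {
		return resp.StatusCode, fmt.Errorf("CDP %s answers %d redirect to %q; redirect-blind validators fail here", uri, resp.StatusCode, resp.Header.Get("Location"))
	}
	if resp.StatusCode != http.StatusOK {
		return resp.StatusCode, fmt.Errorf("CDP %s answers %d", uri, resp.StatusCode)
	}
	return resp.StatusCode, nil
}

// redirectingCDP is a constructed stand-in for the www.cacert.org setup the ticket
// describes: /revoke.crl answers a 302 to the real location, /crl/revoke.crl serves it.
func redirectingCDP() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/revoke.crl", func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, "/crl/revoke.crl", http.StatusFound)
	})
	mux.HandleFunc("/crl/revoke.crl", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/pkix-crl")
		w.Write([]byte("placeholder, not a real CRL")) // constructed body
	})
	return httptest.NewServer(mux)
}

// Constructed parsed-field views of the 2014 Class 1 root and of the re-signed layout
// the ticket asks for (not real certificates).
var oldRoot = &x509.Certificate{
	SignatureAlgorithm:    x509.MD5WithRSA,
	CRLDistributionPoints: []string{"https://www.cacert.org/revoke.crl"},
}

var newRoot = &x509.Certificate{
	SignatureAlgorithm:    x509.SHA256WithRSA,
	CRLDistributionPoints: []string{"http://crl.cacert.org/revoke.crl"},
	OCSPServer:            []string{"http://ocsp.cacert.org"},
}

func main() {
	fmt.Printf("old root: %q\n", AuditTrustAnchor(oldRoot))
	fmt.Printf("new root: %q\n", AuditTrustAnchor(newRoot))
	srv := redirectingCDP()
	defer srv.Close()
	_, err := ProbeCDP(srv.URL + "/revoke.crl")
	fmt.Println("redirecting CDP:", err)
	_, err = ProbeCDP(srv.URL + "/crl/revoke.crl")
	fmt.Println("direct CDP:", err)
}
```

    To audit a real trust anchor, replace oldRoot with the result of x509.ParseCertificate on the DER of certs/root.crt and pass each CRLDistributionPoints entry to ProbeCDP; a redirecting CDP shows up as the 302 error even though a browser, which follows redirects, would fetch the CRL fine.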
    Notes
    (0005486)
    felixd   
    2015-11-25 23:53   
    There exists a procedure now that will fix this problem:
    https://github.com/CAcertOrg/cacert-procedures/tree/master/rootResignSHA256

    It was executed on test data at FrOSCon.
    The following Audit report documents this execution:
    https://wiki.cacert.org/Audit/Results/session2015.4

    Currently the resulting files (re-signed test certificate, intermediate files, etc.) are kept with the Board, which should soon release them to the public.

    Therefore we should soon (after enough review) be good to go for the real certificate.
    (0005492)
    felixd   
    2015-12-14 21:58   
    We noticed problems related to keeping the serial of the certificate. We therefore need to adjust the serial number to circumvent "reused issuer and serial" errors when the browser has both certificates (i.e. one installed and the other via the SSL handshake).

    I therefore propose:
    https://github.com/yellowant/cacert-procedures/commit/a73faf1dbd8d88ebc490bd182db8c4c9e0dccaf2
    (0005495)
    cilap   
    2016-02-05 09:50   
    The issue has gained more pressure in the meantime.

    On Java and Eclipse I am getting:
    svn: E175002: SSL handshake failed: 'java.security.cert.CertificateException: Certificates does not conform to algorithm constraints'

    Since Oracle has enforced the default handling of rejecting MD2 and MD5 certificates, any SSL connection on Ubuntu 14.04 in combination with a Java VM is failing.
    Sadly the implementation is so stupid that all certificates are read in and added to the trust store during the first connection. And all certificates are checked, not only the ones which should be checked on the chain from the server cert up to the root.

    Is there any plan to reissue the root certificate with a SHA fingerprint and get rid of MD5withRSA?

    A workaround - but only working until the next Java update - is to edit

    vi /usr/lib/jvm/java-8-oracle/jre/lib/security/java.security

    and change it to this:

    #jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
    jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

    #jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768
    jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768

    But from a security perspective it is not really nice that CAcert is still running its root cert on an "obsoleted" algorithm.

    Hope I could help some guys with my report and the workaround description
    (0005512)
    reinhardm   
    2016-03-14 17:00   
    Today I added the new roots into the browser.
    I am running OpenSUSE and Firefox. The roots installed by a mouse click with no problems. I tried several logins where certificate login is required. All worked well.
    I removed the old roots and made a login to https://bugs.cacert.org with no problems.
    I will try further on different browsers and OS versions.
    (0005542)
    bjobjo   
    2017-04-04 16:12   
    Hello,
    I increased the priority and severity.
    Firefox is not accepting the Root Certificate any more, so we have to add an exception for every site that uses the CA Cert Authority.

    The ticket was opened in 2014 and we still don't have a new root cert.

    The whole reputation of CAcert is in danger if the root certs are not secure.

    Please do urgently fix this.
    Current firefox message for example:

    wiki.cacert.org uses an invalid security certificate. The certificate is not trusted because it was signed using a signature algorithm that was disabled because that algorithm is not secure. Error code: SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED
    (0005586)
    dops   
    2018-04-18 21:37   
    New signed roots are tested on multiple platforms, see here: https://lists.cacert.org/wws/arc/cacert-board/2018-04/msg00014.html
    Some people reported to use the certificates for years without any problems.

    Any person left in the software team is welcome to announce where people can continue working.
    (0005628)
    GuKKDevel   
    2018-10-31 13:03   
    a diff we started in Feb 2017 (Dirk, Aleš, and me)
    (0005638)
    Ted   
    2018-11-01 22:53   
    Golffies left a review at https://github.com/CAcertOrg/cacert-devel/pull/9#pullrequestreview-170861329
    (0005660)
    Ted   
    2018-11-08 08:58   
    Benedikt (who was internal Auditor in 2016) has confirmed that the following certificates are the correct ones:

    Root:
    Serial 0000015
    fingerprint: 07ed bd82 4a49 88cf ef42 15da 20d4 8c2b 41d7 1529 d7c9 00f5 7092 6f27 7cc2 30c5
    file:
    http://svn.cacert.org/CAcert/SystemAdministration/signer/re-sign-2016/outputs/new1.txt

    Class 3:
    Serial 0000014
    fingerprint: f687 3d70 d675 96c2 acba 3440 1e69 738b 5270 1dd6 ab06 b497 49bc 5515 0936 d544
    file:
    http://svn.cacert.org/CAcert/SystemAdministration/signer/re-sign-2016/outputs/new3.text
    (0005663)
    Ted   
    2018-11-12 10:06   
    Benedikt also confirms that from his point of view the incident during the re-signing ceremony had no influence on the "trustworthiness" of the keys/certificates.

    So, even if there were an Arbitration case about the details of the re-signing ceremony (I did not find one yet), I don't see any reason why the re-signed certificates should not be installed.
    (0005665)
    Ted   
    2018-11-12 22:04   
    As part of the review process I checked the differences between the "old" and the "new" root certificates:

    1. Serial number: Old 0x0, New 0xf
    2. Signature Algorithm: Old md5WithRSAEncryption, New: sha256WithRSAEncryption
    3. X509v3 Authority Key Identifier: Old contains keyid, DirName and serial, New contains only keyid
    4. X509v3 CRL Distribution Points: Old URI:https://www.cacert.org/revoke.crl, New URI:http://crl.cacert.org/revoke.crl
    5. Netscape CA Revocation Url: Old https://www.cacert.org/revoke.crl, New URI:http://crl.cacert.org/revoke.crl
    6. Authority Information Access: Old (not present), New OCSP - URI:http://ocsp.cacert.org
    7. The signature obviously differs

    Since there is no specification document about the intention of these changes I can only check for harmful side effects and guess about the intentions.

    2. and 7. are obviously intended; these are direct consequences of using a different signing algorithm.

    1. Is a side effect of re-signing. Since RFC5280 requires that "[The serial number] MUST be unique for each certificate issued by a given CA" the serial number cannot be the same as in the old certificate. The exact value of the new serial number is not critical, as long as it remains unique.

    4., 5. and 6. have probably been adjusted to the value which is included in currently issued "normal" certificates. Using http over https to retrieve the CRL makes more sense since the crl itself is signed.

    I'm not sure about 3. https://tools.ietf.org/html/rfc5280#section-5.2.1 does not address using the issuer DN in the X509v3 Authority Key Identifier. Current versions of OpenSSL add it only "if the keyid option fails or is not included" (https://www.openssl.org/docs/man1.0.2/apps/x509v3_config.html), which is obviously not the case here.
    So I guess the issuer DN in Authority Key Identifier is just not used anymore in current software.
    (0005666)
    Ted   
    2018-11-13 22:54   
    Wytze has provided a pointer to https://github.com/BenBE/cacert-procedures/blob/root-resign-sha256/rootResignSHA256/procedure.txt

    While it does not explain the reasons, it makes clear that the observed changes are intentional.

    An additional mail provided by Wytze plausibly explains the reasons of removing issuer and serial from X509v3 Authority Key Identifier. Specifically the serial number must be removed (or adjusted), since the new roots will have different serial numbers, so the serial in Authority Key Identifier would otherwise break the certificate chain.
    (0005673)
    alkas   
    2018-11-15 19:21   
    The difference between CAcert Class 3 Root #A418A and CAcert Class 3 Root #0E:

                                        #A418A                                        #0E
    Serial number                       A418A                                         0E
    Signature                           29:28:85:ae:44:a9:b9:af:a4...                 5a:90:16:d0:36:23:56:64:95...
    X509v3 Authority Key Identifier:
      keyid                             16:B5:32:1B:D4:C7:F3:E0:E6:8E:F3:BD:D2:B0:3A:EE:B2:39:18:D1   (identical in both)
      DirName                           /O=Root CA                                    (absent)
                                        /OU=http://www.cacert.org
                                        /CN=CA Cert Signing Authority
                                        /emailAddress=support@cacert.org
      serial                            00                                            (absent)

    Thus, only #A418A contains the serial number of CAcert Class 1 root #00.
    If the Class 3 Root #0E is used, there is only the http link in the following attribute (identical in both Class 3 roots):
    X509v3 Basic Constraints: critical
                    CA:TRUE
                Authority Information Access:
                    OCSP - URI:http://ocsp.CAcert.org/
                    CA Issuers - URI:http://www.CAcert.org/ca.crt
    (where the file ca.crt contains the Class 1 Root #00)

    Now, if the Class 3 Root #0E is used, and the file ca.crt is replaced by Class 1 Root #0F (SHA256 signed),
    the Class 3 Root is no more tied with the specific (#00) Class 1 Root.
    I have tried this certificate chain on my local network with 2 Web servers, no problems.
    The chain is: CAcert Class 1 Root #0F +--> CAcert Class 3 Root #0E --> any certificate issued by Class 3 Root
                                                                      +--> any certificate issued by Class 1 Root
    Issued client/server certificates do not contain any serial # of signing root(s).

    Does anybody know any objections against this concept?
    (0005675)
    Ted   
    2018-11-15 20:23   
    Hi alkas,

    you are completely right, and were just a little bit faster than me in documenting these facts. :-)

    As I found out while digging through the documentation, this issue has already been noticed during the tests in 2016, it just was not documented here in the bugtracker, but in some external documents.

    Since the issue has been tested in 2016, and the whole thing is quite plausible once someone explains it to you :-), I don't consider it essential to redo all the tests.

    Of course you are nevertheless welcome to replicate the tests and report the results here. But IMHO this is not blocking the continuation of the review.
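    An added example, not CAcert code, of the check that alkas's comparison and Ted's notes on the Authority Key Identifier describe above: Class 3 Root #A418A pins the issuer's name and serial (00) in its AKI, #0E carries only the keyid, and re-signing the Class 1 root under serial 0F therefore breaks the first chain but not the second. The keys are constructed ECDSA keys and the serials 0x00, 0x0F, 0xA418A and 0x0E mirror the notes; names, validity and hash algorithm are assumptions (Go cannot sign with MD5, so the old root is simply the same key certified under a different serial). checkAKI is what a validator that honours all three AKI fields does; Go's own x509.Verify compares the keyid only, which is why it never notices the pin.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var oidAuthorityKeyID = asn1.ObjectIdentifier{2, 5, 29, 35}

// Complete AuthorityKeyIdentifier (RFC 5280 4.2.1.1). Go's x509 decodes only the
// keyIdentifier, so authorityCertIssuer and authorityCertSerialNumber are handled here.
type authorityKeyID struct {
	KeyID  []byte        `asn1:"optional,tag:0"`
	Issuer asn1.RawValue `asn1:"optional,tag:1"` // GeneralNames, IMPLICIT [1]; present iff Serial is
	Serial *big.Int      `asn1:"optional,tag:2"`
}

// dirNameGeneralNames encodes GeneralNames{directoryName [4] EXPLICIT Name} under IMPLICIT [1].
func dirNameGeneralNames(rawName []byte) asn1.RawValue {
	dirName, _ := asn1.Marshal(asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: 4, IsCompound: true, Bytes: rawName})
	return asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: 1, IsCompound: true, Bytes: dirName}
}

// akiExtension names the issuer by keyid; with pinSerial it also embeds the issuer's
// own issuer name and serial number, as CAcert Class 3 Root #A418A does.
func akiExtension(issuer *x509.Certificate, pinSerial bool) pkix.Extension {
	aki := authorityKeyID{KeyID: issuer.SubjectKeyId}
	if pinSerial {
		aki.Issuer, aki.Serial = dirNameGeneralNames(issuer.RawIssuer), issuer.SerialNumber
	}
	der, _ := asn1.Marshal(aki) // well-formed by construction
	return pkix.Extension{Id: oidAuthorityKeyID, Value: der}
}

// checkAKI is the match a validator honouring all three AKI fields performs: keyid must equal
// the candidate issuer's SKI, and a pinned issuer name and serial must match the candidate too.
// (Assumption stated in the lead-in: Go's own chain builder compares the keyid only.)
func checkAKI(child, issuer *x509.Certificate) error {
	var aki authorityKeyID
	for _, ext := range child.Extensions {
		if ext.Id.Equal(oidAuthorityKeyID) {
			if _, err := asn1.Unmarshal(ext.Value, &aki); err != nil {
				return fmt.Errorf("malformed AKI: %v", err)
			}
		}
	}
	if !bytes.Equal(aki.KeyID, issuer.SubjectKeyId) {
		return fmt.Errorf("AKI keyid does not match the candidate issuer's SKI")
	}
	if aki.Serial != nil && aki.Serial.Cmp(issuer.SerialNumber) != 0 {
		return fmt.Errorf("AKI pins issuer serial %x, candidate issuer has serial %x", aki.Serial, issuer.SerialNumber)
	}
	if want, _ := asn1.Marshal(dirNameGeneralNames(issuer.RawIssuer)); aki.Serial != nil && !bytes.Equal(aki.Issuer.FullBytes, want) {
		return fmt.Errorf("AKI issuer name does not match the candidate issuer")
	}
	return nil
}

func caTemplate(serial int64, cn string, extra ...pkix.Extension) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{Organization: []string{"Root CA"}, CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		ExtraExtensions: extra, // an AKI here replaces the keyid-only one Go would generate
	}
}

func mustCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// Fixtures rebuilds the CAcert layout with constructed ECDSA keys: one root key certified twice
// (serial 0x00, then re-signed as 0x0F) and a Class 3 intermediate issued by it, either with
// the old pinned AKI (serial 0xA418A) or the keyid-only AKI (serial 0x0E).
func Fixtures() (oldRoot, newRoot, pinnedClass3, keyidClass3 *x509.Certificate) {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	class3Key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	oldTmpl, newTmpl := caTemplate(0x00, "CA Cert Signing Authority"), caTemplate(0x0F, "CA Cert Signing Authority")
	oldRoot = mustCert(oldTmpl, oldTmpl, &rootKey.PublicKey, rootKey)
	newRoot = mustCert(newTmpl, newTmpl, &rootKey.PublicKey, rootKey)
	pinnedClass3 = mustCert(caTemplate(0xA418A, "CAcert Class 3 Root", akiExtension(oldRoot, true)), oldRoot, &class3Key.PublicKey, rootKey)
	keyidClass3 = mustCert(caTemplate(0x0E, "CAcert Class 3 Root", akiExtension(oldRoot, false)), oldRoot, &class3Key.PublicKey, rootKey)
	return
}

func main() {
	oldRoot, newRoot, pinned, keyid := Fixtures()
	fmt.Println("pinned #A418A -> old root #00:", checkAKI(pinned, oldRoot))
	fmt.Println("pinned #A418A -> new root #0F:", checkAKI(pinned, newRoot))
	fmt.Println("keyid-only #0E -> new root #0F:", checkAKI(keyid, newRoot))
}
```

    Running it prints nil for the first and third check and the serial mismatch for the second, which is exactly the chain break Ted describes: the shared key and keyid let #0E chain to either root, while #A418A is bound to the root with serial 00 and nothing else.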
    (0005677)
    Ted   
    2018-11-15 22:14   
    (Last edited: 2018-11-15 22:14)
    I had a look at the code changes in the bug-1305 branch from GitHub, and I'd propose a few changes:

    * Remove the Windows Installer file CAcert_Root_Certificates_256.msi and the section referring to it. See my mail to the development list for detailed reasons.
    * Remove the sections of the "old versions". The history of the root keys is documented in the WiKi page https://wiki.cacert.org/Roots/StateOverview

    Of course the WiKi page has to be updated once we roll out bug-1305.

    (0005680)
    GuKKDevel   
    2018-11-16 15:53   
    certificates were renamed to correspond to their version, new .msi-installer was added, page to download (pages/index/3.php) was changed to access the new certificates
    (0005683)
    alkas   
    2018-11-18 00:43   
    Two more formats:
    (0005686)
    Ted   
    2018-11-19 22:54   
    GuKKDevel: The fingerprints in the CAP and COAP forms have to be adjusted to the new root certs. See www/cap* and www/coap*

    I'd propose to add a "(since 2019)" text beside the fingerprints, so people may get the idea that the change was intentional...

    If you want to discuss this drop a message to the development list.
    (0005687)
    Ted   
    2018-11-23 20:59   
    Mental note: The updated certificates have to be installed on the signer machine also!
    (0005688)
    wytze   
    2018-11-24 08:22   
    With respect to note https://bugs.cacert.org/view.php?id=1305#c5687 :
    I agree that for consistency the updated root certificates should also be installed on the signer machine, but please note that for the operation of the signer this does not make any difference. The certificates issued by the signer only depend on the ssl configuration files and the root private key; the root certificate has no influence on this. The practical consequence of this is that installation of the updated root certificates can be postponed (or advanced) to a convenient moment (i.e. the need for other maintenance on the signing server), and does not have to be coordinated with the publication/installation of the updated roots on the webdb server.
    (0005690)
    Ted   
    2018-11-28 11:21   
    GuKK: I merged your changes (only the cap*/coap*-Files) into the test-1260 branch which is installed on the testserver.

    Now you can open the CAP forms in the testserver, and you'll see the next problem: The SHA256 checksums are considerably longer than the old MD5 ones.

    So we'll probably need them on two lines. But then we have to make sure that the resulting form still fits on one A4 / Letter page (at least when using the English form)... So, probably, you'll have to dig around a bit more... :-(
    (0005691)
    GuKKDevel   
    2018-11-30 13:16   
    Worked on cap.php:
    split the fingerprint line into two;
    the form fits A4 and Letter.

    All other cap*/coap* files: couldn't find a link to them, so waiting for an answer from Wytze, who designed them.
    (0005692)
    wytze   
    2018-12-02 08:10   
    There appears to be a serious misunderstanding here ... I am *not* the author or designer of the cap/coap files. Inside for example capnew.php you can find a statement about the origin of these files:

    /*
    ** Created from old cap.php 2003, which used the now obsoleted ftpdf package
    ** First created: 12 July 2008
    ** Last change: see Revision date
    ** Reviews:
    ** printed text by Ian Grigg and Teus Hagen (July 2008)
    ** layout/design by Teus Hagen and Johan Vromans (July 2008)
    ** coding by Teus Hagen and ...

    Teus Hagen, former president of CAcert Inc. is the main author as far as I remember, but he is not involved anymore with CAcert. These files were meant as a replacement for the old forms, which are based on software which was already obsolete in 2008, and even more so in 2018. But nobody in software was ever prepared to spend some time to switch over to the new versions. So they are in the source tree, but not actually used.

    There is no urgent need to update these files. If someone ever decides to switch over to them, adjusting the fingerprint text will be a minor effort.

    By the way, I am kind of surprised that the fingerprint layout issue has been raised. There is no real need to display SHA256 fingerprints rather than SHA1 fingerprints for the new roots, the hash algo for the fingerprint does not need to match the hash algo of the certificate's signature (note that currently they also don't match: MD5 vs SHA1). Just updating the SHA1 fingerprints would have been fine I think.
    (0005693)
    Ted   
    2018-12-03 20:25   
    Hmm, I checked what I had in easy reach to find out which kind of fingerprint/checksum is shown by different software:
    Windows 7: SHA1
    Windows 10: SHA256
    Firefox: SHA1 & SHA256

    So, I guess it's OK to move to SHA256 only fingerprints on the CAP forms...
    (0005694)
    Ted   
    2018-12-03 20:36   
    GuKK: The PDF in Letter format is quite full now... Is it easy to reduce the space above the upper box a bit (maybe by half), so there's a bit of reserve at the bottom? Some translations need more room than the English document...

    And, when looking at the German PDF, I noticed that at least the CCA agreement term is set justified, which does not look very nice here. It has probably been so forever, but, as above, if it is not much work please change this to a ragged margin ("Flattersatz") while we are at it.

    Once more, both of these are nice to have. I'd prefer to get the certs online without these changes in December to getting them online with the changes in January...
    (0005695)
    jandd   
    2018-12-03 20:40   
    openssl 1.1.0g x509 -fingerprint: SHA1
    JDK 8 keytool -printcert: SHA1 & SHA256
    gnutls 3.5.18 certtool --fingerprint: SHA1

    I suggest to put both SHA1 and SHA256 fingerprints on the CAP forms
    (0005698)
    alkas   
    2018-12-03 21:36   
    AFAIK, Windows 10 shows SHA1 fingerprint, too - in system cert. viewer - mmc, module Certificates, select and open cert., view Details, at the end is Fingerprint.
    (0005699)
    GuKKDevel   
    2018-12-07 12:27   
    Ted: It is designed explicitly to place the two boxes "Applicant's Statement" and "CAcert Assurer" at exactly the positions where they are; we shouldn't change that.

    The other point: if we make this line two lines for all languages there is no problem. Otherwise I need to find out how to mask a space/blank, or we have to change the Pootle files to append a space to one literal.
    I tried some versions for a whole day. (I think we should not implement this for the moment.)
    (0005700)
    Ted   
    2018-12-07 22:48   
    As decided on today's meeting (https://wiki.cacert.org/Software/Meeting/20181207) we want to add SHA1 fingerprints.

    The rest of the formatting issues is considered low priority.
    (0005701)
    GuKKDevel   
    2018-12-10 13:13   
    Ted: fingerprints are on the CAP form. Please check and, if correct, add to the testserver.

    https://github.com/CAcertOrg/cacert-devel/pull/19/commits/ca4e5f03eef4a8a174437fb065a967ce92dab847
    (0005702)
    Ted   
    2018-12-12 19:38   
    Current changes are installed on the testserver in branch test-1442.

    I checked the German and the English PDF, both are OK; the SHA1 fingerprints match what I get shown on Windows 7.

    Now we need at least two test reports of other people (not the developer and the reviewers), so please test the CAP forms on https://test.cacert.org/index.php and leave reports!
    (0005703)
    bdmc   
    2018-12-13 15:28   
    Where do I find documented the appropriate fingerprints for the SHA-256 Root and Class 3 certificates? I would expect them to be noted in this "Bug" documentation, perhaps in the "Instructions for Testers," so that testers could confirm the values found on forms and other places.
    (0005704)
    bdmc   
    2018-12-13 15:29   
    I see on the US-English CAP Form that the address is "Oatley." Is this correct?
    (0005705)
    bdmc   
    2018-12-13 15:31   
    I see the following values on the CAP PDF.

    SHA256: root: 07ED BD82 4A49 88CF EF42 15DA 20D4 8C2B 41D7 1529 D7C9 00F5 7092 6F27 7CC2 30C5
    and class3: F687 3D70 D675 96C2 ACBA 3440 1E69 738B 5270 1DD6 AB06 B497 49BC 5515 0936 D544
    (0005706)
    kronenpj   
    2018-12-13 21:57   
    The SHA1 and SHA256 checksums are correctly represented in the CAP files, based on the certificates attached as https://bugs.cacert.org/file_download.php?file_id=452&type=bug and https://bugs.cacert.org/file_download.php?file_id=453&type=bug. I did not check the .msi file.
    (0005707)
    L10N   
    2018-12-13 22:03   
    I found this overview on the wiki:
    https://wiki.cacert.org/Roots/StateOverview
    (0005708)
    L10N   
    2018-12-13 22:59   
    No, Oatley is outdated. The current address is:
    Hangar 10 Airfield Avenue, Murwillumbah NSW 2484, New South Wales, (Commonwealth of) Australia
    (0005709)
    GuKKDevel   
    2018-12-14 11:39   
    Changed the address of CAcert Inc. and changed the sha1-fingerprints presentation from 2-char plus colons to 4-chars plus space.
    (0005710)
    alkas   
    2018-12-14 12:30   
    The new version of CAcert root certificates (zipped) and Czech new versions of CAPs. Please have a look.
    (0005711)
    alkas   
    2018-12-14 12:47   
    PDF versions:
    (0005712)
    L10N   
    2018-12-14 13:11   
    I tested CAcert_Root_Certificates_X0F_X0E.zip
    - on Windows 10 Pro, version 1803: unzip, start, there was a warning with a button to abort, I clicked on "more information" to see another button to proceed anyway, which I did. Then I uninstalled the root certs. It finished with an error message "Error." and two buttons: Yes, No. I clicked on Yes, closed the installer.
    I restarted the installer. As there were no more CAcert root certs installed, a window asked me to accept the root distribution license. I did, installation was successful.

    - on Windows 7 Starter 6.1 version 7601: start the installer, security warning, accept license, install process with a window telling me information about the cert being installed. Clicked OK. Installation was successful.
    (0005713)
    L10N   
    2018-12-14 14:39   
    Aleš wrote (by mail): "It’s better to install the roots as anybody with the Administrator’s rights, The Yes-No dialog then will not appear, I guess."

    As I have no admin rights on my employer's PC, I cannot re-test it this way.
    (0005715)
    Ted   
    2018-12-16 21:40   
    New changes are installed on the testserver: Corrected CAcert postal address and format of fingerprints in the CAP forms
    (0005738)
    bdmc   
    2019-01-18 21:13   
    Just examined the test server, and the current version appears correct.

    The certificate SHA-256 fingerprints on Page 3, and all four CAP forms, agree in format and content.

    The certificate downloaded also appears correct, with the correct serial number and SHA256.

    The four CAP forms have the correct mailing address.
    (0005740)
    alkas   
    2019-01-21 16:08   
    The Wiki pages /CapHTML and /CoapHTML contain both old signatures and CAcert's "classical post" address in Australia.
    (0005741)
    L10N   
    2019-01-21 22:16   
    The Wiki page /CapHTML is updated as follows:
    - old Oatley postal address replaced by Murwillumbah address
    - new sha256 signed fingerprints added (old ones remaining, as form is already online, to be removed after certificate roll out)

    The Wiki page /CoapHTML is updated as follows:
    - very old Denistone East postal address replaced by Murwillumbah address
    - new sha256 signed fingerprints added (old ones remaining, as form is already online, to be removed after certificate roll out)

    Fingerprints added to both forms:
    class 1: DDFC DA54 1E75 77AD DCA8 7E88 27A9 8A50 6032 52A5
    class 3: A7C4 8FBE 6B02 6DBD 0EC1 B465 B88D D813 EE1D EFA0
    (0005770)
    Ted   
    2019-02-14 20:43   
    merged updated release branch into bug-1305
    (0005771)
    Ted   
    2019-02-14 21:23   
    (Last edited: 2019-02-14 21:24)
    Karl-Heinz, can you add the SHA1-fingerprints to pages/index/3.php and set CAcert's correct postal address in
    www/cap.html.php
    www/capnew.php
    www/coap.html.php
    www/coapnew.php

    Though I don't know exactly when these pages are used, we should not have documents with the outdated postal address on the main server.

    The c(o)ap* files also miss the SHA1 fingerprint. I'd propose to add them while you are already at it. But that's less important at the moment, if problems (for example with formatting) should occur please just add a note here and concentrate on more important things.

    (0005780)
    bdmc   
    2019-03-08 01:24   
    I have updated the address in all of the above four files.

    However, they also appear to contain the SHA1 fingerprints already. Perhaps someone else did that.
    (0005781)
    Ted   
    2019-03-12 22:51   
    Changes are merged into test-1442 branch and installed on https://test.cacert.org
    (0005782)
    Ted   
    2019-03-17 22:28   
    Brian, in pages/index/3.php the sha1 checksum is still missing. Can you add it?
    (0005783)
    bdmc   
    2019-03-19 18:23   
    Done and checked in.
    (0005784)
    Ted   
    2019-03-31 13:31   
    (Last edited: 2019-03-31 13:37)
    Brian pointed me to the GPG signed message on the key download page (pages/index/3.php), which still uses the old fingerprints.

    Since at the moment I don't know who may create a new message of this kind (access to the signer machine would probably be needed!) I asked Brian to remove the message from the page.
    If we find a way to create a GPG message with the new fingerprints (now or later) it would make sense to add it once more.

    The second GPG message is, more or less, a "self signature of the GPG key". While IMHO this is not really useful, does not hurt, so I'd keep it.

    (0005785)
    bdmc   
    2019-03-31 14:33   
    In one of my versions of my "fix," I had removed that heading, but in the final one I had put it back.

    It is now moved to within the "commented out section," and a comment has been added, trying to explain what we did.

    All checked in.
    (0005786)
    Ted   
    2019-03-31 15:07   
    Great! I'll have a look at it during the next hours...
    (0005787)
    Ted   
    2019-03-31 18:37   
    Reviewed commit da4c71a246b80f399f3a12823ac03fa8c40f42bb versus current release commit 8ab79aad9fd3685129060854340dccd5dbf01a1d

    Though some formatting problems remain, especially in www/capnew.php the review is PASSED
    (0005788)
    wytze   
    2019-04-01 12:46   
    With respect to https://bugs.cacert.org/view.php?id=1305#c5784:

    The procedure for generating these GPG signatures is documented in https://bugs.cacert.org/view.php?id=1254

    The script mentioned there was left on the signer after its execution on Nov 11, 2014, and could be run again after installing re-signed certs on the signer. Obviously this does require a visit to the signer machine by two critical system administrators and one access engineer.
    (0005790)
    egal   
    2019-04-05 20:39   
    There are some format issues (especially in www/capnew.php), but as this CAP form is (normally) not in use, the review is PASSED.

    PGP/GnuPG-signatures are currently commented out, but can be added at a later time (as this requires a visit of the signer, can be done together with another bug).
    (0005792)
    Ted   
    2019-04-07 12:43   
    Sent patch request to critical team, but without CAcert_Root_Certificates_X0F_X0E.msi, since I don't know how I should review that...
    (0005793)
    wytze   
    2019-04-10 10:19   
    The patches have been installed on the production server on April 10, 2019, including the re-signed root certificates.
    See also the log message sent to the cacert-systemlog mailing list here: https://lists.cacert.org/wws/arc/cacert-systemlog/2019-04/msg00002.html
    (0005794)
    wytze   
    2019-04-10 10:21   
    See note https://bugs.cacert.org/view.php?id=1305#c5793
    (0005795)
    wytze   
    2019-04-10 10:30   
    One thing to note: since the patch has added the re-signed root certificates with new names to the system and left the old root certificates in place under their original names, it is still possible that users and applications retrieve the old root certificates. And observing the Apache2 access log, this is indeed the case -- clearly there are some applications which have these names/paths built in. They will not benefit from this patch.
    To tackle this problem, one could consider changing the old certificates to copies of their new counterparts, so users and applications will retrieve the new version irrespective of the name/path used.
    (0005796)
    Ted   
    2019-04-10 18:54   
    According to Wytze's note I re-open this case to create a follow-up patch.
    (0005797)
    Ted   
    2019-04-10 19:03   
    (Last edited: 2019-04-10 19:04)
    Probably the easiest solution will be to rename the old certificate files to something else (like root_X00.* and class3_XA418A.*) and copy the new files to the old names also. So in the future we'll use root.* and class3.* for the "current" certificates, and in addition make the whole history of certificates available using the names with attached serial numbers.

    (0005798)
    bdmc   
    2019-04-11 00:05   
    As discussed above, I have renamed the old certificate files to include their Serial Numbers in the file name.

    I have also copied the current, latest, certificate files to "root.crt" and "class3.crt" to allow for systems that do not properly follow the URI.
    (0005799)
    bdmc   
    2019-04-11 00:06   
    Changed and checked in as per your notes.
    (0005800)
    alkas   
    2019-04-11 17:27   
    I had CAcert issue a new certificate yesterday evening. I then received the following e-mail, containing two fingerprints of CAcert root(s?).
    The first fingerprint belongs to an unknown certificate, and the second fingerprint belongs to the old Class 1 root.
    I guess that should be corrected.
    ----
    Hi Aleš,

    You can collect your certificate for alkas@volny.cz by going to the following location:

    https://www.cacert.org/account.php?id=6&cert=645849

    If you have not imported CAcert's root certificate, please go to:
    https://www.cacert.org/index.php?id=3
    Root cert fingerprint = A6:1B:37:5E:39:0D:9C:36:54:EE:BD:20:31:46:1F:6B
    Root cert fingerprint = 135C EC36 F49C B8E9 3B1A B270 CD80 8846 76CE 8F33

    Best regards
    CAcert.org Support!
    (0005801)
    wytze   
    2019-04-12 08:57   
    With respect to https://bugs.cacert.org/view.php?id=1305#c5800 :
    - the first fingerprint shown is the MD5 fingerprint of the "old" root certificate
    - the second fingerprint shown is the SHA1 fingerprint of the "old" root certificate
    - clearly these messages should be replaced by:
      SHA256 fingerprint: 07ED BD82 4A49 88CF EF42 15DA 20D4 8C2B 41D7 1529 D7C9 00F5 7092 6F27 7CC2 30C5
      SHA1 fingerprint: DDFC DA54 1E75 77AD DCA8 7E88 27A9 8A50 6032 52A5
    - the affected source file is CommModule/client.pl
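The tools jandd listed above, the 4-chars-plus-space presentation adopted for the CAP forms, and the MD5/SHA1/SHA256 distinction wytze draws in this note can be checked mechanically. The following is an added example (not code from the CAcert code base, whose mail text lives in CommModule/client.pl): it normalises either fingerprint presentation, tells the digest apart by length, recomputes fingerprints over DER bytes, and audits the "Root cert fingerprint" lines of a collection mail against the current root values quoted on this page. The PEM sample in the test and the mail snippet are constructed or copied from the notes above.

```python
import base64
import hashlib
import re

# Digest lengths in bytes; these are the three fingerprint types seen in the notes.
DIGEST_BY_LENGTH = {16: "MD5", 20: "SHA1", 32: "SHA256"}


def normalize_fingerprint(text: str) -> bytes:
    """Accept either presentation used on this page, '2 chars plus colon'
    (A6:1B:37:...) or '4 chars plus space' (DDFC DA54 ...), and return
    the raw digest bytes."""
    hexstr = re.sub(r"[\s:]", "", text)
    if not re.fullmatch(r"[0-9A-Fa-f]+", hexstr) or len(hexstr) % 2:
        raise ValueError(f"not a hex fingerprint: {text!r}")
    return bytes.fromhex(hexstr)


def digest_name(fp: bytes) -> str:
    """Tell MD5, SHA1 and SHA256 fingerprints apart by their length."""
    try:
        return DIGEST_BY_LENGTH[len(fp)]
    except KeyError:
        raise ValueError(f"unexpected fingerprint length {len(fp)}") from None


def format_grouped(fp: bytes) -> str:
    """4 hex chars plus space, the presentation adopted for the CAP forms."""
    h = fp.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, len(h), 4))


def format_colons(fp: bytes) -> str:
    """2 hex chars plus colon, as printed by openssl x509 -fingerprint."""
    return ":".join(f"{b:02X}" for b in fp)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour; fingerprints are always taken over the DER bytes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def certificate_fingerprints(der: bytes) -> dict:
    """The same digests openssl, keytool and certtool report for a certificate."""
    return {name: hashlib.new(name.lower(), der).digest()
            for name in ("MD5", "SHA1", "SHA256")}


# Current class 1 root fingerprints exactly as quoted in the notes above.
EXPECTED_ROOT = {
    "SHA256": normalize_fingerprint("07ED BD82 4A49 88CF EF42 15DA 20D4 8C2B "
                                    "41D7 1529 D7C9 00F5 7092 6F27 7CC2 30C5"),
    "SHA1": normalize_fingerprint("DDFC DA54 1E75 77AD DCA8 7E88 27A9 8A50 6032 52A5"),
}

FP_LINE = re.compile(r"^Root cert fingerprint\s*=\s*(.+?)\s*$", re.MULTILINE)


def audit_collection_mail(text: str) -> list:
    """For every 'Root cert fingerprint = ...' line in a certificate
    collection mail, return (digest name, matches the current root)."""
    results = []
    for match in FP_LINE.finditer(text):
        fp = normalize_fingerprint(match.group(1))
        name = digest_name(fp)
        results.append((name, EXPECTED_ROOT.get(name) == fp))
    return results


# Fingerprint lines copied from the mail quoted in the note above (old root).
OLD_MAIL = """If you have not imported CAcert's root certificate, please go to:
https://www.cacert.org/index.php?id=3
Root cert fingerprint = A6:1B:37:5E:39:0D:9C:36:54:EE:BD:20:31:46:1F:6B
Root cert fingerprint = 135C EC36 F49C B8E9 3B1A B270 CD80 8846 76CE 8F33
"""

if __name__ == "__main__":
    for name, current in audit_collection_mail(OLD_MAIL):
        print(f"{name}: {'current root' if current else 'NOT the current root'}")
    # The corrected lines, as proposed in the note above
    for name, fp in EXPECTED_ROOT.items():
        print(f"{name} fingerprint: {format_grouped(fp)}")
```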
    (0005802)
    bdmc   
    2019-04-12 16:16   
    client.pl has been corrected and checked in.
    (0005803)
    Ted   
    2019-04-15 19:52   
    (Last edited: 2019-04-15 19:53)
    A grep for the old fingerprints returns more hits in files www/ttp.php, pages/index/3.php and pages/index/16.php. 3.php and 16.php include the fingerprint also in a PGP signed message, which should be commented out completely...

    (0005804)
    bdmc   
    2019-04-26 14:08   
    There is a reference in 16.php to 17.php, which is intended to install the Microsoft Certificate.

    Should this be removed?
    (0005805)
    bdmc   
    2019-04-26 14:25   
    Files ttp.php and 16.php have been corrected and checked in.

    The reference found in 3.php is inside the commented out message about the GPG signature.
    (0005809)
    Ted   
    2019-05-14 20:17   
    The fixes of bug-1305 branch have been merged into the (old) testserver. Please try and check if the reported problems of wytze and alkas (and myself) are fixed, and report here!
    (0005810)
    alkas   
    2019-05-25 21:03   
    There are the old fingerprints in letters like this:
    --------------------------------------
    Hi <user>,

    You can collect your certificate for <user-email> by going to the following location:

    https://www.cacert.org/account.php?id=15&cert=797035

    If you have not imported CAcert's root certificate, please go to:
    https://www.cacert.org/index.php?id=3
    Root cert fingerprint = A6:1B:37:5E:39:0D:9C:36:54:EE:BD:20:31:46:1F:6B
    Root cert fingerprint = 135C EC36 F49C B8E9 3B1A B270 CD80 8846 76CE 8F33

    Best regards
    CAcert.org Support!
    (0005811)
    L10N   
    2019-05-26 18:18   
    Where is the text of this e-mail stored?
    (0005812)
    GuKKDevel   
    2019-05-27 08:29   
    Message comes from -> CommModule/client.pl
    (0005813)
    GuKKDevel   
    2019-05-27 08:55   
    should be correct, see https://github.com/CAcertOrg/cacert-devel/blob/bug-1305/CommModule/client.pl
    (0005814)
    bdmc   
    2019-05-31 04:40   
    client.pl should have been corrected in the April 12th check-in.
    (0005815)
    Ted   
    2019-07-04 23:05   
    After some hassle, the (old) testserver is now running the modified client.pl

    I created one certificate, and the mail (on mgr.test.cacert.org:14843) contained the new checksums. It looked acceptable, though not really nice...

    Any other test reports?
    (0005845)
    Ted   
    2019-09-26 18:28   
    I updated https://wiki.cacert.org/Roots/StateOverview to match the current status...


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1468 [Infrastructure] general major always 2019-09-26 09:32 2019-09-26 10:39
    Reporter: drtjstone Platform: Main CAcert Website  
    Assigned To: egal OS: N/A  
    Priority: normal OS Version: stable  
    Status: new Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Summary: Getting SSL_ERROR_HANDSHAKE_FAILURE_ALERT on Firefox and other certificate problems
    Description: See attached screenshot from logging into main site.
    Tags: browser, server certificates
    Steps To Reproduce: Logging into the main site or https://cats.cacert.org/
    Additional Information:
    System Description Production version of the CAcert website
    Attached Files: Screenshot 2019-09-26 at 10.20.09.pdf (290,916 bytes) 2019-09-26 09:32
    http://bugs.cacert.org/file_download.php?file_id=468&type=bug
    Notes
    (0005844)
    jandd   
    2019-09-26 10:28   
    @dirk could you check the certificate chain for the blog container's Apache httpd? Maybe it still has the old intermediate/class3 and root/class1 certificates.


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1467 [Main CAcert Website] certificate issuing major always 2019-09-19 19:54 2019-09-20 17:46
    Reporter: tim.devries Platform: Default  
    Assigned To: OS: any  
    Priority: urgent OS Version: any  
    Status: new Product Version: 2015 Q3  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by:
    Test Instructions:
    Summary: Code signing cert access not showing within website.
    Description: Background: I have 100 points from several years ago. I’ve filled out the request to get it enabled. No response.

    Is anyone needed to look after this? I can devote time to it.
    Tags:
    Steps To Reproduce: Login under my username/password.
    Additional Information: Please email for credentials to confirm, if allowed/necessary.
    System Description Default profile.
    Attached Files:
    Notes
    (0005838)
    Ted   
    2019-09-20 17:46   
    Part of the current problem is that support is seriously understaffed.

    Sadly this cannot be easily remedied, since support staff members need some additional requisites (a background check), which takes several months to complete if enough Arbitrators are available to do the job.

    I'll try to push your application by personal contact, but cannot promise anything...


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1427 [Main CAcert Website] certificate issuing major always 2017-06-19 22:05 2019-09-10 21:33
    Reporter: ntiemare0 Platform: Main CAcert Website  
    Assigned To: OS: N/A  
    Priority: normal OS Version: stable  
    Status: new Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by:
    Test Instructions:
    Summary: Unable to obtain certificate through API/CCSR.php
    Description: I have been trying to automate the issuing of my CA certs, using the api found at cacert.org/api/ccsr.php

    I'm creating the CSR and requesting the cert through PHP and Curl, passing the information through POST. But, instead of returning the certificate, it responds with "404,Your certificate request has failed. ID:" and when I check my CA listing page, it lists a "pending" cert with no serial.

    I've double and triple checked everything, but can't seem to get it to work.
    Tags: api Client Certs
    Steps To Reproduce: following the parameters at https://wiki.cacert.org/Software/CertApi, submit an HTTP request for a CA Cert. see attached file for used php code.
    Additional Information:
    System Description Production version of the CAcert website
    Attached Files: auto_cert.php (1,438 bytes) 2017-06-19 22:05
    http://bugs.cacert.org/file_download.php?file_id=420&type=bug
    There are no notes attached to this issue.


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1460 [Main CAcert Website] account administration minor always 2019-02-27 21:00 2019-02-28 10:36
    Reporter: Ted Platform:  
    Assigned To: Ted OS:  
    Priority: normal OS Version:  
    Status: new Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by:
    Test Instructions:
    Summary: Show mailserver error when creating new account
    Description: When creating a new account, and the check of the mail address fails because the mailserver does not accept the address, currently only "Failed to make a connection to the mail server" is shown as error message.

    Showing the reason why the mailserver rejected the address would help support to give some advice to the potential new member.

    Until 0001288 the error line of the mailserver was shown if the check failed in the last "RCPT TO..." step. The commit 86c04b83870dc547fdcef25f91b1bc3b1de53619, which effectively removed the message, looks like this may have been accidental due to copy/paste procedures.

    The easiest solution of this issue would be to remove the lines 624 to 627 in the commit above. But when tackling this issue, maybe the error reporting could be improved in more situations...
    Tags:
    Steps To Reproduce: Try to create an account for an existing domain but a non-existing account. The system reports "Failed to make a connection to the mail server" but should mention something like "550 Requested action not taken: mailbox unavailable".
    Additional Information:
    Attached Files:
    There are no notes attached to this issue.
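The distinction this report asks for, the generic connection message versus the mail server's own "RCPT TO" verdict, is illustrated by the following added example (not the checkEmail() code from www/includes/general.php). The remote MX is replaced by a constructed scripted server so the exchange runs offline; the HELO name and sender address are hypothetical placeholders.

```python
# Hypothetical values; the real ones are whatever general.php sends.
HELO_NAME = "www.example.invalid"
DEFAULT_SENDER = "sender@example.invalid"
GENERIC_ERROR = "Failed to make a connection to the mail server"


class ScriptedMailServer:
    """Constructed stand-in for a remote MX so the probe runs offline.
    send() returns the final line of the server's reply; the RCPT TO
    verdict is configurable so rejections can be exercised."""

    REPLIES = {"EHLO": "250 mx.example.invalid", "MAIL": "250 OK", "QUIT": "221 Bye"}

    def __init__(self, rcpt_reply="250 OK", greeting="220 mx.example.invalid ESMTP"):
        self.greeting = greeting
        self.rcpt_reply = rcpt_reply
        self.transcript = []  # (who, line) pairs, for later inspection

    def connect(self) -> str:
        self.transcript.append(("S", self.greeting))
        return self.greeting

    def send(self, line: str) -> str:
        self.transcript.append(("C", line))
        # "MAIL FROM:<x>" -> "MAIL", "RCPT TO:<x>" -> "RCPT", "EHLO host" -> "EHLO"
        verb = line.split(":", 1)[0].split(" ", 1)[0].upper()
        if verb == "RCPT":
            reply = self.rcpt_reply
        else:
            reply = self.REPLIES.get(verb, "500 Unknown command")
        self.transcript.append(("S", reply))
        return reply


def check_email(server, address: str, sender: str = DEFAULT_SENDER):
    """Probe an address up to RCPT TO, the step at which the mailbox's
    existence is learned. Returns (accepted, message); a rejection carries
    the mail server's own reply line (e.g. '550 Requested action not taken:
    mailbox unavailable') instead of only the generic text, so support can
    tell a dead MX from a rejected mailbox."""
    reply = server.connect()
    if not reply.startswith("220"):
        return False, f"{GENERIC_ERROR} ({reply})"
    steps = [("EHLO", f"EHLO {HELO_NAME}"),
             ("MAIL FROM", f"MAIL FROM:<{sender}>"),
             ("RCPT TO", f"RCPT TO:<{address}>")]
    for step, command in steps:
        reply = server.send(command)
        if not reply.startswith("2"):
            server.send("QUIT")  # always leave the session cleanly
            return False, f"{step} rejected by mail server: {reply}"
    server.send("QUIT")
    return True, reply


if __name__ == "__main__":
    mx = ScriptedMailServer("550 Requested action not taken: mailbox unavailable")
    print(check_email(mx, "nobody@example.invalid"))
    print(check_email(ScriptedMailServer(greeting="421 Service not available"),
                      "nobody@example.invalid"))
```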


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1457 [bugs.cacert.org] misc minor always 2019-01-27 14:46 2019-02-25 22:07
    Reporter: Ted Platform:  
    Assigned To: egal OS:  
    Priority: normal OS Version:  
    Status: new Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Summary: Please increase session timeout on bugs.cacert.org
    Description: Hi, could the session timeout on bugs.cacert.org be increased? It looks like it is currently something around 15 or maybe 30 minutes.

    It is very frustrating when I try to write a comment, looking up some things to make sure I don't tell bullshit, just to have to start all over again because of a session timeout message.

    I'd ask for an absolute minimum of 1 hour for the timeout, but preferably it should be 4 or even 8 hours.
    Tags:
    Steps To Reproduce:
    Additional Information:
    Attached Files:
    Notes
    (0005756)
    jandd   
    2019-01-27 15:52   
    Hello Dirk, I do not know Mantis well enough to help here. Do you know how to increase the session timeout?
    (0005759)
    wytze   
    2019-01-30 07:58   
    This is an annoyance indeed. What happens to me fairly often is that I open a particular bug page in my browser, leave it there for a couple of hours while looking into the actual problem (and possibly get distracted by other stuff), then return to the open page and add a comment -- which fails due to the timeout, and all data entered is lost :-(
    Even with a much longer timeout one might run into this trap, the safest solution is to refresh the page in the browser before entering new data. But it's easy to forget ...
    (0005762)
    egal   
    2019-02-01 15:38   
    I just changed the timeout variable for mantis from 5 minutes to 30 minutes. Please verify if the timeout is now extended ... we should then find a consensus between security and comfort ...
    (0005773)
    Ted   
    2019-02-14 22:26   
    Test, last action was 22:50
    (0005779)
    Ted   
    2019-02-25 22:07   
    I just found out that the default refresh time seems to be set to 30 minutes. So, maybe setting the timeout to 35 minutes will prevent most of the inconveniences? At least I just set my refresh timeout to 10 minutes, so I should already be on the safe side... :-)

    BTW, what is the attack scenario which is prevented by a short timeout? It's hard to judge "security" without knowing what may happen...


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1459 [Main CAcert Website] my account major always 2019-02-22 11:37 2019-02-25 21:33
    Reporter: wytze Platform: Default  
    Assigned To: GuKKDevel OS: any  
    Priority: immediate OS Version: any  
    Status: fix available Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by:
    Test Instructions:
    Summary: e-mail verification fails for many addresses since upgrade from PHP 5.5 to PHP 5.6
    Description: e-mail verification fails for many e-mail addresses since the upgrade of PHP 5.5 to PHP 5.6 on the CAcert main webserver.
    This is due to the fact that PHP 5.6 has introduced a new parameter for setting up TLS/SSL connections, verify_peer_name, which is set to TRUE by default:

    http://php.net/manual/en/context.ssl.php#refsect1-context.ssl-changelog says

    5.6.0 Added peer_fingerprint and verify_peer_name. verify_peer default changed to TRUE.

    As a result, any mail address which is served by a mail server which has been set up with a certificate whose CN does not match the MX name will fail the checkEmail() validation in www/includes/general.php. The error message logged on the server (but not shown to the user :-() is (mailserver.domain.name and mx.domain.name are hypothetical names here):

    PHP Warning: stream_socket_enable_crypto(): Peer certificate CN=`mailserver.domain.name' did not match expected CN=`mx.domain.name'

    While such a mail server setup is not 100% clean, it is very common, especially with hosters hosting many different domains, and CAcert users should be able to get their e-mails verified for such domains (like they were in the past, when PHP 5.5 was still deployed).
    Tags:
    Steps To Reproduce:
    Additional Information: The following code fix solves this problem:

    --- general.php.org 2019-02-14 09:17:44.753793847 +0100
    +++ general.php 2019-02-22 12:35:20.403100537 +0100
    @@ -593,6 +593,7 @@
                                    $fp_opt = array(
                                            'ssl' => array(
                                                    'verify_peer' => false, // Opportunistic Encryption
    + 'verify_peer_name' => false, // Opportunistic Encryption
                                                    )
                                            );
                                    $fp_ctx = stream_context_create($fp_opt);
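Review bot: with 'verify_peer_name' => false added next to 'verify_peer' => false, the STARTTLS session to the mail server authenticates nothing about the peer, and the "Peer certificate CN=... did not match expected CN=..." warning quoted in the description will no longer be emitted, so the mismatch rate that justified this emergency patch becomes invisible in the logs; consider logging the MX name and presented CN at notice level once per failed match so the behaviour stays observable. Also, the added line repeats the "// Opportunistic Encryption" comment of the line above it; one comment stating that both verification options are deliberately off because MX hostnames routinely differ from certificate CNs would document the intent better for the next PHP upgrade.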
    System Description Default profile.
    Attached Files:
    Notes
    (0005774)
    wytze   
    2019-02-22 11:39   
    (Last edited: 2019-02-22 11:42)
    Due to the severity of this problem, which affects many domains as proven by a quick scan of the error logs for this specific message, the code fix listed in the Additional Information section has been deployed immediately on the production server as an emergency patch. Testing is therefore only possible on the test1.cacert.org server.

    (0005775)
    wytze   
    2019-02-22 16:21   
    Retrospective log analysis of the production server reveals that this failure has occurred 9580 times, between Apr 16 16:08:39 2018 and Feb 22 11:46:52 2019. Hence an emergency patch seems justified here.
    (0005776)
    wytze   
    2019-02-22 16:23   
    For proper testing on test.cacert.org, the checkEmailDummy function needs to be eradicated!
    (0005777)
    Ted   
    2019-02-25 21:31   
    Created new branch bug-1459 with Wytze's changes and pushed it to github and git.cacert.org.

    Created new test branch test-1459 with enabled mail checking and checked it out on test.cacert.org. Note that Wytze's changes are not yet merged in, so it is now possible to do tests with the old version of mail checking.
    (0005778)
    Ted   
    2019-02-25 21:33   
    Reviewed the change. It is PASSED because there is no policy stating that SSL certificates of mail servers are checked strictly. Usually we even accept unencrypted mailserver connections...


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1456 [Main CAcert Website] organisational section minor always 2019-01-22 21:39 2019-02-14 21:35
    Reporter: L10N Platform: Default  
    Assigned To: GuKKDevel OS: any  
    Priority: high OS Version: any  
    Status: needs work Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by:
    Test Instructions:
    Summary: COAP web form is broken
    Description: When I try to finish "https://wiki.cacert.org/CoapHTML" by using the
    button "Submit the form: generate PDF file", I receive an error message:
    "pdf.cacert.eu" could not be found.
    The URL that doesn't work:
    https://pdf.cacert.eucacertpdf.php?name=Patent-+und+Rechtsanwaltskanzlei+..."
    What can I do to make it working?
    Tags: coap, organisation assurance, Wiki
    Steps To Reproduce: 1. open the web form at "https://wiki.cacert.org/CoapHTML"
    2. fill in the information
    3. click on "Submit the form: generate PDF file"
    4. Error message "pdf.cacert.eu" could not be found
    Additional Information: information came from user T.R. through the webform
    System Description Default profile.
    Attached Files: access.log (3,092 bytes) 2019-02-01 15:49
    http://bugs.cacert.org/file_download.php?file_id=464&type=bug
    error.log (503,093 bytes) 2019-02-01 15:49
    http://bugs.cacert.org/file_download.php?file_id=465&type=bug
    Notes
    (0005742)
    L10N   
    2019-01-22 21:40   
    This bug has some importance, as the committee likes to push OrgA (organisation assurance).
    (0005743)
    L10N   
    2019-01-22 21:45   
    I contacted the owner of cacert.eu. For some time, there was a new website, but today, the URL is redirected to cacert.org. He does not know where pdf.cacert.eu was pointed. Maybe it was something new with Java?

    (Original messages, translated from German:
        pdf.cacert.eu -> wasn't that "your" new server?
        When I open www.cacert.eu, the new page is gone and I am redirected to
        org. Do you know what happened to pdf.?

    Nope ... Only the domain is mine ...
    But I also no longer remember where PDF.c.eu pointed ... :-(
    It may well be that it moved to a new environment that already ran on Java (?) ...
    But ... generating the CAP or COAP should also be possible in the old environment ...
    (0005744)
    L10N   
    2019-01-22 21:45   
    I tested what happens if I change the URL from pdf.cacert.eu to pdf.cacert.org. It did not match either.
    (0005745)
    L10N   
    2019-01-22 21:48   
    Next step, I had a look at the changes that happened to wiki.caccert.org/CoapHTML (at "info") and saw that the .eu address was added in 2013 by inopiae. So I created a test content form at wiki.cacert.org/CoapHTML and then, at the error page, I replaced in the URL "pdf.cacert.eu/cacertpdf.php" with "www.cacert.org/coapnew.php" (keeping everything before and after as it was) and reloaded the page again.

    Half success: it created a complete PDF form - only the fingerprint and the postal address are as in 2011 (Denistone East) and not as on the wiki page (as in 2019).

    This can help for the moment.
    (0005746)
    L10N   
    2019-01-22 21:49   
    To get back the service we had before:
    Where did pdf.cacert.eu point?

    If we will run the old service at www.cacert.org again:
    How can we change address/fingerprint to use the form with the old address?
    (0005747)
    L10N   
    2019-01-22 22:04   
    Following the internet archive, cacert.eu ("CAcert community portal") has gone between September 14th, 2017 and March 28th, 2018.
    https://web.archive.org/web/20170914222137/http://cacert.eu/
    (0005750)
    L10N   
    2019-01-26 22:36   
    I changed the wiki code from coapHTML and coapHTML_de as described in http://bugs.cacert.org/view.php?id=1456#c5745

    The issue still remaining: fingerprint and postal address are still wrong, as they came not from the wiki, but from somewhere else. I suppose it has to be changed at http://svn.cacert.org/CAcert/Forms/src/form_fies.php (but this is just a supposition and I cannot test it, as I do not have write access to svn).
    (0005751)
    L10N   
    2019-01-26 23:56   
    A community member wrote:

    > Unfortunately the exchange of the address parts does not work, when I
    > do it. Please see the attachment.
    >
    > What can I do else?
    > I think, if nothing else works, I can print the browser page. I will ask
    > the assurer. At last it's all paper...

    I tried it on Firefox, PaleMoon, Vivaldi and Chromium browsers. For me, it worked on Firefox and PaleMoon, but not on Chromium and Vivaldi browsers. There it gave the same error message as reported by the member.

    -----------------------------------
    Datei nicht gefunden
    Die Datei https://www.cacert.org
    /coapnew.php?name=Example+Company+AG&
    address=Hans-Knöll-Straße+1,+07745+Jena,+Germany&
    type=Partnerschaftsgesellschaft&state=eingetragen (schnipp)

    konnte nicht
    gefunden werden. Bitte überprüfen Sie die Adresse und versuchen Sie es
    erneut.
    Könnte der Eintrag umbenannt, gelöscht oder verschoben worden sein?
    Enthält die Adresse einen Rechtschreib-, Groß-/Kleinschreibungs- oder anderen
    Schreibfehler?
    Haben Sie ausreichende Zugriffsrechte für den angeforderten Eintrag?
    (0005752)
    Ted   
    2019-01-27 13:48   
    Moved the issue to the "Main Website" project, since the major problem obviously is coap.php, or rather coapnew.php, on the main website.
    (0005753)
    Ted   
    2019-01-27 13:58   
    The problem seems to be coapnew.pdf.

    When I access https://test.cacert.org/coapnew.php I get a "file not found" error. When trying to start the script from the shell it says:
    require_once(/usr/share/tcpdf_php4/config/lang/eng.php): failed to open stream: No such file or directory in /home/cacert/git/cacert/www/coapnew.php on line 319

    Probably the TCPDF library is not installed on the webserver. Wytze can you have a look at this and install the library? Or forward this case to someone who can?
    (0005754)
    Ted   
    2019-01-27 14:02   
    Note that this script is (as far as I can see) nothing that has to be run on the critical system. It just creates a nice looking PDF from the form parameters which are transferred from the wiki.

    So it was very sensible to install the script on cacert.eu, since changes to non-critical systems are much easier (less formal) than changes to the critical system.

    Do we currently have another non-critical system where we can install this?
    (0005755)
    Ted   
    2019-01-27 14:40   
    (Last edited: 2019-01-29 14:41)
    When I try to access https://www.cacert.org/coapnew.php I get the same error as when accessing https://test.cacert.org/coapnew.php ("File not found". The HTTP error code is 500).

    (0005757)
    Ted   
    2019-01-28 22:40   
    With some help from Wytze I managed to run the script from the shell, where it creates an empty COAP form.

    When accessed with the browser the following error can be found in apache's error.log:
    PHP Fatal error: Allowed memory size of 18874368 bytes exhausted (tried to allocate 65484 bytes) in /usr/share/tcpdf_php4/tcpdf.php on line 2367

    This sounds like a strict resource setting in php.ini. I found two php.ini files on the testserver, one at /home/cacert/etc/php5/apache2/php.ini, containing a memory_limit of 128M, and one at /home/cacert/etc/php5/cli/php.ini, containing a memory_limit of -1.
    Playing around a bit with those settings did not change anything, so I'll leave this to people with more proficiency in system administration...

    BTW, the TCPDF library seems to be still supported, see https://github.com/tecnickcom/TCPDF, maybe we should switch to a more current version? :-\
    (0005758)
    wytze   
    2019-01-29 11:37   
    (Last edited: 2019-01-30 07:53)
    I cannot reproduce the error by accessing https://test.cacert.org/coapnew.php, for me that produces a reasonably looking empty COAP form.

    However, to tackle a PHP memory issue, you should edit /home/cacert/etc/php5/mods-available/cacert.ini, which contains a tighter setting for memory_limit (18M). I have raised it to 36M, so you could give your test a new try with that. If you want to increase it even further, please do not forget to "sudo service apache2 restart" after changing the config file.

    As for a newer TCPDF version: it is trivial to switch from the -php4 version to a PHP5 version. I have done just that by editing line 233 in coapnew.php:

    --- coapnew.php.org 2018-11-27 23:02:24.311871811 +0000
    +++ coapnew.php 2019-01-29 11:26:20.661722514 +0000
    @@ -230,7 +230,7 @@
     // INSTALLATION DIRS OF PACKAGES ==============================
     // make sure packages are installed here
     define('RT','./');
    -define('TCPDF_DIR','/usr/share/tcpdf_php4');
    +define('TCPDF_DIR','/usr/share/tcpdf');
     define('UTF8',RT."/utf8/native/core.php");
     if( file_exists(RT.'/transtab.php') ) // wherever it is
         define('UTF8_ASCII', RT.'/transtab.php');
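    Review bot: the new TCPDF_DIR value is still a hard-coded absolute path with no existence check, while the UTF8_ASCII define two lines below guards its file with file_exists(); on a host where /usr/share/tcpdf is missing or laid out differently from the -php4 package, the failure would again surface only as the fatal require_once() at line 319 quoted earlier in this thread. Consider guarding the define the same way, e.g. `if (!is_dir(TCPDF_DIR)) { die('TCPDF not installed at '.TCPDF_DIR); }`, so the misconfiguration is reported clearly instead of as an HTTP 500.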

    This makes a lot of sense I think, and at the very least reduces the number of PHP5 deprecated feature warnings.

    Please also note that HTTP error 500 does not mean "File not found" as some browsers say, rather it indicates an internal server failure. An example of that is PHP running out of memory.

    (0005760)
    GuKKDevel   
    2019-02-01 15:32   
    Did someone change something in the production system?

    I gave it a try and the form was displayed.

    So we only have to change the address and SHA checksums.
    (0005761)
    GuKKDevel   
    2019-02-01 15:37   
    Tried it a second time and it gave an error.

    I need all logs for the time 2019-02-01-T16:20 to 2019-02-01-T16:40 from the production system.
    (0005763)
    wytze   
    2019-02-01 15:49   
    Providing all log data would be a serious breach of privacy. I will append the Apache2 access log and error log filtered on your IPv4 address, and with the address replaced by "YOUR-IP-ADDRESS" for privacy.
    (0005772)
    Ted   
    2019-02-14 21:35   
    I just found out that for me https://secure.test.cacert.org/coapnew.php works while https://test.cacert.org/coapnew.php gives an HTTP error.

    The main website gives the same results, the "secure" server works, the "www" server does not.


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1454 [Main CAcert Website] website content major sometimes 2018-12-28 04:28 2019-02-07 22:53
    Reporter: bdmc Platform:  
    Assigned To: OS:  
    Priority: normal OS Version:  
    Status: needs review & testing Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by:
    Test Instructions:
    Summary: Revise Password Reset page to reduce repayments
    Description: The messages and instructions on the Password Reset page (page 5) are unclear regarding the proper procedures, especially regarding the "donation" required before requesting that Support assist.
    Tags: password recovery, support
    Steps To Reproduce:
    Additional Information:
    Attached Files: Support.odt (27,211 bytes) 2019-01-02 00:42
    http://bugs.cacert.org/file_download.php?file_id=463&type=bug
    Notes
    (0005716)
    bdmc   
    2018-12-28 04:43   
    Page URL: https://www.cacert.org/index.php?id=5
    (0005717)
    bdmc   
    2018-12-30 05:46   
    I have created a new version of Page 5, containing many more instructions. I have also said that asking Support for help will take a long time, although I did not specify any time estimate. The code is checked in as "bug-1454," but only consists of one file different from "release."
    (0005718)
    bdmc   
    2018-12-30 05:49   
    I have been thinking about Etienne's suggestion for some kind of instruction document to be sent to users.

    That might be triggered by the Paypal Payment "success return" message, because that is the only thing that happens before the user is expected to write an e-mail message to Support.

    Alternatively, some kind of automatic reply to e-mail messages to Support, with the Subject "Password Recovery Request," might be a way to do it.
    (0005719)
    L10N   
    2018-12-30 09:35   
    The message that the user sends with the web form probably goes to support@c.o. At the same time a copy should be sent to a new address password-reset@c.o. (or only to password-reset@c.o.).

    This address replies automatically (with 'support' as the sender) with a nice reply, which explains the procedure step by step. And in such a way that the next steps are delegated to the user.

    This would have the advantage that the user could help himself in some cases (relieves support). In other cases other people could help (e.g. local assurers). Third, we would have a clear situation with Paypal: Support answered immediately. We are now waiting for further information from the user. Paid service (as Paypal will always consider it) has been provided.
    (0005720)
    L10N   
    2018-12-30 10:01   
    Content (keyword) for an automatic reply:

    Thanks for contacting us
    Empathy for existing problem
    Promise to help
    Please document everything

    Step 1: with certificate (tried on ...)
    Step 2: Five questions (tried on ...)
    Step 3: With Assurance
    3a: If no Assurer nearby is known: secretary.c.o asked for addresses from the public part of the WoT directory (requested on..., reply received on...)
    3b: Assurer 1 contacted on... (if no reply within 3 days, Assurer 2, 3, 4, 5 contacted)
    3c: Assurer met on....
    3d: C-word received from Support on....
    3e: Answered to Support (password reset allowed) on....
    3f: T-word from support received on: ....
    3g: Congratulations, now you can reset the password yourself. To do this, log into your account. As a provisional password, use (with no space in between): A-word T-word
    Step 4: It didn't work. Write to support, include documentation of the first 3 steps with data and assurers.
    (0005721)
    L10N   
    2019-01-02 00:42   
    What about this? (Draft, in German)
    If possible, send only part 1-2 and part 3 24hrs later.
    (0005734)
    L10N   
    2019-01-13 23:03   
    What about a new e-mail address for password recovery that answers automatically (see above); only the second contact goes to support?
    (0005735)
    bdmc   
    2019-01-14 07:11   
    I should have responded to this a few days ago, when you first proposed it.

    Yes, I like the idea of a special e-mail address for password recovery, and, as you say, perhaps don't send directly to the Support mailing list.

    We could never send mail for password recovery to the Support mailing list, or only after the user has accomplished all other tasks. Mail to the password recovery address could be forwarded to Support, or the user would be directed to the Support mailing list only at the end of the process.
    (0005736)
    L10N   
    2019-01-14 13:57   
    Until now: User forgot password
    -> read wiki, help himself OR most: -> @ to support@c.o. (not support@lists.c.o.)

    It could be this way: User forgot password
    -> read wiki, help himself OR most: -> @ to new-password-recovery-address@c.o. -> automated answer with help, step 1&2, -> after 24 hours automated answer 2 with help, step 3&4, -> after 24 hours automated answer 3 with help, step 5&6 (where 6 means contact support, giving support's address)

    If this is too complicated (automated follow-up mails):

    It could be this way: User forgot password
    -> read wiki, help himself OR most: -> @ to new-password-recovery-address@c.o. -> automated answer with help, step 1-6 (where 6 means contact support, giving support's address)

    The phasing makes sense, as the requestor should do several things before contacting support. On the other hand, you can only send one reply with everything, because there are certainly people who have read the wiki before...

    Even if the draft is in German, it's worth looking at it, possibly with an automatic translator, to see how it's planned.
    (0005764)
    L10N   
    2019-02-07 22:53   
    I just asked the e-mail member of the Infrastructure Team whether an auto responder can be implemented with the available resources. Original message in German.



    -------- Original Message --------
    Subject: Auto responder
    Date: Thu, 07 Feb 2019 22:44:19 +0000

    (...)

    At the moment I am looking into various options for relieving Support in the
    case of lost passwords. Could you please give me your honest assessment of
    the following points, since not everything that is technically possible can
    be implemented here or with the available resources.

    - Is it possible to set up a new e-mail address that automatically replies
    with a predefined text/mail? (The incoming mail can be deleted regardless of
    its content, but it should be traceable when it arrived, from which address,
    and that the automatic reply went out.)

    - Is it possible to set up a new e-mail address that automatically replies
    *several times* with a predefined text/mail? That is, as above, once
    immediately, and then at predefined times (e.g. 24h later, 36h later) sends
    out mail 2 and mail 3?

    What happens technically in the background, or whether this runs via mail or
    a list, does not matter... I would just like to know whether something like
    this is feasible/possible for us with reasonable effort.

    Thanks for a short reply and
    kind regards
    (...)


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1398 [CATS.cacert.org] Translation: User Interface minor N/A 2015-08-21 21:24 2019-01-21 22:18
    Reporter: Ted Platform:  
    Assigned To: Ted OS:  
    Priority: normal OS Version:  
    Status: needs work Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Summary: User Interface Translation to Czech
    Description: Initial language file provided by Aleš
    Tags: CATS
    Steps To Reproduce:
    Additional Information:
    Attached Files:
    Notes
    (0005453)
    Ted   
    2015-08-21 21:53   
    The Czech translation uses non-ISO-8859-1 characters.

    This could be the occasion to move CATS from ISO-8859-1 to UTF-8 encoding, and I'll consider that job as part of this bug.
    (0005737)
    Ted   
    2019-01-14 22:21   
    For now, the "dangerous" characters of the translation have been replaced by HTML encodings.

    The bug branch has been merged into the testserver branch, which is now installed on the testserver, so it is now possible to select the Czech language for the user interface!

    Please test the translation, though I'm still evaluating if it is possible to move to UTF-8 encoding completely.


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1402 [CATS.cacert.org] Translation: Content text always 2015-09-21 18:14 2019-01-13 14:54
    Reporter: alkas Platform: PC  
    Assigned To: OS: Windows  
    Priority: normal OS Version: 8  
    Status: new Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Summary: A comment on deployed Czech translation of the "Assurer's Challenge" test
    Description: The following is a part of the Test and Results web (generated) pages - head:
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
    The charset should not be iso-8859-1; for this text, which contains non-ISO-8859-1 characters, it should be Windows CP-1250, as that is how the text is encoded. Or, possibly later, Unicode UTF-8 should be used. There is a possibility in the browser to change the encoding, but it is of no use for common end users.
    Tags: CATS, diacritic, Translation
    Steps To Reproduce: Select test "Výzva zaručovatele (CZ)" and try to answer the questionnaire. It works OK except for minor mis-encoding of some questions. The browser used was IE10 on Windows 8.0.
    Additional Information: If you decide to change the encoding after you have answered some questions, all your answers will be cleared by the change.
    Also the answers "true", "false" are English, not Czech. Possibly this will change after the Czech user interface is deployed.
    System Description Test version of the CAcert website
    Attached Files: Výzva_zaručovatele_.txt (47,366 bytes) 2015-10-01 14:13
    http://bugs.cacert.org/file_download.php?file_id=409&type=bug
    Notes
    (0005463)
    alkas   
    2015-10-01 14:17   
    Added file with the test in Czech. The file contains no information about correct answers.
    (0005733)
    Ted   
    2019-01-13 14:53   
    (Last edited: 2019-01-13 14:54)
    The charset in Content-Type is used by the browser only to decide which characters may be sent unencoded.

    The test still supports the whole UTF charset, but non-iso-8859-1 characters are transmitted as HTML entities (for example something like &#367;), which is perfectly OK for the browser (and the database).

    So, yes, I would prefer to have the pages being announced as using utf-8 charset, but IMHO this would only change the data management in the backend, and have no effect on the user.
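    The browser behaviour described in the note above, as an added example that is not CATS code: characters outside ISO-8859-1 are submitted as numeric character references, and the backend can normalise them back to UTF-8. It assumes PHP 5.4 or newer with the mbstring extension; the sample strings are constructed here, and the function names are hypothetical.

```php
<?php
// Added example (not CATS code): how a form on a page declared as
// charset=iso-8859-1 transports non-Latin-1 characters, and how the backend
// can normalise the submitted value. Assumes PHP >= 5.4 with mbstring.

// Browser side: code points above U+00FF (e.g. "ů" = U+016F) are sent as
// numeric character references such as &#367;, while Latin-1 characters
// such as "ý" (U+00FD) pass through as ordinary characters. On the real
// wire the Latin-1 part would be Latin-1 bytes; this model keeps the text
// in UTF-8 so the two sides can be compared directly.
function browser_submit_latin1($utf8_text)
{
    // convmap entry: start, end, offset, mask -- everything above U+00FF
    $convmap = array(0x100, 0x10FFFF, 0, 0x1FFFFF);
    return mb_encode_numericentity($utf8_text, $convmap, 'UTF-8');
}

// Backend side: decode the references before storing, so the database holds
// one canonical UTF-8 form instead of a mix of raw characters and entities.
function normalise_to_utf8($submitted)
{
    return html_entity_decode($submitted, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// True if a value still carries numeric references; useful when checking
// data that was stored in the mixed form mentioned in the issue.
function contains_numeric_entities($text)
{
    return preg_match('/&#(?:\d+|x[0-9A-Fa-f]+);/', $text) === 1;
}

// Constructed sample: the Czech test title named in this issue.
$title = "Výzva zaručovatele";
$wire  = browser_submit_latin1($title);   // "č" (U+010D) becomes &#269;
$back  = normalise_to_utf8($wire);

echo "sent:    $wire\n";
echo "decoded: $back\n";
echo ($back === $title) ? "round trip ok\n" : "round trip broken\n";
echo contains_numeric_entities($wire) ? "entities on the wire\n" : "no entities\n";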



    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1453 [Main CAcert Website] website content feature N/A 2018-12-09 23:24 2018-12-09 23:24
    Reporter: L10N Platform:  
    Assigned To: OS:  
    Priority: high OS Version:  
    Status: new Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by:
    Test Instructions: (number) paypal button(s) are shown on https://www.cacert.org/account.php?id=6&cert=xyz and in working order.
    Summary: Donation button on certificate issuing page
    Description: "Comment from Philipp; Add donation button to page where people successfully get their certificate."
    source: https://bugs.cacert.org/view.php?id=1305 (>2009)

    This page would be https://www.cacert.org/account.php?id=6&cart=xyz (cert number)
    accessible through https://www.cacert.org/account.php?id=5 and then clicking on the e-mail address of any issued certificate
    Tags: certificates, finances, future, html, new feature
    Steps To Reproduce:
    Additional Information: A possibility (with German text and more than one PayPal button) is given in the pictures.
    Attached Files: as-it-is.png (211,424 bytes) 2018-12-09 23:24
    http://bugs.cacert.org/file_download.php?file_id=455&type=bug
    as-it-should.png (181,562 bytes) 2018-12-09 23:24
    http://bugs.cacert.org/file_download.php?file_id=456&type=bug
    There are no notes attached to this issue.


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1452 [Main CAcert Website] translations minor always 2018-12-06 12:17 2018-12-06 12:17
    Reporter: GuKKDevel Platform: Test CAcert Website  
    Assigned To: OS: N/A  
    Priority: normal OS Version: Test  
    Status: new Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by:
    Test Instructions:
    Summary: changing the default language doesn't change the language for CAP-forms
    Description: being logged in and changing the default language doesn't change the language for CAP-forms automatically
    Tags: Translation
    Steps To Reproduce: 1. log in
    2. create CAP-form -> is in your default language
    3. change default language
    4. create CAP-form -> still the old language

    Additional Information:
    System Description Test version of the CAcert website
    Attached Files:
    There are no notes attached to this issue.


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1031 [Main CAcert Website] Audit issues major always 2012-04-09 03:12 2018-11-18 13:46
    Reporter: clopez Platform: Default  
    Assigned To: Patrick OS: any  
    Priority: high OS Version: any  
    Status: fix available Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by:
    Test Instructions:
    Summary: Disable use of insecure function mysql_escape_string()
    Description: mysql_escape_string() is insecure

     * http://security.stackexchange.com/questions/8028/does-mysql-escape-string-have-any-security-vulnerabilities-if-all-tables-using-l

    And it's used in core parts like user password login:

    $ grep -rl mysql_escape_string .
    ./includes/lib/general.php
    ./www/wot.php
    ./www/disputes.php
    ./www/verify.php
    ./www/alert_hash_collision.php
    ./www/index.php
    ./www/api/cemails.php
    ./www/api/edu.php
    ./pages/wot/12.php
    ./pages/wot/13.php
    ./pages/account/43.php
    ./pages/account/53.php
    ./pages/account/41.php
    ./pages/account/54.php
    ./pages/account/49.php
    ./tverify/index.php


    Theoretically this can be exploited to perform a SQL Injection attack.


    Please replace all mysql_escape_string() occurrences with the secure mysql_real_escape_string().

    You can do this simply by executing this command in the topdir:

    grep -rl mysql_escape_string . | xargs sed -i "s/mysql_escape_string/mysql_real_escape_string/g"
    Tags:
    Steps To Reproduce:
    Additional Information:
    System Description Default profile.
    Attached Files:
    Notes
    (0005336)
    Patrick   
    2015-02-27 22:06   
    I quickly wrote the fix.

    https://github.com/DjBusti/cacert-devel/commit/c7ec6a2aa2edc6d59578d5adc685de01d4497461
    (0005684)
    Ted   
    2018-11-18 13:46   
    Note that 0001442 also replaces mysql_real_escape_string by mysqli_real_escape_string.

    So, once bug-1442 is installed this issue is obsolete.


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1194 [Main CAcert Website] misc minor have not tried 2013-07-23 22:20 2018-11-16 10:37
    Reporter: NEOatNHNG Platform:  
    Assigned To: NEOatNHNG OS: Windows  
    Priority: normal OS Version: 8  
    Status: needs work Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by:
    Test Instructions:
    Summary: Root certificate installer MSI package fails on Windows 8
    Description: There are some problems when using the installer package on Windows 8
    Tags:
    Steps To Reproduce:
    Additional Information:
    Attached Files:
    Notes
    (0004204)
    NEOatNHNG   
    2013-07-31 12:49   
    This seems to be a problem with the WiX toolkit used. One upstream bug report can be found on http://sourceforge.net/p/wix/bugs/1369/ but that should have been fixed since WiX 3.5 and I have used 3.7 to build the package. Seems I have to dig a little further.
    (0004483)
    NEOatNHNG   
    2013-12-11 00:53   
    http://wixtoolset.org/issues/4212/


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    156 [Main CAcert Website] source code tweak always 2006-03-05 21:42 2018-11-11 18:37
    Reporter: bluec Platform:  
    Assigned To: bluec OS:  
    Priority: low OS Version:  
    Status: needs work Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by:
    Test Instructions:
    Summary: magic_quotes_gpc vs. mysql_escape_string()
    Description: I see many cases where mysql_escape_string() is applied to $_REQUEST, $_POST or $_GET. As magic_quotes has already escaped these strings, this may lead to corruption of the user input.

    e.g. in api/ccsr.php

            $username = mysql_escape_string($_REQUEST['username']);
            $password = mysql_escape_string($_REQUEST['password']);

    I recommend using something like quote_smart() from php.net

      function quote_smart($value)
      {
         // stripslashes, if necessary
         if (get_magic_quotes_gpc()) {
             $value = stripslashes($value);
         }

         // quote, if not numeric
         if (!is_numeric($value)) {
             $value = "'" . mysql_real_escape_string($value) . "'";
         }

         return $value;
      }


    Additionally since PHP 4.3.0 it's recommended to use mysql_real_escape_string().
    Tags:
    Steps To Reproduce:
    Additional Information:
    Attached Files:
    Notes
    (0000523)
    duane   
    2006-08-16 13:36   
    We need patches and/or source locations, this bug isn't a simple one and feeds back into the requirement to turn off globals...
    (0001010)
    dionyziz   
    2008-02-18 13:42   
    I can confirm this bug exists for the "Contact Information" field of the "My Listing" section.
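    The two escaping problems discussed in this issue and in issue 1031 above (double escaping under magic_quotes_gpc, and mysql_escape_string() being unaware of the connection charset), as an added example that is not code from the CAcert tree. It assumes PHP 5.4 or newer with pdo_sqlite, uses an in-memory SQLite database in place of MySQL, and the helper names (legacy_escape, old_double_escape, unquote_request_value, roundtrip_username) are hypothetical.

```php
<?php
// Added example (not CAcert code). Shows the corruption reported in this issue
// and the fix both issues point towards: undo magic quotes once, then keep user
// input out of the SQL text altogether with a prepared statement.
// Assumes PHP >= 5.4 with pdo_sqlite; SQLite stands in for MySQL here.

// Hypothetical stand-in for PHP's removed mysql_escape_string(): it escapes the
// same characters but, unlike mysql_real_escape_string(), knows nothing about
// the connection charset, which is the weakness issue 1031 is about.
function legacy_escape($value)
{
    return strtr($value, array(
        "\x00" => '\\0', "\n" => '\\n', "\r" => '\\r',
        '\\' => '\\\\', "'" => "\\'", '"' => '\\"', "\x1a" => '\\Z',
    ));
}

// What the old code did with magic_quotes_gpc on: PHP had already run
// addslashes() over the request value, and the script escaped it a second time.
function old_double_escape($raw_request_value)
{
    $magic_quoted = addslashes($raw_request_value); // applied by PHP before the script ran
    return legacy_escape($magic_quoted);            // applied again by the script
}

// Undo magic quotes only when the interpreter actually applied them.
// get_magic_quotes_gpc() always returns false on PHP 5.4+ and is gone in PHP 8.
function unquote_request_value($value)
{
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// Store and read back a username with bound parameters: the value never becomes
// part of the SQL text, so no escaping function (charset-aware or not) is needed.
function roundtrip_username(PDO $db, $username)
{
    $db->exec('CREATE TABLE IF NOT EXISTS users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
    $insert = $db->prepare('INSERT INTO users (username) VALUES (:name)');
    $insert->execute(array(':name' => $username));

    $select = $db->prepare('SELECT username FROM users WHERE username = :name');
    $select->execute(array(':name' => $username));
    return $select->fetchColumn();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample input: a name containing a quote, as a user would type it.
$typed = "O'Brien";

// Old path: the SQL literal now carries a doubled backslash, so MySQL would
// store O\'Brien instead of O'Brien -- the corruption this issue describes.
$old = old_double_escape($typed);
echo "old double-escaped SQL literal: '$old'\n";

// Fixed path: strip magic quotes if present, then bind the value.
$clean  = unquote_request_value($typed);
$stored = roundtrip_username($db, $clean);
echo "stored and read back: $stored\n";
echo ($stored === $typed) ? "value preserved\n" : "value corrupted\n";
```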


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1448 [Main CAcert Website] source code minor have not tried 2018-11-09 22:06 2018-11-11 18:37
    Reporter: Ted Platform:  
    Assigned To: pmoulding@cacert.org OS:  
    Priority: normal OS Version:  
    Status: new Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by:
    Test Instructions:
    Summary: Convert to new error class
    Description: Reported by pmoulding:

    PHP now has an error class, which conflicted with the error class already used in openbiblio.

    As far as the 'error class,' it means isolating all of the error-handling code into a single area, and make calls to that code for both error handling and error reporting.
    Tags:
    Steps To Reproduce:
    Additional Information:
    Attached Files:
    There are no notes attached to this issue.


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1446 [Main CAcert Website] General minor have not tried 2018-11-04 04:51 2018-11-11 18:36
    Reporter: pmoulding@cacert.org Platform: Test CAcert Website  
    Assigned To: pmoulding@cacert.org OS: N/A  
    Priority: normal OS Version: Test  
    Status: needs work Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by:
    Test Instructions:
    Summary: Add an autoloader as a step toward moving common code into classes
    Description: Common code should be in classes. Classes can be delivered from a single class directory. An autoloader can make the class loading automatic. The autoloader can replace the multiple occurrences of require/require_once.

    The autoloader class could also replace the prepend defined in the Apache config file, removing a roadblock for people who cannot access their Apache settings.
    Tags:
    Steps To Reproduce:
    Additional Information: Create a directory outside the Web root named class or the same directory inside the Web root with a Web server config line to limit access to the class directory.
    Create a class named cacert in a class file named cacert.php in the class directory.
    Add common code to every page to start with the loading of the cacert class.
    In the constructor of cacert, register an autoloader function named autoloader.
    Create the autoloader function to load classes from the class directory if they exist.

    The class could also set directory paths and other similar values, such as the domain name, for use on every page.
    System Description Test version of the CAcert website
    Attached Files: cacert.php (36 bytes) 2018-11-04 07:01
    http://bugs.cacert.org/file_download.php?file_id=441&type=bug
    index.php (26,831 bytes) 2018-11-04 07:01
    http://bugs.cacert.org/file_download.php?file_id=442&type=bug
    cacert.ini (221 bytes) 2018-11-04 07:03
    http://bugs.cacert.org/file_download.php?file_id=443&type=bug
    cacert-2.php (359 bytes) 2018-11-04 07:03
    http://bugs.cacert.org/file_download.php?file_id=444&type=bug
    cacert-3.php (2,264 bytes) 2018-11-04 07:03
    http://bugs.cacert.org/file_download.php?file_id=445&type=bug
    Notes
    (0005647)
    pmoulding@cacert.org   
    2018-11-04 07:01   
    I modified index.php in my test to include a cacert.php.
    (0005648)
    pmoulding@cacert.org   
    2018-11-04 07:03   
    The included cacert.php brings in a common cacert.php file from outside the Web root. There is a .ini file at the same level.
    (0005649)
    pmoulding@cacert.org   
    2018-11-04 07:03   
    The cacert.php file includes class/cacert.php
    (0005650)
    pmoulding@cacert.org   
    2018-11-04 07:07   
    This structure was copied from other projects. You might like to work on the names, locations, and what is included from the .ini. I started a separate issue for the .ini and included the .ini here only as a simple way to load the .ini. The contents of the .ini would be better discussed in the other issue.
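    The bootstrap described in the Additional Information above, as an added example that is not the cacert.php, cacert-3.php or cacert.ini attached to this issue: a cacert class that reads an .ini file and registers an autoloader confined to one class directory. It assumes PHP 5.3 or newer; the class directory, the Greeter class and the .ini file are constructed at run time so the script runs on its own.

```php
<?php
// Added example (not the files attached to this issue): the "cacert" class
// from the Additional Information steps, with an autoloader that only ever
// maps plain class names onto files inside the configured class directory.
// Assumes PHP >= 5.3.

class cacert
{
    private $classDir;
    public $config = array();

    public function __construct($classDir, $iniFile = null)
    {
        // realpath() pins the directory down so a relative or symlinked
        // path cannot later resolve somewhere else.
        $real = realpath($classDir);
        if ($real === false || !is_dir($real)) {
            throw new InvalidArgumentException("class directory not found: $classDir");
        }
        $this->classDir = $real;

        // Optional .ini with site-wide values (domain name, paths, ...).
        if ($iniFile !== null && is_readable($iniFile)) {
            $this->config = parse_ini_file($iniFile);
        }

        // One registration replaces the scattered require/require_once calls.
        spl_autoload_register(array($this, 'autoloader'));
    }

    // Load <classDir>/<ClassName>.php if it exists; otherwise do nothing, so
    // other registered autoloaders (or a clear "class not found") follow.
    public function autoloader($class)
    {
        // Only plain identifiers are mapped to files: namespace separators,
        // "..", slashes and anything else that could leave classDir are ignored.
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $class)) {
            return;
        }
        $file = $this->classDir . DIRECTORY_SEPARATOR . $class . '.php';
        if (is_file($file)) {
            require_once $file;
        }
    }
}

// --- constructed sample environment (created and removed by this script) ---
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cacert_class_' . getmypid();
mkdir($dir, 0700);
file_put_contents($dir . '/Greeter.php',
    "<?php\nclass Greeter { public function hello(\$who) { return \"Hello, \$who\"; } }\n");
file_put_contents($dir . '/cacert.ini', "domain = \"test.cacert.org\"\n");

$cacert = new cacert($dir, $dir . '/cacert.ini');

// Greeter was never required explicitly; the autoloader resolves it.
$g = new Greeter();
echo $g->hello($cacert->config['domain']), "\n";

// A name that is not a plain identifier is never turned into a file path.
echo class_exists('../Outside', true) ? "loaded?!\n" : "rejected\n";

unlink($dir . '/Greeter.php');
unlink($dir . '/cacert.ini');
rmdir($dir);
```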


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1253 [Main CAcert Website] website content minor have not tried 2014-03-02 11:22 2018-11-05 10:36
    Reporter: INOPIAE Platform:  
    Assigned To: egal OS:  
    Priority: normal OS Version:  
    Status: needs review Product Version: 2014 Q1  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version: 2015 Q2  
    Reviewed by: Ted
    Test Instructions: Cause error messages and see if the HTML is using CSS classes instead of style attributes
    Summary: Remove deprecated <font> formatting
    Description: The font tag is deprecated. Use span or div instead and possibly create a proper CSS class for it (or reuse an existing one).
    Tags:
    Steps To Reproduce:
    Additional Information:
    Attached Files:
    Notes
    (0004615)
    MartinGummi   
    2014-03-04 21:24   
    FIX https://github.com/magujs/cacert-devel/tree/bug-1253
    (0005280)
    INOPIAE   
    2015-01-27 21:03   
    I tried to log in with a wrong passphrase.
    In the HTML code there was no font tag around the error message.
    => OK
    (0005281)
    Eva   
    2015-01-27 21:16   
    It would be nice to know where there can be errors to be able to test them.
    (0005306)
    Eva   
    2015-02-03 21:26   
    Benny collected the following error messages (copy from pad):
    - account_stuff: general account error messages
    - general_stuff: general error messages
    - includes/shutdown.php
    - (tverify errors)
    - account/14: Pass Phrase der *
    - (account/40: Mailinglist Note)
    - index/0: disabled functions ...
    - index/1: Pass Phrase der *
    - (index/11: Mailinglist Note)
    - index/6: Pass Phrase der *
    - wot/1: CATS/Assurer
    - wot/5: general error output
    - wot/8: general error output
    - wot/9: general error output
    - www/gpg: GPG key errors
    - www/wot: general warning output
    (0005331)
    Eva   
    2015-02-24 22:06   
    (Last edited: 2015-03-03 22:07)
    Could test without issues:
    account/14 -> ok
    index/1 - multiple situations -> ok
    index/6 - multiple situations -> ok
    wot/5: general error output - multiple situations -> ok
    www/wot: general warning output -> ok [however the error as such is wrong]
    gpg: GPG key errors -> ok

    not testable without access to testserver:
    includes/shutdown.php
    index/0: disabled functions ...

    not testable at all, as it was removed:
    (tverify errors)
    (account/40: Mailinglist Note)
    (index/11: Mailinglist Note)

    account_stuff: general account error messages
    - unsure what this should be, some account errors produced at index/1 -> ok?

    general_stuff: general error messages
    - unsure what this should be
    file not found errors -> ok


    Could not produce the errors on the following pages - according to Felix they are deleted before they are shown
    wot/8: general error output
    wot/9: general error output

    Even though there should be a situation where the following page displays an "error" in the tables for users who have no CATS but 100 points, those users were just not shown, so I could not test this error:
    wot/1: CATS/Assurer
    edit: could see this later -> ok


    General note:
    It would be good if errors were always displayed in the same manner.

    => those that I could produce were OK - could not do a complete test

    (0005351)
    BenBE   
    2015-03-03 21:26   
    added:
    - includes/account.php
    - includes/keygen.php
    - pages/advertising/1.php
    (0005352)
    INOPIAE   
    2015-03-03 21:27   
    (Last edited: 2015-03-03 21:37)
    tested:
    all wot/pages all displayed error showed an error class => ok
    index/1 and 6 all displayed error showed an error class => ok

    account/14 all displayed error showed an error class => ok

    advertising/1 displayed error showed an error class => ok
     => ok

    (0005353)
    Eva   
    2015-03-03 21:54   
    (Last edited: 2015-03-03 22:03)
    - includes/account.php is
    account/14 -> is improved compared to last test
    -> ok

    - includes/keygen.php
    -> needs IE without activeX - I do not have access to this browser at the moment, so no test from me for this
    -> not tested

    - pages/advertising/1.php is
    advertising.php?id=1 - I do not see anything there
    -> ok
    (Hint: you need to have Add Admin rights = 1 - relog after you set this flag)


    => OK, as far as I could test it (did not retest other things)

    (0005354)
    BenBE   
    2015-03-03 22:12   
    As the bugtracker currently doesn't show the patches you can find them alternatively https://github.com/CAcertOrg/cacert-devel/compare/release...bug-1253
    (0005611)
    Ted   
    2018-10-20 21:56   
    (Last edited: 2018-10-20 21:56)
    I removed a trailing semicolon in one style attribute.
    The specification at https://www.w3.org/TR/css-style-attr/#Syntax%20and%20Parsing does not allow trailing semicolons in style attributes, though AFAIK it is tolerated by most browsers.

    Since this is in fact a fallback to the previous version (and an extremely minor change) I don't think that this has to go through testing once more.

    All other changes are acceptable. One might argue the class names, since "error_indicator" is used to indicate (IMHO) warnings in some places, but insisting on a change here would be nitpicking. I'll leave this to a followup bug report if someone also feels this way.

    The review is PASSED.

    (0005612)
    Ted   
    2018-10-20 22:18   
    Hmm, this issue has already been reviewed by BenBE in 2015, and AFAIK he was a Software Assessor then. So this issue might be considered as reviewed by two SAs, but there have been code changes (beyond my little one) after BenBE's first review...
    (0005654)
    Ted   
    2018-11-05 10:36   
    Dirk, can you just give a second review? It's a quite easy job, and could help to warm up for the other jobs to follow...


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1439 [Main CAcert Website] misc major always 2018-05-13 19:14 2018-11-01 21:12
    Reporter: Ted Platform:  
    Assigned To: egal OS:  
    Priority: normal OS Version:  
    Status: fix available Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by:
    Test Instructions:
    Summary: Changes needed for cats_import.php for new PHP version
    Description: As noticed by Wytze, the old version of cats_import.php seems not to work with the updated OS (Debian
    Jessie). Obviously the format of the server variable SSL_CLIENT_S_DN has changed, so matching the Upload DN does not work anymore.

    Wytze has installed a hotfix to get the CATS result upload working again, but there is also another issue here when checking for the DN, the check should make sure that the complete emailAddress field is checked, the current check could probably be fooled by a certificate issued for cats@cacert.org.evildomain.com. I guess that was the intention of the reviewer's comment, but it looks like I did not get it then... :-(
    Tags:
    Steps To Reproduce:
    Additional Information: Complete mail from Wytze:

    Hi Ted,

    Since we have upgraded the CAcert chroot application environment to Debian
    Jessie on the webdb production server, it appears that import from CATS
    does not work anymore. I noticed these messages in the errorlog:

    [Sun Apr 29 06:35:01.458559 2018] [:error] [pid 17899] [client
    213.154.225.243:59570] PHP Fatal error: Unauthorized access:
    ip(213.154.225.243) server(secure.cacert.org) https(on)
    cert(emailAddress=cats@cacert.org,CN=CAcert WoT User) in
    /www/www/cats/cats_import.php on line 60

    Looking at the code, it seems that the match for the email address in
    the presented certificate is failing. Somehow with the new PHP version
    the / is no longer appearing in front of emailAddress=cats@cacert.org.

    I have made the following tentative fix:

    wytze@webdb:/home/cacert/www/www/cats$ cvs diff -u cats_import.php
    Index: cats_import.php
    ===================================================================
    RCS file: /var/lib/cvs/cacert/www/cats/cats_import.php,v
    retrieving revision 1.7
    diff -u -r1.7 cats_import.php
    --- cats_import.php 10 Jun 2012 09:10:54 -0000 1.7
    +++ cats_import.php 5 May 2018 08:11:52 -0000
    @@ -48,7 +48,7 @@
      $https == 'on' &&
      // Comment (to be romeved): better to use preg_match matching the end of the
    line (since this is on the end of the line right?)
      // Ted: Is this specified? I don't think so, therefore I'd keep stristr
    - strlen(stristr($ssl_client_s_dn, '/emailAddress=cats@cacert.org')) > 0
    + strlen(stristr($ssl_client_s_dn, 'emailAddress=cats@cacert.org')) > 0
     ) $access = TRUE;

     if ($access !== TRUE) {
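    Review bot: the replacement line `strlen(stristr($ssl_client_s_dn, 'emailAddress=cats@cacert.org')) > 0` is still a substring search, so it also accepts a DN whose emailAddress merely starts with cats@cacert.org (the cats@cacert.org.evildomain.com case named in the description) or one that carries that string inside another attribute's value; split the DN into its components and compare the emailAddress component for equality instead, which also works for both the old '/'-separated and the new comma-separated format. The inline comment marked "to be romeved" should also be dropped before the checkin.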
    wytze@webdb:/home/cacert/www/www/cats$

    and this restored operation of the CATS upload operation.

    Can you provide us with an official checkin request for this change,
    so it gets recorded in the CVS tree?

    Regards,
    -- wytze
    Attached Files:
    Notes
    (0005589)
    Ted   
    2018-05-14 20:32   
    Checked in branch bug-1439 to Github. Maybe it has to be merged into the repository of git.cacert.org...
    (0005636)
    Ted   
    2018-11-01 21:10   
    Dirk, since I wrote the patch I really cannot review it myself. Can you give a try? And maybe we can try the "two developer reviews replace one Assessor review" variant?
    (0005637)
    Ted   
    2018-11-01 21:12   
    The issue also has to be tested. To test on the testserver I'll have to get the test-CATS-upload running again...
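    An exact-match version of the emailAddress check discussed in this issue, as an added example that is not CAcert's cats_import.php: it parses SSL_CLIENT_S_DN in both the old slash-separated and the new comma-separated form and compares the emailAddress component for equality, which rejects the cats@cacert.org.evildomain.com case the description mentions. The function names and the sample DNs are constructed for the example.

```php
<?php
// Added example (not CAcert's cats_import.php): split SSL_CLIENT_S_DN into
// its components and compare the emailAddress attribute for equality instead
// of searching for a substring.
//
// mod_ssl has delivered the subject DN in two formats:
//   legacy:   "/CN=CAcert WoT User/emailAddress=cats@cacert.org"
//   RFC 2253: "emailAddress=cats@cacert.org,CN=CAcert WoT User"
// The '/'-anchored substring check from the issue only matches the first
// format; a plain substring check matches both, but also matches
// "emailAddress=cats@cacert.org.evildomain.com".

/**
 * Parse a subject DN string into an array of attribute => value.
 * Handles both the legacy '/'-separated form and the comma-separated form.
 * Keys are lower-cased; if an attribute repeats, the last value wins.
 */
function parse_subject_dn(string $dn): array
{
    $dn = trim($dn);
    if ($dn === '') {
        return [];
    }
    if ($dn[0] === '/') {
        // Legacy format: every component is preceded by '/'.
        $parts = preg_split('~(?<!\\\\)/~', substr($dn, 1));
    } else {
        // RFC 2253 style: components separated by ',' (backslash escapes allowed).
        $parts = preg_split('~(?<!\\\\),~', $dn);
    }
    $attrs = [];
    foreach ($parts as $part) {
        $eq = strpos($part, '=');
        if ($eq === false) {
            continue; // malformed component, ignore it
        }
        $key   = strtolower(trim(substr($part, 0, $eq)));
        $value = stripslashes(trim(substr($part, $eq + 1)));
        $attrs[$key] = $value;
    }
    return $attrs;
}

/**
 * True only if the DN's emailAddress attribute equals $expected exactly.
 * strcasecmp keeps the case-insensitivity of the stristr() call it replaces.
 */
function dn_has_exact_email(string $dn, string $expected): bool
{
    $attrs = parse_subject_dn($dn);
    if (!isset($attrs['emailaddress'])) {
        return false;
    }
    return strcasecmp($attrs['emailaddress'], $expected) === 0;
}

// Constructed sample DNs (not taken from real certificates).
$expected = 'cats@cacert.org';
$samples = [
    '/CN=CAcert WoT User/emailAddress=cats@cacert.org'   => true,
    'emailAddress=cats@cacert.org,CN=CAcert WoT User'    => true,
    'emailAddress=CATS@CACERT.ORG,CN=CAcert WoT User'    => true,
    'emailAddress=cats@cacert.org.evildomain.com,CN=x'   => false, // substring check accepts this
    'CN=emailAddress=cats@cacert.org'                    => false, // substring check accepts this too
    '/CN=CAcert WoT User'                                => false,
];
foreach ($samples as $dn => $want) {
    $got = dn_has_exact_email($dn, $expected);
    printf("%-52s -> %s (%s)\n", $dn, $got ? 'accept' : 'reject',
           $got === $want ? 'as expected' : 'MISMATCH');
}
```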


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1379 [Main CAcert Website] tweak always 2015-04-10 17:07 2018-11-01 21:00
    Reporter: rubo77 Platform: Main CAcert Website  
    Assigned To: BenBE OS: N/A  
    Priority: normal OS Version: stable  
    Status: needs review & testing Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by: BenBE
    Test Instructions: see below https://bugs.cacert.org/view.php?id=1379#c5410
    Summary: add hint how to install certificate in your email client
    Description: For many users it is not obvious how to install a generated cert in Thunderbird, because there is no link to get a p12 file
    Tags:
    Steps To Reproduce: click on the link to see your certificate for a certain email:

    https://secure.cacert.org/account.php?id=6&cert=[your id here]
    Additional Information: There are only three links:

        Install the certificate in your browser
        Download the certificate in PEM format
        Download the certificate in DER format

    but no explanation how to retrieve the needed p12 file for Thunderbird.

    Please add one line after

        Install the certificate into your browser


    like

        (and export it for your e-mail client afterwards)


    I edited the page in github here:

    https://github.com/CAcertOrg/cacert-devel/compare/release...rubo77:patch-1
    System Description Production version of the CAcert website
    Attached Files:
    Notes
    (0005375)
    rubo77   
    2015-04-10 17:08   
    Pull Request:

    https://github.com/CAcertOrg/cacert-devel/pull/2
    (0005379)
    Eva   
    2015-04-28 19:30   
    As there are collections about how to work with certificates in the Wiki for different browsers and with different approaches, I think it would make a lot more sense to place a link to the wiki instead of describing it in the software.

    Additionally this would be more or less a handbook for OTHER software projects. If those other projects change how they handle certificates we would have to change our software just to maintain a handbook for them, not because the software itself would have to be adapted.
    (0005408)
    INOPIAE   
    2015-06-17 19:46   
    (Last edited: 2015-06-17 19:47)
    After the discussion in the software telco about the text I created a fix and pushed it to https://github.com/INOPIAE/CAcert/commit/5dc9fb148fb2f996bee22e45513a2953f66a2dce

    (0005410)
    INOPIAE   
    2015-06-23 19:41   
    (Last edited: 2015-06-23 20:11)
    Test instructions:
    1. If you are not logged in the menu should show a menu entry funding with a link to the current funding projects.
    2. After the creation of a client certificate the final page should show text about how to find information to install your certificate with a link to the wiki.
    3. On the same page there should be a link to the funding page
    4. The donations page should show an entry for funding with a link to the funding page.

    (0005412)
    BenBE   
    2015-06-23 20:13   
    (Last edited: 2015-06-23 20:48)
    Changes can be reviewed at:
    https://github.com/CAcertOrg/cacert-devel/compare/bug-1379

    Or in the CAcert local repository viewer:
    https://git.cacert.org/gitweb/?p=cacert-devel.git;a=commitdiff;h=be0e5e013cc61d9d17dd59b72e8287aa37eb8190
    https://git.cacert.org/gitweb/?p=cacert-devel.git;a=commitdiff;h=059e68aa69c443a5eb574b3bbac2be9dc95038e9
    https://git.cacert.org/gitweb/?p=cacert-devel.git;a=commitdiff;h=3db97e4e1734de5e04b52ad5158e5aed0915ac4e

    (0005413)
    Eva   
    2015-06-23 20:28   
    When I was not logged in, the menu contained a link to a funding page. When I clicked the link, I got the funding page opened in a new window.
    -> ok
    I logged into an account and created a new client certificate.
    When the process was finished, I got a page that contained a link to installing information for the certificate in the wiki and another link about some funding (both contained/"hidden" in the text - I did not find it on first glance)

    When I tried the Wiki-Link, the according wiki page was opened in the SAME window.
    There was no direct possibility to get back to the final-certificate-creation-page; using the "back"-option of the browser got me back to the start of the certificate creation process
    -> not optimal

    I completed another certificate completion process.
    When I tried the Funding-Link the funding page was opened in the SAME window.
    There was no direct possibility to get back to the final-certificate-creation-page; using the "back"-option of the browser got me back to the start of the certificate creation process
    -> not optimal


    It would be a lot better to have both links opened in a new page as it is when one is not logged in. This is especially true as one would miss the other information about the certificate and the other link.

    This is not tragic as one can find the same information and page by going to "view certificate" and clicking at the specific certificate that one had just created. However this may be disturbing and unintuitive for new users.

    -> ok but not optimal
    (0005414)
    BenBE   
    2015-06-23 20:46   
    The change request for opening the links in a new window has been applied to the bug branch and ported to the testserver.
    (0005415)
    Eva   
    2015-06-23 20:49   
    I created a new certificate and saw again the text with the two links.

    Both links opened a new window with the according content (see last test done by me).
    -> ok

    When not logged in there is no change to above test.
    -> ok

    => OK
    (0005419)
    rubo77   
    2015-07-13 22:45   
    The link to the Wiki is correct. But on that wiki page there is missing a hint that you have to import the certificate into your email client after you exported it to your local drive
    (0005635)
    Ted   
    2018-11-01 21:00   
    I just rebased the bug-1379 to the current release branch. So, we could continue work on this issue...


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1076 [CATS.cacert.org] User Interface tweak always 2012-06-25 20:52 2018-09-03 20:20
    Reporter: Lemming Platform:  
    Assigned To: OS:  
    Priority: low OS Version:  
    Status: new Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Summary: Show incorrect answers of others
    Description: If I change the value of parameter 'lp_id' in an url like this https://cats.cacert.org//index.php?site=progress&action=showIncorrectAnswers&lp_id=00000&t_id=2, I can see the questions which were incorrectly answered by others.

    Tags:
    Steps To Reproduce: *Login to CATS
    *Click 'Progress'
    *Select a challenge you've already done
    *Click on the blue question mark
    *Change value of 'lp_id' in your address bar into >= 4
    Additional Information:
    Attached Files:
    Notes
    (0005609)
    Ted   
    2018-09-03 20:20   
    Aehm... yes.

    Not really nice (because not anticipated), but is this a problem?


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1437 [IRC] cacert-votebot feature always 2018-04-06 17:21 2018-04-06 17:21
    Reporter: jandd Platform:  
    Assigned To: jandd OS:  
    Priority: normal OS Version:  
    Status: new Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Summary: votebot should identify to nickserv
    Description: It would be useful to allow to identify votebot to nickserv to allow automatic permissions by chanserv and claim the votebot nickname
    Tags:
    Steps To Reproduce:
    Additional Information:
    Attached Files:
    There are no notes attached to this issue.


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1436 [IRC] cacert-votebot feature always 2018-04-06 09:38 2018-04-06 09:38
    Reporter: jandd Platform: irc  
    Assigned To: jandd OS:  
    Priority: normal OS Version:  
    Status: new Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Summary: votebot should provide commands to change the vote and meeting channels
    Description: It would be a good idea to allow switching the votebot to a different meeting or vote channel via an IRC command. Currently a configuration change by an admin on ircserver is necessary.
    Tags:
    Steps To Reproduce:
    Additional Information:
    Attached Files:
    There are no notes attached to this issue.


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1435 [IRC] cacert-votebot feature always 2018-04-06 09:36 2018-04-06 09:36
    Reporter: jandd Platform: irc  
    Assigned To: jandd OS:  
    Priority: low OS Version:  
    Status: new Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Summary: votebot should (optionally) restrict starting votes to a subset of users
    Description: It would be good if votebot would only accept vote (and maybe other commands in the future) from specific users only. It could either have an own ACL or use some set of channel permissions from the vote channel (i.e. voice or op) to base its permissions on.
    Tags:
    Steps To Reproduce:
    Additional Information:
    Attached Files:
    There are no notes attached to this issue.


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1433 [Main CAcert Website] website content minor always 2018-04-04 09:43 2018-04-04 09:43
    Reporter: thiloh Platform: Main CAcert Website  
    Assigned To: OS: N/A  
    Priority: normal OS Version: stable  
    Status: new Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by:
    Test Instructions:
    Summary: Login with certificate not possible
    Description: The login with certificate is not possible because the server secure.cacert.org doesn't provide a valid certificate.
    All certificates are imported into (various) browser (root, level3 and personal).

    Similar behavior on Firefox, Chrome and Safari on Mac
    Tags: login error
    Steps To Reproduce:
    Additional Information:
    System Description Production version of the CAcert website
    Attached Files:
    There are no notes attached to this issue.


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1421 [Main CAcert Website] website content major have not tried 2017-02-15 07:40 2018-02-10 10:11
    Reporter: oitconz Platform: Linux  
    Assigned To: OS: Linux  
    Priority: normal OS Version: Mint Latest  
    Status: new Product Version: 2015 Q3  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by:
    Test Instructions:
    Summary: Certificate error logging in
    Description: The main site comes up with a cert error - using an older outdated version of https to connect to the site.
    Tags: login error
    Steps To Reproduce: go to main site using firefox.
    Additional Information:
    System Description Production version of the CAcert website
    Attached Files:
    Notes
    (0005573)
    L10N   
    2018-01-08 22:32   
    Have the root certificates installed in your browser?

    You may find the root certificates here: https://www.cacert.org/?id=3
    Further readings are here: https://wiki.cacert.org/FAQ/BrowserClients


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1202 [Main CAcert Website] certificate issuing major N/A 2013-08-16 16:03 2018-02-10 10:09
    Reporter: equinox Platform: all  
    Assigned To: OS: all  
    Priority: normal OS Version: all  
    Status: confirmed Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by:
    Test Instructions:
    Summary: Support for Elliptic Curve Certificates
    Description: As some experts are talking about the possibility that RSA and classic DH may be unsure to use in 4 to 5 years [1][2], it might be nice to have support for ECDSA certificates. I tried to sign a CSR using ECDSA some days ago but the system never returned a certificate... I assume it got ignored because ECC is not supported by now.

    [1] .. http://fr.arxiv.org/abs/1306.4244
    [2] .. http://www.technologyreview.com/news/517781/math-advances-raise-the-prospect-of-an-internet-security-crisis/
    Tags: future, new feature
    Steps To Reproduce:
    Additional Information: same as 0001238;
    have same experience using elliptic keys that are fine for Mozilla and others.
    My signing request, on basis of key alg. secp384r1, still worked 6 months ago. But now asking for renewal the check_weak_key.php says that the key algorithm is not recognized and so signing done because of security. This is the default after only some RSA tests.
    Now have to redo all security of the webserver because cacert doesn't know DH and elliptic keys anymore.
    Requests were generated with latest openssl. Please restore this functionality!
    Attached Files:
    Notes
    (0004246)
    ott   
    2013-08-24 12:01   
    I can confirm this. I remember from a short conversation with BenBE about this that OpenSSL just has to be upgraded. A quick look at cacert-devel a82f507306a9eba8a9f5dff82d2091dbd29edf71 confirms this.
    (0005031)
    ckujau   
    2014-09-25 22:35   
    Hm, I don't understand - https://github.com/CAcertOrg/cacert-devel/commit/a82f507306a9eba8a9f5dff82d2091dbd29edf71 updates some text files...?

    Also, when I try to get an EC CSR signed, it's not "not returning a certificate", but it's printing out an error here, without much detail though:

    1) openssl ecparam -name prime256v1 -out foo_ecparam.pem
    2) openssl req -newkey ec:foo_ecparam.pem -sha512 -out foo_ec.csr \
              -keyout foo_ec.key -nodes \
              -subj "/C=AB/ST=Foo/L=Bar/O=Baz/OU=foo.net/CN=foo.net/emailAddress=admin@foo.net"
    3) Go to https://www.cacert.org/account.php?id=10 and paste foo_ec.csr gives:

       The keys you supplied use an unrecognized algorithm.
       For security reasons these keys can not be signed by CAcert.
    (0005464)
    klondike   
    2015-10-08 21:10   
    This still seems to be an issue. Are there any plans for this?
    (0005493)
    My1   
    2016-01-19 00:04   
    I can't do it as well. Trying with a p521 key for tinfoil hat reasons (replacing a 16k RSA key)
    (0005494)
    BenBE   
    2016-02-02 20:20   
    There are plans for support for this.

    The comment in https://github.com/CAcertOrg/cacert-devel/blob/release/includes/lib/check_weak_key.php#L205 is related to DSA.

    For ECDSA (ECC) to work, the appropriate checks need to be implemented to verify the provided ECDSA key is sane. These checks are currently still completely missing. Providing a patch for these will help greatly.
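    One shape such an ECDSA sanity check could take, as an added example that is not CAcert's check_weak_key.php: it reads the public key out of a PEM CSR with PHP's OpenSSL extension and accepts only keys on a named curve from a short allowlist, rejecting explicit-parameter keys and unknown curves; the function names, the allowlist, the RSA threshold and the generated sample CSRs are the example's own choices.

```php
<?php
// Added example (not CAcert's check_weak_key.php): sanity check for the
// public key in a CSR, extended to ECDSA. Only named curves from the
// allowlist below are accepted; everything else is rejected with a reason.
// Needs PHP >= 7.1 (curve_name in openssl_pkey_get_details()).

const ALLOWED_EC_CURVES = ['prime256v1', 'secp384r1', 'secp521r1']; // example choice
const MIN_RSA_BITS = 2048;                                            // example threshold

/**
 * Returns null if the key in the PEM CSR is acceptable, otherwise a
 * human-readable reason for rejecting it.
 */
function check_csr_key(string $csr_pem): ?string
{
    $pub = openssl_csr_get_public_key($csr_pem);
    if ($pub === false) {
        return 'The CSR could not be parsed.';
    }
    $details = openssl_pkey_get_details($pub);
    if ($details === false) {
        return 'The public key in the CSR could not be read.';
    }
    switch ($details['type']) {
        case OPENSSL_KEYTYPE_RSA:
            return $details['bits'] >= MIN_RSA_BITS
                ? null
                : "RSA key is only {$details['bits']} bits long.";
        case OPENSSL_KEYTYPE_EC:
            // Explicit (non-named) curve parameters leave curve_name unset;
            // treat those as unrecognised rather than trying to validate them.
            $curve = $details['ec']['curve_name'] ?? null;
            if ($curve === null) {
                return 'EC key does not use a named curve.';
            }
            if (!in_array($curve, ALLOWED_EC_CURVES, true)) {
                return "EC curve $curve is not on the allowlist.";
            }
            return null;
        default:
            // Same wording the issue quotes from the website.
            return 'The keys you supplied use an unrecognized algorithm.';
    }
}

/** Generate a throw-away CSR for the demonstration (constructed, not a real request). */
function make_sample_csr(array $key_options): string
{
    $key = openssl_pkey_new($key_options);
    if ($key === false) {
        throw new RuntimeException('key generation failed: ' . openssl_error_string());
    }
    $csr = openssl_csr_new(['commonName' => 'foo.net'], $key, ['digest_alg' => 'sha256']);
    if ($csr === false) {
        throw new RuntimeException('CSR generation failed: ' . openssl_error_string());
    }
    openssl_csr_export($csr, $pem);
    return $pem;
}

$samples = [
    'EC prime256v1' => ['private_key_type' => OPENSSL_KEYTYPE_EC, 'curve_name' => 'prime256v1'],
    'EC secp384r1'  => ['private_key_type' => OPENSSL_KEYTYPE_EC, 'curve_name' => 'secp384r1'],
    'EC secp256k1'  => ['private_key_type' => OPENSSL_KEYTYPE_EC, 'curve_name' => 'secp256k1'],
    'RSA 2048'      => ['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048],
    'RSA 1024'      => ['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 1024],
];
foreach ($samples as $label => $options) {
    $reason = check_csr_key(make_sample_csr($options));
    printf("%-14s -> %s\n", $label, $reason ?? 'accepted');
}
```

The first two EC samples and RSA 2048 are accepted; secp256k1 is rejected as not allowlisted and RSA 1024 as too short.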
    (0005544)
    travm1   
    2017-04-07 22:10   
    Interesting read about ECC
    https://www.everipedia.com/Elliptic_curve_cryptography/
    (0005558)
    thalamus   
    2017-10-16 12:48   
    awesome, thanks travm1

    http://www.thalamus.co


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1429 [Main CAcert Website] translations text have not tried 2017-11-29 17:18 2017-12-19 14:03
    Reporter: marian Platform:  
    Assigned To: OS:  
    Priority: normal OS Version:  
    Status: needs review & testing Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by:
    Test Instructions:
    Summary: german translation of verify page is not understandable
    Description: the German translation of the verify.php?type=domain ... page is completely wrong.

    it reads "bitte überprüfen Sie diese Domain". If I hadn't done this before and could guess that "verify" is meant I wouldn't have understood it.

    please change it to "bestätigen" (also on the confirmation page that follows), which is the correct translation in this case.

    (and please introduce a translation process that includes testing the ui with the generated strings, then this would have been noticed)
    Tags: Translation
    Steps To Reproduce:
    Additional Information:
    Attached Files: verify.png (11,896 bytes) 2017-11-29 17:18
    http://bugs.cacert.org/file_download.php?file_id=421&type=bug
    Notes
    (0005568)
    L10N   
    2017-12-19 14:02   
    I changed the translation in line 150 and 152 ("Ja, ...." and "Domain....")


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1344 [Wiki] organisational section text always 2014-12-13 14:11 2017-11-08 15:21
    Reporter: HansMaulwurf Platform: Main CAcert Website  
    Assigned To: OS: N/A  
    Priority: high OS Version: stable  
    Status: new Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Summary: Wrong install instruction for the root cert for Red Hat Linux.
    Description: On the page http://wiki.cacert.org/FAQ/ImportRootCert#Linux
    is written:
    Red Hat 5+: wget -O - http://www.cacert.org/certs/root.txt >> /etc/pki/tls/certs/ca-bundle.crt (this will be overridden by updated openssl RPMs so it is likely not the best method)

    Red Hat 4: Change the above location of ca-bundle.crt to /usr/share/ssl/certs/ca-bundle.crt

    Fedora: Copy the certificate to /etc/pki/ca-trust/source/anchors/ then run update-ca-trust extract

    But this is wrong, because
    - RHEL 4 is deprecated and only supported under very special terms.
    - for RHEL generation 7 the same instruction as for Fedora should be used.
    - The correct call for Fedora is "update-ca-trust" instead of "update-ca-trust extract".
    Tags: linux, Redhat, tutorial, Wiki
    Steps To Reproduce:
    Additional Information:
    System Description Production version of the CAcert website
    Attached Files:
    Notes
    (0005178)
    L10N   
    2014-12-15 13:14   
    I put a warning on that Wiki page and linked to this bug.
    (0005192)
    L10N   
    2014-12-18 21:30   
    Maybe the information from this document [1] could be helpful?

    [1] http://www.trustis.com/healthcare/support/Redhatlinuxguide.pdf
    (0005194)
    HansMaulwurf   
    2014-12-18 21:43   
    No, because all paths for the cert files described in it are wrong.
    On Red Hat based systems certificates will live at /etc/pki/tls/


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    666 [bugs.cacert.org] misc minor always 2009-01-03 20:22 2017-11-08 15:19
    Reporter: ph3 Platform: Main CAcert Website  
    Assigned To: OS: N/A  
    Priority: normal OS Version: stable  
    Status: new Product Version: production  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Summary: Mantis allows login without SSL/TLS
    Description: Mantis allows logging in without SSL/TLS. You need to manually add the s for SSL/TLS into the location bar of your browser.
    Tags:
    Steps To Reproduce:
    Additional Information: Possible fix:

    check for protocol (HTTP/HTTPS) and redirect to https://$HOST/$SCRIPT?$QUERY_STRING in case if HTTP. As it will mainly redirect on the login page this should not break something.
    System Description Production version of the CAcert website
    Attached Files: rfc3330.txt (16,200 bytes) 2014-10-04 09:53
    http://bugs.cacert.org/file_download.php?file_id=382&type=bug
    Notes
    (0001265)
    Sourcerer   
    2009-01-04 19:35   
    The possibility to login without HTTPS is a feature, not a bug. (So that people that have troubles with importing the root certificate can also file bugs)
    The default login with HTTP is a bug, we would prefer to default to HTTPS login.
    Could you evaluate, whether we can configure that in Mantis, and if not to file a feature request for that feature on http://www.mantisbt.org/
    (0005543)
    bjobjo   
    2017-04-04 16:29   
    Hi,

    The confirmation mail when you register in Mantis redirects you to the non-secure access where you have to define your password.

    Please change all links to https.

    I don't agree for "possibility to login without HTTPS is a feature",
    this is probably a very specific case, you can still offer a redirect page that displays information and a link to a form specific for this kind of problems and a link to the secure site. A FAQ about "cannot access the https site" can also be present on that form to help the user and avoid a ticket if he did not import the root certificate (which is not anymore sufficient as firefox is refusing MD5/RSA signed certificates in the full chain as stated in ticket 0001305).

    So please, secure all our sites and make it state of the art.

    Thanks a lot for the hard work!


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    972 [CATS.cacert.org] Translation: Content minor N/A 2011-08-22 21:18 2017-10-03 12:14
    Reporter: Ted Platform:  
    Assigned To: Ted OS:  
    Priority: normal OS Version:  
    Status: needs work Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Summary: Translation of Assurer Challenge to Dutch
    Description: This is to keep track of the current status of the translation.
    Tags: CATS, Translation
    Steps To Reproduce:
    Additional Information:
    Attached Files:
    Notes
    (0002318)
    Ted   
    2011-08-22 22:10   
    Current status:

    Translation about 60% completed
    (0005181)
    L10N   
    2014-12-15 13:32   
    Is there some progress? Is someone working on it?
    (0005557)
    L10N   
    2017-10-03 12:14   
    > Translation about 60% completed

    Where are these translations? On the pootle, Dutch is translated for only 1%.


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    974 [CATS.cacert.org] Translation: Content minor N/A 2011-08-22 21:20 2017-08-20 13:47
    Reporter: Ted Platform:  
    Assigned To: Ted OS:  
    Priority: normal OS Version:  
    Status: needs work Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Summary: Translation of Assurer Challenge to Spanish
    Description: This is to keep track of the current status of the translation.
    Tags:
    Steps To Reproduce:
    Additional Information:
    Attached Files:
    Notes
    (0002320)
    Ted   
    2011-08-22 22:13   
    Current status:

    New test created, translation not started
    (0003715)
    chema.alonso   
    2013-01-22 19:21   
    I'd like to translate the Assurer Challenge to Spanish. AFAIK I have to tell the number of my client certificate in order to enable access to do the job.

    Is that Ok?

    TIA
    (0005552)
    L10N   
    2017-08-16 20:36   
    @chema.alonso: Yes, please, do it (if not already started)!
    (0005553)
    chema.alonso   
    2017-08-18 14:11   
    Unfortunately one year ago or so I lost access to my CAcert account. I tried to get it back contacting support with no success, so I decided to quit as assurer and translator.
    (0005554)
    L10N   
    2017-08-20 13:47   
    @chema.alonso: I am sorry about that. In fact CAcert had some trouble last spring/summer with a lack of volunteers (not only) for support. This was really a bad time to have troubles :-( But now, support works well again.

    I started like you in 2013 at CAcert. With your help and the help of some others, we will bring CAcert forward. I will see support engineering this week. Please write an e-mail to secretary AT cacert DOT org. There will be a solution in very short time. (Sorry for poor Spanish)

    I see the support engineering this week. please write an e-mail to the secretary AT cacert DOT org There will be a solution in very short time.


    http://wiki.cacert.org/FAQ/LostPasswordOrAccount


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1425 [Main CAcert Website] certificate issuing minor always 2017-04-11 14:02 2017-04-11 14:02
    Reporter: stargrave Platform:  
    Assigned To: OS:  
    Priority: normal OS Version:  
    Status: new Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by:
    Test Instructions:
    Summary: SHA384 hash specifying not working
    Description: I am trying to issue certificate to myself and set in Advanced options that SHA384 should be used. But issued certificate has SHA512 signature. SHA512 and SHA256 specifying works as expected.
    Tags:
    Steps To Reproduce: Create CSR. Login to CAcert.org. Click to new server certificate. Paste CSR in the form and select SHA384. Click submit, submit. Take issued certificate and see its signatureAlgorithm.
    Additional Information: POST data query shows that sha384 information is sent: description=&CSR=BASE64(CSR)&hash_alg=sha384&CCA=on&process=Submit&oldid=10
    Attached Files:
    There are no notes attached to this issue.


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1278 [Main CAcert Website] GPG/PGP minor have not tried 2014-05-13 20:05 2017-04-10 02:59
    Reporter: hanno Platform:  
    Assigned To: OS:  
    Priority: normal OS Version:  
    Status: new Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by:
    Test Instructions:
    Summary: CAcert PGP key is using outdated and insecure crypto algorithms (DSA/1024 bit)
    Description: The CAcert PGP signing key is currently a 1024 bit DSA key. 1024 Bit discrete logarithm based algorithms are not considered secure these days and DSA itself is a very questionable algorithm, because it easily can completely break when used with bad randomness.

    I suggest CAcert creates a new PGP signing key with 4096 bit RSA and defaults to SHA512-signatures (both for key self-signatures and for signing other keys).
    Tags:
    Steps To Reproduce:
    Additional Information:
    Attached Files:
    Notes
    (0005545)
    arsantiqua   
    2017-04-10 02:59   
    Current (52.0.2 64 bit) Firefox flags this with:

    www.cacert.org uses an invalid security certificate. The certificate is not trusted because it was signed using a signature algorithm that was disabled because that algorithm is not secure. Error code: SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED

    with the following:

    https://www.cacert.org/index.php?id=4

    The certificate was signed using a signature algorithm that is disabled because it is not secure.

    HTTP Strict Transport Security: false
    HTTP Public Key Pinning: false

    Certificate chain:

    -----BEGIN CERTIFICATE-----
    MIIHbDCCBVSgAwIBAgIDApAnMA0GCSqGSIb3DQEBCwUAMFQxFDASBgNVBAoTC0NB
    Y2VydCBJbmMuMR4wHAYDVQQLExVodHRwOi8vd3d3LkNBY2VydC5vcmcxHDAaBgNV
    BAMTE0NBY2VydCBDbGFzcyAzIFJvb3QwHhcNMTYwNDIxMTA0NDMyWhcNMTgwNDIx
    MTA0NDMyWjBbMQswCQYDVQQGEwJBVTEMMAoGA1UECBMDTlNXMQ8wDQYDVQQHEwZT
    eWRuZXkxFDASBgNVBAoTC0NBY2VydCBJbmMuMRcwFQYDVQQDEw53d3cuY2FjZXJ0
    Lm9yZzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANwriThHegmvvYFB
    2X281mJ5d+F2AEEZwaBSSSWoq75BYRJ5l5ke8QHGcx3c8CZDPlPjopyYCIy8LRhA
    75IfVhRnR5imikVG4Gsvp57vAzwrxBtiAh8IqZKSlok30IaZ062G7uPNXaxwNZGY
    c4CcAD2MRmTAxBbVan+wa+h/NTwTa/OfZwjaVdU4mDFJpegGl6tqm10+AdZW7bvP
    Hbg5GPnn8WON0UzR5avrGDkU8013ruFH/Y0G/FlqnAsFAkf20rFYDLRLXzb29Olh
    f6arkF+HOrsnanfyqjwyv5sgvZva3iXmEo0a7NhK2dGM1pO9Pd2AqkvjGARMI0ud
    WrQkDThvoGEV2BvgBqQpF8WYBhlxMr7ToG4y2Dxc+wXgXSy6zPIgZqVwq9OZ4qit
    TeXIiwWQp6nAYlJcPWuDNX2EoTi0FUKn2xCzbDr+i2ZtfZ6NYytxUq+ZwSOZ/o18
    AXnMk82YO95WUFzFbTXrYKF6Sae8caHO92ptjl2tVxLPPRzsIDBMEh2/97fp1jxO
    RjgwWMnBISwznbgIlG9/lY7/DaPHCYlAnIfsqvAasH3SRm5XedmGW4kyOD7D1Cpo
    6vTSk4gs3MyaNvGt9wYATuunqwRjJVX83L/JfrDfxZ8CCb1s+JyYgTPMpbtyvZbN
    1DHYLVfpFL5Nwtx3sZzuMteflQ7NAgMBAAGjggI+MIICOjAMBgNVHRMBAf8EAjAA
    MA4GA1UdDwEB/wQEAwIDqDA0BgNVHSUELTArBggrBgEFBQcDAgYIKwYBBQUHAwEG
    CWCGSAGG+EIEAQYKKwYBBAGCNwoDAzAzBggrBgEFBQcBAQQnMCUwIwYIKwYBBQUH
    MAGGF2h0dHA6Ly9vY3NwLmNhY2VydC5vcmcvMDgGA1UdHwQxMC8wLaAroCmGJ2h0
    dHA6Ly9jcmwuY2FjZXJ0Lm9yZy9jbGFzczMtcmV2b2tlLmNybDCCAXMGA1UdEQSC
    AWowggFmgg53d3cuY2FjZXJ0Lm9yZ6AcBggrBgEFBQcIBaAQDA53d3cuY2FjZXJ0
    Lm9yZ4IRc2VjdXJlLmNhY2VydC5vcmegHwYIKwYBBQUHCAWgEwwRc2VjdXJlLmNh
    Y2VydC5vcmeCEnd3d21haWwuY2FjZXJ0Lm9yZ6AgBggrBgEFBQcIBaAUDBJ3d3dt
    YWlsLmNhY2VydC5vcmeCCmNhY2VydC5vcmegGAYIKwYBBQUHCAWgDAwKY2FjZXJ0
    Lm9yZ4IOd3d3LmNhY2VydC5uZXSgHAYIKwYBBQUHCAWgEAwOd3d3LmNhY2VydC5u
    ZXSCCmNhY2VydC5uZXSgGAYIKwYBBQUHCAWgDAwKY2FjZXJ0Lm5ldIIOd3d3LmNh
    Y2VydC5jb22gHAYIKwYBBQUHCAWgEAwOd3d3LmNhY2VydC5jb22CCmNhY2VydC5j
    b22gGAYIKwYBBQUHCAWgDAwKY2FjZXJ0LmNvbTANBgkqhkiG9w0BAQsFAAOCAgEA
    XL8FnUS7W++IWGIOz6fMVM5ogZ5NU6ahhJbH0V8A6nT1Gyis6rYFbr4U3skd0s+H
    RykGtoGtP0dqQGMWvAoUdUpLJSIWGP9GhtALf6+9+C5xkN1j52sRfyil2N43of3N
    DWRr+A0ax1eh5GFqK8QUTQ7NoNjlUBKBhoh4ZmruXcDUxNigzMucbgAjf8wjZKtR
    qq6UwNKIOxEw3MD3Pb+EMSxFNuYrwXN3U1ooB2yYJgDk0He6yt6VHIv+17p3xJz+
    x039WT707FpzJN7kWMACODrVQ+OR+4X6cqCXgXX42D0itWpMEImRpxd5c5cz3Ig1
    CDZMbRKDzv/cfHtJr2ynNSS2YE5uZVfsAgcb2Ojel20NTq+82kJz428RRfdnGAyK
    OFio3jsO3H31+r7EX4VwQ5UinW2R+eJa/Y7nk5SHeY4eKIKNjpuV7DkACECJMBk6
    NlOfHRFztJZOD/WVx9SxdtGlX3cvphcaJYu64JBnAEkmW0HcV4hsfq9e/rshRhcw
    9myA4xXOm9urimuD6WngdvId6Q8Vz9f7BAwHpGQ4NqvUUeH2rXnjjdJz6C4DJ+sp
    7kIhmrncsjnLXEtiSLn93aUDKOzdwrLsUgo96txhnq1CEPx8z/KRL1awUVkUay10
    luJ3B+FKLh1avFSX3gbUqZm1ZrmeWZf5IT3EjB9K0wk=
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIHWTCCBUGgAwIBAgIDCkGKMA0GCSqGSIb3DQEBCwUAMHkxEDAOBgNVBAoTB1Jv
    b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ
    Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y
    dEBjYWNlcnQub3JnMB4XDTExMDUyMzE3NDgwMloXDTIxMDUyMDE3NDgwMlowVDEU
    MBIGA1UEChMLQ0FjZXJ0IEluYy4xHjAcBgNVBAsTFWh0dHA6Ly93d3cuQ0FjZXJ0
    Lm9yZzEcMBoGA1UEAxMTQ0FjZXJ0IENsYXNzIDMgUm9vdDCCAiIwDQYJKoZIhvcN
    AQEBBQADggIPADCCAgoCggIBAKtJNRFIfNImflOUz0Op3SjXQiqL84d4GVh8D57a
    iX3h++tykA10oZZkq5+gJJlz2uJVdscXe/UErEa4w75/ZI0QbCTzYZzA8pD6Ueb1
    aQFjww9W4kpCz+JEjCUoqMV5CX1GuYrz6fM0KQhF5Byfy5QEHIGoFLOYZcRD7E6C
    jQnRvapbjZLQ7N6QxX8KwuPr5jFaXnQ+lzNZ6MMDPWAzv/fRb0fEze5ig1JuLgia
    pNkVGJGmhZJHsK5I6223IeyFGmhyNav/8BBdwPSUp2rVO5J+TJAFfpPBLIukjmJ0
    FXFuC3ED6q8VOJrU0gVyb4z5K+taciX5OUbjchs+BMNkJyIQKopPWKcDrb60LhPt
    XapI19V91Cp7XPpGBFDkzA5CW4zt2/LP/JaT4NsRNlRiNDiPDGCbO5dWOK3z0luL
    oFvqTpa4fNfVoIZwQNORKbeiPK31jLvPGpKK5DR7wNhsX+kKwsOnIJpa3yxdUly6
    R9Wb7yQocDggL9V/KcCyQQNokszgnMyXS0XvOhAKq3A6mJVwrTWx6oUrpByAITGp
    rmB6gCZIALgBwJNjVSKRPFbnr9s6JfOPMVTqJouBWfmh0VMRxXudA/Z0EeBtsSw/
    LIaRmXGapneLNGDRFLQsrJ2vjBDTn8Rq+G8T/HNZ92ZCdB6K4/jc0m+YnMtHmJVA
    BfvpAgMBAAGjggINMIICCTAdBgNVHQ4EFgQUdahxYEyIE/B42Yl3tW3Fid+8sXow
    gaMGA1UdIwSBmzCBmIAUFrUyG9TH8+DmjvO90rA67rI5GNGhfaR7MHkxEDAOBgNV
    BAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAG
    A1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYS
    c3VwcG9ydEBjYWNlcnQub3JnggEAMA8GA1UdEwEB/wQFMAMBAf8wXQYIKwYBBQUH
    AQEEUTBPMCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5DQWNlcnQub3JnLzAoBggr
    BgEFBQcwAoYcaHR0cDovL3d3dy5DQWNlcnQub3JnL2NhLmNydDBKBgNVHSAEQzBB
    MD8GCCsGAQQBgZBKMDMwMQYIKwYBBQUHAgEWJWh0dHA6Ly93d3cuQ0FjZXJ0Lm9y
    Zy9pbmRleC5waHA/aWQ9MTAwNAYJYIZIAYb4QgEIBCcWJWh0dHA6Ly93d3cuQ0Fj
    ZXJ0Lm9yZy9pbmRleC5waHA/aWQ9MTAwUAYJYIZIAYb4QgENBEMWQVRvIGdldCB5
    b3VyIG93biBjZXJ0aWZpY2F0ZSBmb3IgRlJFRSwgZ28gdG8gaHR0cDovL3d3dy5D
    QWNlcnQub3JnMA0GCSqGSIb3DQEBCwUAA4ICAQApKIWuRKm5r6R5E/CooyuXYPNc
    7uMvwfbiZqARrjY3OnYVBFPqQvX56sAV2KaC2eRhrnILKVyQQ+hBsuF32wITRHhH
    Va9Y/MyY9kW50SD42CEH/m2qc9SzxgfpCYXMO/K2viwcJdVxjDm1Luq+GIG6sJO4
    D+Pm1yaMMVpyA4RS5qb1MyJFCsgLDYq4Nm+QCaGrvdfVTi5xotSu+qdUK+s1jVq3
    VIgv7nSf7UgWyg1I0JTTrKSi9iTfkuO960NAkW4cGI5WtIIS86mTn9S8nK2cde5a
    lxuV53QtHA+wLJef+6kzOXrnAzqSjiL2jA3k2X4Ndhj3AfnvlpaiVXPAPHG0HRpW
    Q7fDCo1y/OIQCQtBzoyUoPkD/XFzS4pXM+WOdH4VAQDmzEoc53+VGS3FpQyLu7Xt
    hbNc09+4ufLKxw0BFKxwWMWMjTPUnWajGlCVI/xI4AZDEtnNp4Y5LzZyo4AQ5OHz
    0ctbGsDkgJp8E3MGT9ujayQKurMcvEp4u+XjdTilSKeiHq921F73OIZWWonO1sOn
    ebJSoMbxhbQljPI/lrMQ2Y1sVzufb4Y6GIIiNsiwkTjbKqGTqoQ/9SdlrnPVyNXT
    d+pLncdBu8fA46A/5H2kjXPmEkvfoXNzczqA6NXLji/L6hOn1kGLrPo8idck9U60
    4GGSt/M3mMS+lqO3ig==
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIHPTCCBSWgAwIBAgIBADANBgkqhkiG9w0BAQQFADB5MRAwDgYDVQQKEwdSb290
    IENBMR4wHAYDVQQLExVodHRwOi8vd3d3LmNhY2VydC5vcmcxIjAgBgNVBAMTGUNB
    IENlcnQgU2lnbmluZyBBdXRob3JpdHkxITAfBgkqhkiG9w0BCQEWEnN1cHBvcnRA
    Y2FjZXJ0Lm9yZzAeFw0wMzAzMzAxMjI5NDlaFw0zMzAzMjkxMjI5NDlaMHkxEDAO
    BgNVBAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEi
    MCAGA1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJ
    ARYSc3VwcG9ydEBjYWNlcnQub3JnMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC
    CgKCAgEAziLA4kZ97DYoB1CW8qAzQIxL8TtmPzHlawI229Z89vGIj053NgVBlfkJ
    8BLPRoZzYLdufujAWGSuzbCtRRcMY/pnCujW0r8+55jE8Ez64AO7NV1sId6eINm6
    zWYyN3L69wj1x81YyY7nDl7qPv4coRQKFWyGhFtkZip6qUtTefWIonvuLwphK42y
    fk1WpRPs6tqSnqxEQR5YYGUFZvjARL3LlPdCfgv3ZWiYUQXw8wWRBB0bF4LsyFe7
    w2t6iPGwcswlWyCR7BYCEo8y6RcYSNDHBS4CMEK4JZwFaz+qOqfrU0j36NK2B5jc
    G8Y0f3/JHIJ6BVgrCFvzOKKrF11myZjXnhCLotLddJr3cQxyYN/Nb5gznZY0dj4k
    epKwDpUeb+agRThHqtdB7Uq3EvbXG4OKDy7YCbZZ16oE/9KTfWgu3YtLq1i6L43q
    laegw1SJpfvbi1EinbLDvhG+LJGGi5Z4rSDTii8aP8bQUWWHIbEZAWV/RRyH9XzQ
    QUxPKZgh/TMfdQwEUfoZd9vUFBzugcMd9Zi3aQaRIt0AUMyBMawSB3s42mhb5ivU
    fslfrejrckzzAeVLIL+aplfKkQABi6F1ITe1Yw1nPkZPcCBnzsXWWdsC4PDSy826
    YreQQejdIOQpvGQpQsgi3Hia/0PsmBsJUUtaWsJx8cTLc6nloQsCAwEAAaOCAc4w
    ggHKMB0GA1UdDgQWBBQWtTIb1Mfz4OaO873SsDrusjkY0TCBowYDVR0jBIGbMIGY
    gBQWtTIb1Mfz4OaO873SsDrusjkY0aF9pHsweTEQMA4GA1UEChMHUm9vdCBDQTEe
    MBwGA1UECxMVaHR0cDovL3d3dy5jYWNlcnQub3JnMSIwIAYDVQQDExlDQSBDZXJ0
    IFNpZ25pbmcgQXV0aG9yaXR5MSEwHwYJKoZIhvcNAQkBFhJzdXBwb3J0QGNhY2Vy
    dC5vcmeCAQAwDwYDVR0TAQH/BAUwAwEB/zAyBgNVHR8EKzApMCegJaAjhiFodHRw
    czovL3d3dy5jYWNlcnQub3JnL3Jldm9rZS5jcmwwMAYJYIZIAYb4QgEEBCMWIWh0
    dHBzOi8vd3d3LmNhY2VydC5vcmcvcmV2b2tlLmNybDA0BglghkgBhvhCAQgEJxYl
    aHR0cDovL3d3dy5jYWNlcnQub3JnL2luZGV4LnBocD9pZD0xMDBWBglghkgBhvhC
    AQ0ESRZHVG8gZ2V0IHlvdXIgb3duIGNlcnRpZmljYXRlIGZvciBGUkVFIGhlYWQg
    b3ZlciB0byBodHRwOi8vd3d3LmNhY2VydC5vcmcwDQYJKoZIhvcNAQEEBQADggIB
    ACjH7pyCArpcgBLKNQodgW+JapnM8mgPf6fhjViVPr3yBsOQWqy1YPaZQwGjiHCc
    nWKdpIevZ1gNMDY75q1I08t0AoZxPuIrA2jxNGJARjtT6ij0rPtmlVOKTV39O9lg
    18p5aTuxZZKmxoGCXJzN600BiqXfEVWqFcofN8CCmHBh22p8lqOOLlQ+TyGpkO/c
    gr/c6EWtTZBzCDyUZbAEmXZ/4rzCahWqlwQ3JNgelE5tDlG+1sSPypZt90Pf6DBl
    Jzt7u0NDY8RD97LsaMzhGY4i+5jhe1o+ATc7iwiwovOVThrLm82asduycPAtStvY
    sONvRUgzEv/+PDIqVPfE94rwiCPCR/5kenHA0R6mY7AHfqQv0wGP3J8rtsYIqQ+T
    SCX8Ev2fQtzzxD72V7DX3WnRBnc0CkvSyqD/HMaMyRa+xMwyN2hzXwj7UfdJUzYF
    CpUCTPJ5GhD22Dp1nPMd8aINcGeGG7MW9S/lpOt5hvk9C8JzC6WZrG/8Z7jlLwum
    GCSNe9FINSkYQKyTYOGWhlC0elnYjyELn8+CkcY7v2vcB5G5l1YjqrZslMZIBjzk
    zk6q5PYvCdxTby78dOs6Y5nCpqyJvKeyRKANihDjbPIky/qbn3BHLt4Ui9SyIAmW
    omTxJBzcoTWcFbLUvFUufQb1nA5V9FrWk9p2rSVzTMVD
    -----END CERTIFICATE-----
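    The Firefox error above names a disabled signature algorithm but not which certificate in the chain carries it, and issue 1425 earlier on this page asks how to read the signatureAlgorithm of an issued certificate. The following is an added Python example, not part of either bug report and not CAcert code: it walks the DER structure of a PEM certificate with a minimal parser (no third-party libraries) and reports the outer signatureAlgorithm OID. The embedded certificate is the root copied verbatim from the chain in note 0005545; the OID name table and the "weak" set are standard values assumed for this illustration. Decoding that root yields md5WithRSAEncryption, which current browsers refuse.

```python
import base64
import re

# Root certificate copied verbatim from the chain posted in note 0005545 above.
CACERT_ROOT_PEM = """-----BEGIN CERTIFICATE-----
MIIHPTCCBSWgAwIBAgIBADANBgkqhkiG9w0BAQQFADB5MRAwDgYDVQQKEwdSb290
IENBMR4wHAYDVQQLExVodHRwOi8vd3d3LmNhY2VydC5vcmcxIjAgBgNVBAMTGUNB
IENlcnQgU2lnbmluZyBBdXRob3JpdHkxITAfBgkqhkiG9w0BCQEWEnN1cHBvcnRA
Y2FjZXJ0Lm9yZzAeFw0wMzAzMzAxMjI5NDlaFw0zMzAzMjkxMjI5NDlaMHkxEDAO
BgNVBAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEi
MCAGA1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJ
ARYSc3VwcG9ydEBjYWNlcnQub3JnMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC
CgKCAgEAziLA4kZ97DYoB1CW8qAzQIxL8TtmPzHlawI229Z89vGIj053NgVBlfkJ
8BLPRoZzYLdufujAWGSuzbCtRRcMY/pnCujW0r8+55jE8Ez64AO7NV1sId6eINm6
zWYyN3L69wj1x81YyY7nDl7qPv4coRQKFWyGhFtkZip6qUtTefWIonvuLwphK42y
fk1WpRPs6tqSnqxEQR5YYGUFZvjARL3LlPdCfgv3ZWiYUQXw8wWRBB0bF4LsyFe7
w2t6iPGwcswlWyCR7BYCEo8y6RcYSNDHBS4CMEK4JZwFaz+qOqfrU0j36NK2B5jc
G8Y0f3/JHIJ6BVgrCFvzOKKrF11myZjXnhCLotLddJr3cQxyYN/Nb5gznZY0dj4k
epKwDpUeb+agRThHqtdB7Uq3EvbXG4OKDy7YCbZZ16oE/9KTfWgu3YtLq1i6L43q
laegw1SJpfvbi1EinbLDvhG+LJGGi5Z4rSDTii8aP8bQUWWHIbEZAWV/RRyH9XzQ
QUxPKZgh/TMfdQwEUfoZd9vUFBzugcMd9Zi3aQaRIt0AUMyBMawSB3s42mhb5ivU
fslfrejrckzzAeVLIL+aplfKkQABi6F1ITe1Yw1nPkZPcCBnzsXWWdsC4PDSy826
YreQQejdIOQpvGQpQsgi3Hia/0PsmBsJUUtaWsJx8cTLc6nloQsCAwEAAaOCAc4w
ggHKMB0GA1UdDgQWBBQWtTIb1Mfz4OaO873SsDrusjkY0TCBowYDVR0jBIGbMIGY
gBQWtTIb1Mfz4OaO873SsDrusjkY0aF9pHsweTEQMA4GA1UEChMHUm9vdCBDQTEe
MBwGA1UECxMVaHR0cDovL3d3dy5jYWNlcnQub3JnMSIwIAYDVQQDExlDQSBDZXJ0
IFNpZ25pbmcgQXV0aG9yaXR5MSEwHwYJKoZIhvcNAQkBFhJzdXBwb3J0QGNhY2Vy
dC5vcmeCAQAwDwYDVR0TAQH/BAUwAwEB/zAyBgNVHR8EKzApMCegJaAjhiFodHRw
czovL3d3dy5jYWNlcnQub3JnL3Jldm9rZS5jcmwwMAYJYIZIAYb4QgEEBCMWIWh0
dHBzOi8vd3d3LmNhY2VydC5vcmcvcmV2b2tlLmNybDA0BglghkgBhvhCAQgEJxYl
aHR0cDovL3d3dy5jYWNlcnQub3JnL2luZGV4LnBocD9pZD0xMDBWBglghkgBhvhC
AQ0ESRZHVG8gZ2V0IHlvdXIgb3duIGNlcnRpZmljYXRlIGZvciBGUkVFIGhlYWQg
b3ZlciB0byBodHRwOi8vd3d3LmNhY2VydC5vcmcwDQYJKoZIhvcNAQEEBQADggIB
ACjH7pyCArpcgBLKNQodgW+JapnM8mgPf6fhjViVPr3yBsOQWqy1YPaZQwGjiHCc
nWKdpIevZ1gNMDY75q1I08t0AoZxPuIrA2jxNGJARjtT6ij0rPtmlVOKTV39O9lg
18p5aTuxZZKmxoGCXJzN600BiqXfEVWqFcofN8CCmHBh22p8lqOOLlQ+TyGpkO/c
gr/c6EWtTZBzCDyUZbAEmXZ/4rzCahWqlwQ3JNgelE5tDlG+1sSPypZt90Pf6DBl
Jzt7u0NDY8RD97LsaMzhGY4i+5jhe1o+ATc7iwiwovOVThrLm82asduycPAtStvY
sONvRUgzEv/+PDIqVPfE94rwiCPCR/5kenHA0R6mY7AHfqQv0wGP3J8rtsYIqQ+T
SCX8Ev2fQtzzxD72V7DX3WnRBnc0CkvSyqD/HMaMyRa+xMwyN2hzXwj7UfdJUzYF
CpUCTPJ5GhD22Dp1nPMd8aINcGeGG7MW9S/lpOt5hvk9C8JzC6WZrG/8Z7jlLwum
GCSNe9FINSkYQKyTYOGWhlC0elnYjyELn8+CkcY7v2vcB5G5l1YjqrZslMZIBjzk
zk6q5PYvCdxTby78dOs6Y5nCpqyJvKeyRKANihDjbPIky/qbn3BHLt4Ui9SyIAmW
omTxJBzcoTWcFbLUvFUufQb1nA5V9FrWk9p2rSVzTMVD
-----END CERTIFICATE-----"""

# Standard signature AlgorithmIdentifier OIDs (RFC 3279, RFC 4055, RFC 5758).
OID_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
WEAK_SIGNATURES = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}  # disabled in current browsers


def pem_to_der(pem):
    """Strip the PEM armour and base64-decode the body to DER."""
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END", pem, re.S).group(1)
    return base64.b64decode("".join(body.split()))


def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def decode_oid(raw):
    """OID content octets to dotted form; the first octet packs the first two arcs."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends the base-128 encoded arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def signature_algorithm(der):
    """Return (oid, name) of the outer signatureAlgorithm, the second element of
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, start, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = read_tlv(der, start)        # skip over tbsCertificate
    tag, alg_start, _ = read_tlv(der, tbs_end)   # AlgorithmIdentifier SEQUENCE
    tag2, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x30 or tag2 != 0x06:
        raise ValueError("malformed signatureAlgorithm")
    oid = decode_oid(der[oid_start:oid_end])
    return oid, OID_NAMES.get(oid, "unknown")


def is_weak_signature(pem):
    """True when the certificate is signed with a digest browsers have disabled."""
    return signature_algorithm(pem_to_der(pem))[1] in WEAK_SIGNATURES


if __name__ == "__main__":
    print(signature_algorithm(pem_to_der(CACERT_ROOT_PEM)), is_weak_signature(CACERT_ROOT_PEM))
```

    Paste any other PEM certificate from the chain into signature_algorithm(pem_to_der(...)) to see its algorithm; for the SHA384 question in issue 1425, the name returned for the issued certificate is exactly the field the reporter inspected. Note that the parser reads the outer signatureAlgorithm only; a full validator would also compare it with the signature field inside tbsCertificate, which RFC 5280 requires to be identical.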


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1424 [test.cacert.org] test.cacert.org minor always 2017-03-29 06:05 2017-03-29 06:05
    Reporter: TomA32123 Platform: Default  
    Assigned To: OS: any  
    Priority: normal OS Version: any  
    Status: new Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Summary: HP Printer Certificate Error
    Description: When I try to add the certificate to my HP printer to enable the scan to email function I receive the following error:

    The certificate is not RFC 5280 compliant.
    Tags:
    Steps To Reproduce:
    Additional Information:
    System Description Default profile.
    Attached Files:
    There are no notes attached to this issue.


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1422 [Main CAcert Website] website content major have not tried 2017-02-15 07:43 2017-02-15 07:43
    Reporter: oitconz Platform: Linux  
    Assigned To: OS: Linux  
    Priority: normal OS Version: Mint Latest  
    Status: new Product Version: 2015 Q3  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by:
    Test Instructions:
    Summary: Failure to confirm email addresses
    Description: Putting my email addresses in returned failures for two of my addresses, which work as I am sending and receiving emails all day on them.

    hollis.org.nz, outsourcedit.co.nz

    One is a Linux server, one is a SmarterMail server. Both handle encryption and passed with an A certification from SSL checkers etc.
    Tags:
    Steps To Reproduce: email me shane@outsourcedit.co.nz
    Additional Information:
    System Description Production version of the CAcert website
    Attached Files:
    There are no notes attached to this issue.


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1419 [Main CAcert Website] website content minor always 2016-12-19 12:23 2016-12-19 12:23
    Reporter: Ludovic Platform: Main CAcert Website  
    Assigned To: OS: N/A  
    Priority: normal OS Version: stable  
    Status: new Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by:
    Test Instructions:
    Summary: Issue with displaying "é" as "&eacute;" in "Client Certificates - View all certificates"
    Description: For URL https://www.cacert.org/account.php?id=5
    In the column Revoked the text "Not Revoked" is displayed "Non r&eacute;voqu&eacute;" instead of "Non révoqué" for French translation.

    The HTML source code is: "<td class="DataTD">Non r&amp;eacute;voqu&amp;eacute;</td>"
    But should be "<td class="DataTD">Non révoqué</td>"

    The "é" is correctly converted to "&eacute;" but then the "&" is translated to "&amp;".
    Tags:
    Steps To Reproduce: Switch to French in the default language (URL https://www.cacert.org/account.php?id=41)
    Then display the list of user certificates (URL https://www.cacert.org/account.php?id=5)
    Additional Information: The HTML page uses content="text/html; charset=utf-8" so it should be possible to directly use the "é" in utf-8.
    System Description Production version of the CAcert website
    Attached Files: cacert.png (210,963 bytes) 2016-12-19 12:23
    http://bugs.cacert.org/file_download.php?file_id=419&type=bug
    There are no notes attached to this issue.


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1418 [CATS.cacert.org] Content (Questions and Answers) minor always 2016-10-09 12:57 2016-10-13 19:13
    Reporter: bortzmeyer Platform:  
    Assigned To: Ted OS:  
    Priority: normal OS Version:  
    Status: solved? Product Version: production  
    Product Build: Resolution: no change required  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Summary: "New Hebrides" no longer exist
    Description: About passports, CATS mentions a passport for "New Hebrides". This country has been called Vanuatu since its independence (and their passport is not on http://www.worldpassports.org/ ..)
    Tags:
    Steps To Reproduce:
    Additional Information:
    Attached Files:
    Notes
    (0005528)
    Ted   
    2016-10-13 19:13   
    This is intentional. You found the easter egg! :-)

    Please have a look at https://en.wikipedia.org/wiki/Camouflage_passport and https://wiki.cacert.org/AcceptableDocuments#Passports


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1238 [Main CAcert Website] certificate issuing minor have not tried 2014-01-09 09:35 2016-09-17 13:02
    Reporter: INOPIAE Platform:  
    Assigned To: OS:  
    Priority: normal OS Version:  
    Status: confirmed Product Version: 2014 Q1  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version: 2014 Q3  
    Reviewed by:
    Test Instructions:
    Summary: Problems with signing server certs with elliptic curve crypto
    Description: Taken from ticket s20140108.81
    User tries to create a server cert with EC which is in pending mode for more than 24 hours.
    The CSR shows the following:
     Subject Public Key Info:
       Public Key Algorithm: id-ecPublicKey
       EC Public Key:
       pub: ....
       ASN1 OID: prime256v1
       Attributes:
             a0:00
       Signature Algorithm: ecdsa-with-SHA256
    Tags:
    Steps To Reproduce:
    Additional Information:
    Attached Files:
    There are no notes attached to this issue.


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    223 [Main CAcert Website] account administration feature always 2006-05-01 07:57 2016-08-28 08:44
    Reporter: Sourcerer Platform:  
    Assigned To: OS:  
    Priority: low OS Version:  
    Status: confirmed Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by:
    Test Instructions:
    Summary: Auditor Interface
    Description: We need an auditor interface in the web-interface, both for internal and external auditors.
    The auditor should have the function of running predefined queries against the database, and see the result of them.
    Needed functionality:
    * List of all accounts with the Admin Bit
    * List of all accounts with non-[A-Za-z0-9] characters in any fields
    * List of all certificates with Punycode in them
    * List of all Orga-Assurers, together with their country
    * List of all Location-DB-Admins, together with their country
    * List of all countries, and the amount of assurers, users (certificates) in that country
    ...
    Tags:
    Steps To Reproduce:
    Additional Information:
    Attached Files:
    Notes
    (0000214)
    bluec   
    2006-05-01 08:00   
    This could also be extended to an Apache logfile analysis. There have been exploits in the CAcert source that could only be detected by looking at the Apache logfiles.

    e.g. http://bugs.cacert.org/view.php?id=152
    (0000215)
    Sourcerer   
    2006-05-01 08:00   
    * List of all accounts that have >= 50 points, and have been assured by less than 2 people
    * List of all accounts that have >= 100 points, and have been assured by less than 3 people
    (0005527)
    Eva   
    2016-08-28 08:44   
    Is there an Arbitration ruling to provide this kind of access? Else this would neither be covered by Security Policy nor by Privacy Policy.


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    859 [Main CAcert Website] account administration feature N/A 2010-09-04 06:57 2016-08-28 08:41
    Reporter: JSteijlen Platform:  
    Assigned To: NEOatNHNG OS:  
    Priority: high OS Version:  
    Status: needs work Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by: NEOatNHNG
    Test Instructions:
    Summary: feature request: show activity on an account in the admin interface.
    Description: Sometimes it's hard to judge if an account is still in use.
    Quite often there are no recent assurances made/received.

    Showing the date of last activity (any kind, the kind itself is not interesting) can aid support in judging whether an account is still active, or languishing into bit-rot.
    Kinds of activity to update this feature could be assurances (of both variations), certificate creation, or even last login.


    account creation date would also be nice.
    Tags:
    Steps To Reproduce:
    Additional Information:
    Attached Files: 43_859_110826.php (18,680 bytes) 2011-08-26 10:22
    http://bugs.cacert.org/file_download.php?file_id=203&type=bug
    43-859-diff-20110826.diff (2,048 bytes) 2011-08-26 10:54
    http://bugs.cacert.org/file_download.php?file_id=209&type=bug
    Notes
    (0002327)
    Uli60   
    2011-08-23 03:03   
    affected date fields:
    table users.created "2010-04-15 14:05:45"
    table users.modified "2011-08-23 03:21:01" (last login)
    table notary.date "04.08.2010" The Assurance Date the assurer added
    table notary.when "2010-08-04 13:38:26" the date and time assurance was entered
                                            into the system
    other tables like emailcerts displays the creation date and modification date/time
    activity in such areas are also shown by table users.modified
    (0002329)
    Uli60   
    2011-08-23 13:08   
    (Last edited: 2011-08-23 13:09)
    > account creation date would also be nice.
    account created:
     "this month" | "this year" | "after Apr 2009" | "before Apr 2009"
    is enough debug info to display in case of problems with user account.
     "this month" | "this year" gives info that the account was a newly created account
    "after Nov 2007" | "before Nov 2007" gives enough info if CCA acceptance potentially exists or not. Apr (or was it June 2009 ?!?) the accept CCA checkbox was set mandatory

    So a one-liner info below the user infos can be given without disclosing too much PII info, but it is helpful in support requests
    see also bug 0000975

    (0002353)
    Uli60   
    2011-08-26 10:23   
    fix separated in 43_859_110826.php
    code based on cacert
    commit ce4bfbaf0c2babb5bba2568d3b8712e1615aa651
    (0002785)
    NEOatNHNG   
    2012-01-23 20:13   
    I have reviewed Uli's patch, modified it slightly and added it to the test server. Please review and test the changes.
    (0002789)
    Uli60   
    2012-01-24 04:48   
    (Last edited: 2012-01-24 04:55)
    login with admin account, Sysadmin - find user

    search user 1, account created and used today
    test.dedispute@o...
    Account Activity
    Account created: this month => OK
    Last activity: this month => OK

    search user 2, (my own admin account), created by the time, testserver started
    ulrich@c.o
    Account Activity
    Account created: between June 2009 and this year => OK
    Last activity: this month => OK

    search user 3: one of the new created accounts for tests within this year
    bug975.user1@w...
    Account Activity
    Account created: between June 2009 and this year => OK
    Last activity: within last 12 months => OK

    overall result => OK

    One sidenote:
    regarding "minimal" assurer errors regarding DoB, the absolute account creation date might be useful -> e.g. account created effective date 2012-01-24, effective DoB: 1970-01-20, DoB in online account: 1970-01-24
    -or-
    created account 2012-01-19, effective DoB 1970-01-13, DoB in online account 1970-01-19
    This error can be seen as "using today's day number" while creating the account

    (0002797)
    NEOatNHNG   
    2012-01-26 20:25   
    I have just implemented the changes discussed in the last meeting:
    - The creation date is now shown exactly
    - The section is now hidden by default. If you need to see it you have to click on the heading.

    Please retest and review
    (0002816)
    INOPIAE   
    2012-01-31 22:01   
    I tested different accounts.
    Each account viewed in SE console first shows only account activity as headline without data- => ok
    Clicking onto the account shows the correct values. => ok
    =>ok
    (0002817)
    MartinGummi   
    2012-01-31 22:06   
    login with my admin account, Sysadmin - find user

    test@sh23.tld
    Account created: 2010-08-24 22:06:06
    Last activity: before 2 years

    lll@sh23.tld
    Account created: 2010-10-19 18:47:20
    Last activity: this month

    admin-bug827@sh23.tld
    Account created: 2011-02-21 23:22:46
    Last activity: within last 12 months
    (0002819)
    NEOatNHNG   
    2012-02-01 01:49   
    There was a request to show whether the account was accessed within the last 30 days and not whether we are in the same month (which was what the supplied patch did). I have implemented that on the test system.

    Please retest and review.

    I also discovered that the last accessed date is actually only set when logging in via password, not if logging via client cert. Is this desirable?
    (0002820)
    JensK   
    2012-02-04 10:19   
    Sysadmin->Find user
    Looked up a test account I haven't used in a while

    Account activity shows as headline only => OK
    Creation date is correct => OK
    Last Activity is "within the last 6 months" => OK I guess (what granularity is the time supposed to have?)
    Logged into the account, then rechecked => Last activity is now "within the last month" => OK
    (0002824)
    INOPIAE   
    2012-02-07 22:08   
    The last login with certificate should also be processed.

    The activity should show the last activity on the account, either password login or cert login, depending on what was the latest.
    (0002827)
    JensK   
    2012-02-08 13:28   
    Currently none of my test accounts have valid certificates. If I log in to create one, that will reset the last activity to "within the last month", so I can't tell if a subsequent certificate login updates the last activity properly.
    (0002875)
    NEOatNHNG   
    2012-03-13 21:55   
    Modified date is not suitable for account activity as it is not set on certificate login.
    (0005526)
    Eva   
    2016-08-28 08:41   
    In what kind of situation would something like this be useful?


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1259 [Main CAcert Website] account administration minor have not tried 2014-03-16 11:44 2016-08-14 17:44
    Reporter: INOPIAE Platform:  
    Assigned To: OS:  
    Priority: normal OS Version:  
    Status: new Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by:
    Test Instructions:
    Summary: Database cleanup regarding deleted accounts
    Description: This bug is a split of bug 1223 regarding the database cleanup for deleted accounts.
    Tags:
    Steps To Reproduce:
    Additional Information: Original bug text:
    In the support case [s20131125.67] a member asked for a deleted account. He could not access it, and searching in the SE console I could not find it either. However if he used the 'Lost password' link on the login website, entered the email address and correct birthdate, he got to step 2 of password recovery. That means, here his account showed up.

    This looked strange to me, since normally as SE I can search even for deleted email addresses and I find all accounts this email address belongs to or previously belonged. But in this case I didn't find it.

    So I asked Wytze and he told me: "This email address can be found in the table `email`, but with the field `deleted`. It can also be found in the table
    `users`, again with `deleted`."

    It thus showed up that the handling of the `deleted` field in the software is rather inconsistent. I suggest that this handling should be straightened in the way that an SE always can see all email addresses, domains and accounts that ever existed. If there is more than one account, in the list of the accounts to select, a flag should be added to show if it is an active account, email address or domain or if it is deleted.
    Attached Files:
    Notes
    (0005525)
    Eva   
    2016-08-14 17:44   
    Arbitrator entry:
    I am the Arbitrator of a20140316.1 - "database cleanup regarding deleted accounts" [1]. Piet Starreveld is the Case Manager.

    That case is related to bug 0001259.

    I hereby give the following preliminary ruling:

    A patch for bug 1259 may not be set productive until the arbitration case a20140316.1 is decided or there is a ruling in that case that allows to set such a patch productive.

    Eva Stöwe - 2016-08-14

    [1] https://wiki.cacert.org/Arbitrations/a20140316.1


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1416 [Main CAcert Website] certificate issuing major unable to reproduce 2016-07-28 17:56 2016-07-28 17:56
    Reporter: kdb119 Platform: Mac  
    Assigned To: OS: OS X  
    Priority: urgent OS Version: stable  
    Status: new Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by:
    Test Instructions:
    Summary: Not receiving account confirmation e-mail for account creation
    Description: Not receiving account confirmation e-mail. It appears that your SPF MX records do not exist or are incorrectly configured resulting in my ISP rejecting your mail. However, it is impossible for me to check since I don't receive any notification/mail!
    Tags:
    Steps To Reproduce:
    Additional Information:
    System Description Production version of the CAcert website
    Attached Files:
    There are no notes attached to this issue.


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1415 [Main CAcert Website] account administration minor always 2016-06-29 21:13 2016-06-29 21:13
    Reporter: Eva Platform: Main CAcert Website  
    Assigned To: OS: N/A  
    Priority: normal OS Version: stable  
    Status: new Product Version: 2015 Q3  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by:
    Test Instructions: Try to do an email dispute on a deleted email. There should not be a notice sent to support or one of the members as if the email would be part of the old account. For blocked and unblocked accounts. Also verify disputing non-deleted email addresses
    Summary: treat deleted emails like free emails in email disputes functionality
    Description: The email dispute does not distinguish if emails of locked accounts are marked as deleted or not. This leads to a notice to support that someone tried to dispute a dispute from a blocked account and possibly other activities.

    As soon as an email is deleted in an account it can be added to another account. So the email dispute functionality should come to the same conclusion, that there is no need for an email dispute on that email. Regardless if the original account is blocked or not.

    A deleted email address should be treated like a free email address in any situation. (Which is the case everywhere else.)

    Please add a check for deletion of the email address to at least that part of the email dispute functionality.
    Tags:
    Steps To Reproduce: 1. Add an email to an account.
    2. Delete that email and block that account. Alternatively just delete the account (which will do both).
    3. dispute that email from another account.
    Additional Information: This bug was added based on a ruling in arbitration case a20160621.1. For details consult the according case file:
    https://wiki.cacert.org/Arbitrations/a20160621.1

    It could be sensible to check domain disputes for comparable issues.
    System Description Production version of the CAcert website
    Attached Files:
    There are no notes attached to this issue.


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    971 [CATS.cacert.org] Translation: User Interface minor N/A 2011-08-22 21:16 2016-05-03 11:51
    Reporter: Ted Platform:  
    Assigned To: Ted OS:  
    Priority: normal OS Version:  
    Status: needs review & testing Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Summary: User Interface Translation to Spanish
    Description: See language file https://svn.cacert.org/CAcert/Education/CATS/lang/spanish.php
    Tags: CATS, Translation
    Steps To Reproduce:
    Additional Information:
    Attached Files: spanish_php_revision.diff (19,785 bytes) 2013-01-22 19:09
    http://bugs.cacert.org/file_download.php?file_id=315&type=bug
    spanish_php_revision_reviewed.diff (19,822 bytes) 2016-05-03 11:50
    http://bugs.cacert.org/file_download.php?file_id=418&type=bug
    Notes
    (0002317)
    Ted   
    2011-08-22 22:05   
    Translation done by Sebastian Klus

    Two reviews needed
    (0002376)
    INOPIAE   
    2011-08-31 04:31   
    The English version can be found here https://svn.cacert.org/CAcert/Education/CATS/lang/english.php
    (0002380)
    antonio   
    2011-08-31 08:42   
    Review 1 sent by mail to reporter
    (0003714)
    chema.alonso   
    2013-01-22 19:09   
    Uploaded diff file with my revision (spanish_php_revision.diff)

    BTW, the original English file ( https://svn.cacert.org/CAcert/Education/CATS/lang/english.ph) includes the word "informationen" (which I believe is German) at line 156:

    define("Statistic_06","user informationen");

    I think it should be:

    define("Statistic_06","user information");

    Regards.
    (0005182)
    L10N   
    2014-12-15 13:40   
    Ted, could you ask Antonio and another Spanish speaker to review the diff file? It has been waiting for review for nearly two years...
    (0005519)
    jonas   
    2016-05-03 11:51   
    I have reviewed the diff file and made some changes. The updated diff file has been uploaded and is named: spanish_php_revision_reviewed.diff

    If needed, I will look how to download the original spanish file from the git repository, apply the diff and create a pull request.


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1411 [Main CAcert Website] website content minor have not tried 2016-02-09 19:46 2016-03-01 21:44
    Reporter: INOPIAE Platform:  
    Assigned To: BenBE OS:  
    Priority: normal OS Version:  
    Status: needs review & testing Product Version: 2016 Q1  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version: 2016 Q1  
    Reviewed by: BenBE
    Test Instructions: check the PayPal links on these pages /index.php, /index.php/?id=5, /index.php?id=13, /index.php/id=21 point to pages with EUR.
    Summary: Change all PayPal donations buttons to the payment sites of CAcert in EUR
    Description: All buttons should point to the CAcert PayPal payment in EUR
    index.php
    index.php?id=5
    index.php?id=13
    index.php?id=21 not needed as this already points to EUR
    Tags:
    Steps To Reproduce:
    Additional Information:
    Attached Files: Code for the Donation button.txt (357 bytes) 2016-02-09 19:47
    http://bugs.cacert.org/file_download.php?file_id=414&type=bug
    Code for the Password reset button.txt (465 bytes) 2016-02-09 20:54
    http://bugs.cacert.org/file_download.php?file_id=415&type=bug
    Code for the 5 EUR button.txt (460 bytes) 2016-02-09 20:57
    http://bugs.cacert.org/file_download.php?file_id=416&type=bug
    Code for the 50 EUR button.txt (461 bytes) 2016-02-09 20:58
    http://bugs.cacert.org/file_download.php?file_id=417&type=bug
    Notes
    (0005507)
    INOPIAE   
    2016-02-26 06:18   
    I pushed a fix to https://github.com/INOPIAE/CAcert/tree/bug-1411
    (0005508)
    reinhardm   
    2016-02-26 20:54   
    tested all of the above variants
    index.php
    index.php?id=5
    index.php?id=13
    index.php?id=21
    by clicking the paypal button and checked the results.
    All amounts are displayed in euro, the symbol € and the text EUR are displayed.

    Test successful.
    (0005509)
    aterpotiz   
    2016-03-01 20:31   
    test result:

    index.php
        Text AU$50 (wrong text over Button1)
        Button1 --> Paypal € 50.00
        Button 2 --> PayPal € 5.00

    index.php?id=5
        Button1 --> PayPal € 15.00

    index.php?id=13
        Button1 --> PayPal € 0.00 (Change Button Logo to Donation?)

    index.php?id=21
        Button1 --> PayPal € 10.00 / Year
        Button2 --> PayPal € 10.00

    Test for Euro -- OK
    (0005510)
    StefanT   
    2016-03-01 20:33   
    Test with Chrome Version 48.0.2564.116 m
    Paypal Links tested:
    index.php EUR OK Buttons OK
    index.php?id=5 EUR OK Button OK
    index.php?id=13 EUR OK Button is for payment and not for donations
    index.php?id=21 EUR OK Buttons OK
    On page 13 the button should be replaced with a donation button
    (0005511)
    INOPIAE   
    2016-03-01 21:44   
    I pushed a new fix to https://github.com/INOPIAE/CAcert/tree/bug-1411


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1343 [Main CAcert Website] source code major always 2014-12-13 11:46 2016-02-26 19:44
    Reporter: wytze Platform: Main CAcert Website  
    Assigned To: NEOatNHNG OS: N/A  
    Priority: high OS Version: stable  
    Status: ready to deploy Product Version: 2014 Q4  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version: 2015 Q3  
        Target Version: 2014 Q4  
    Reviewed by: NEOatNHNG, BenBE
    Test Instructions: See Steps to Reproduce
    Summary: CommModule server.pl does not respond correctly to start/stop commands
    Description: The CAcert CommModule server.pl code requires a minor fix to respond correctly to the "service commmodule stop" command.
    The current code does not properly take Perl operator priority into account.
    Tags:
    Steps To Reproduce: Try to stop the running signing server (server.pl process) with:
        service commmodule stop
    (NOTE: on the test servers: service commmodule-signer stop).
    Observe that the server.pl process continues running.
    Additional Information: Context diff for the source code fix is:

    @@ -1002,7 +1002,7 @@
     my $count=0;

     #As soon as the client connected successfully, the client has to send a request faster than every 10 seconds
    -while(@ready = $sel->can_read(15) && -f "./server.pl-active")
    +while((@ready = $sel->can_read(15)) && -f "./server.pl-active")
     {
       my $data="";
       #my $length=read SER,$data,1;
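    Review bot: the grouping added in the `+while` line is the entire fix and the reason belongs in a comment next to it, because the old form is a precedence trap: `=` binds looser than `&&`, so `@ready = $sel->can_read(15) && -f "./server.pl-active"` assigned `@ready` the single scalar result of the `&&`, and an array assignment evaluated as a `while` condition yields the number of elements assigned, here always 1, so this test could never end the loop even after server.pl-active was removed. With `(@ready = $sel->can_read(15))` grouped, `@ready` holds the readable handles and the loop ends either when `can_read` returns no handle within the timeout or when the active file is gone. The unchanged comment above the loop still says 10 seconds while the timeout passed to `can_read` is 15; worth aligning the two.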
    System Description Production version of the CAcert website
    Attached Files:
    Notes
    (0005340)
    BenBE   
    2015-03-03 20:40   
    Tested by Crit (wytze) when providing the original patch.
    Also tested by me when restarting the CommModule recently when I applied patches on the testserver.
    (0005442)
    NEOatNHNG   
    2015-07-29 17:02   
    Patch looks OK, although I'm not Perl-literate enough to get why it was not working before. Yes, the @ready would contain a different value, but shouldn't that be false too if the server.pl-active is missing?
    (0005457)
    felixd   
    2015-08-25 20:22   
    Tested on a local installation: The Signer seems to behave identically with or without the brackets. In both cases the perl command terminated within 20 seconds.


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1413 [Main CAcert Website] misc feature always 2016-02-24 20:09 2016-02-24 20:09
    Reporter: BenBE Platform:  
    Assigned To: INOPIAE OS:  
    Priority: normal OS Version:  
    Status: new Product Version: 2016 Q1  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version: 2016 Q2  
    Reviewed by:
    Test Instructions: See steps to reproduce. Target is testing all functions causing zero issues doing so.
    Summary: Introduce CSP and other security headers
    Description: The site should be changed so that the security features of modern browsers can be used (XSS protection, IFrame protection, CSP, CORS, ...). In particular for Content Security Policy (CSP) the following policy should work:

    default-src 'none'; script-src 'self'; img-src 'self'; style-src 'self'; font-src 'self';
    Tags:
    Steps To Reproduce: Use a plugin like "Caspr: Enforcer" and enable the above policy.
    Hitting F12 and refreshing/browsing any page of the webdb should yield no error messages in the Chrome console.
    Additional Information: The above policy requires mostly the following changes:
    - Move JS code to static files
    - Move CSS into the normal style sheet (or separate files)
    - Deliver used fonts locally as static files (or via webstatic / requires slight modification to above policy).
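    As an added example (not code from this bug or the CAcert project), the evaluator below applies the policy above to the kinds of loads the webdb pages make; it shows why inline scripts and styles have to move to static files, and that directives the policy does not list (such as connect-src) fall back to default-src 'none'. The sample URLs and the static-font host are constructed, and the matching is a simplified model of CSP fetch directives.

```javascript
// Added example, not CAcert code: evaluates the CSP proposed in bug 1413 against the
// kinds of loads the webdb pages make. Models CSP fetch-directive matching only
// (no sandbox, report-uri, nonces or hashes); source expressions are 'self', 'none',
// 'unsafe-inline', '*', scheme-sources such as https: and host-sources such as *.example.

const POLICY = "default-src 'none'; script-src 'self'; img-src 'self'; style-src 'self'; font-src 'self';";

// Fetch directives that fall back to default-src when the policy does not set them.
const FALLS_BACK_TO_DEFAULT = new Set([
  'script-src', 'style-src', 'img-src', 'font-src', 'connect-src', 'media-src',
  'object-src', 'frame-src', 'child-src', 'worker-src', 'manifest-src',
]);

// "directive src src; directive ..." -> Map(directive -> [src, ...]).
// A directive repeated inside one policy is ignored after its first occurrence.
function parsePolicy(text) {
  const directives = new Map();
  for (const part of text.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources.map(s => s.toLowerCase()));
    }
  }
  return directives;
}

// The source list governing `directive`, or null when this policy does not restrict it.
function effectiveSources(directives, directive) {
  if (directives.has(directive)) return directives.get(directive);
  if (FALLS_BACK_TO_DEFAULT.has(directive)) return directives.get('default-src') || null;
  return null;
}

const DEFAULT_PORT = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Does one source expression match `url`, requested by a page served from `pageOrigin`?
function sourceMatches(expr, url, pageOrigin) {
  if (expr === "'self'") return url.origin === pageOrigin;
  if (expr.startsWith("'")) return false;   // 'none', 'unsafe-inline', ... never match a URL
  if (expr === '*') return !['data:', 'blob:', 'filesystem:'].includes(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(expr)) return url.protocol === expr;   // scheme-source
  // host-source: [scheme://][*.]host[:port | :*]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^\/:*]+)(?::(\d+|\*))?$/.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme) {
    if (url.protocol !== scheme + ':') return false;
  } else if (url.protocol !== new URL(pageOrigin).protocol && url.protocol !== 'https:') {
    return false;   // no scheme given: the page's scheme (or an https upgrade) is implied
  }
  if (wildcard ? !url.hostname.endsWith('.' + host) : url.hostname !== host) return false;
  if (port && port !== '*' && (url.port || DEFAULT_PORT[url.protocol]) !== port) return false;
  return true;
}

// Is a load permitted? `kind` is the governing directive; inline scripts, styles and
// event handlers are passed as { inline: true } and need 'unsafe-inline' to pass.
function allows(policyText, kind, { url, inline = false, pageOrigin }) {
  const sources = effectiveSources(parsePolicy(policyText), kind);
  if (sources === null) return true;
  if (inline) return sources.includes("'unsafe-inline'");
  return sources.some(expr => sourceMatches(expr, new URL(url), pageOrigin));
}

// Constructed sample loads for a page served from https://www.cacert.org; the CDN host
// is made up. Each entry: label, governing directive, load.
const PAGE_ORIGIN = 'https://www.cacert.org';
const SAMPLE_LOADS = [
  ['inline <script> block in the page',     'script-src',  { inline: true }],
  ['JS moved to a static file on the site', 'script-src',  { url: 'https://www.cacert.org/js/menu.js' }],
  ['style attribute or <style> block',      'style-src',   { inline: true }],
  ['web font from a third-party CDN',       'font-src',    { url: 'https://fonts.cdn.example/f.woff2' }],
  ['XMLHttpRequest to the site itself',     'connect-src', { url: 'https://www.cacert.org/api/status' }],
];

// [label, allowed] per sample load; every `false` would appear as a CSP violation in the
// F12 console during the "Caspr: Enforcer" test the bug describes.
function auditLoads(policyText = POLICY) {
  return SAMPLE_LOADS.map(([label, kind, load]) =>
    [label, allows(policyText, kind, { ...load, pageOrigin: PAGE_ORIGIN })]);
}

// The "slight modification" for fonts served from a separate static host (host constructed):
// widen font-src alone rather than default-src.
const POLICY_WITH_STATIC_FONTS =
  "default-src 'none'; script-src 'self'; img-src 'self'; style-src 'self'; font-src 'self' https://static.example;";

if (typeof require !== 'undefined' && require.main === module) {
  for (const [label, ok] of auditLoads()) console.log(`${ok ? 'allowed' : 'BLOCKED'}  ${label}`);
}
```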
    Attached Files:
    There are no notes attached to this issue.


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    320 [Main CAcert Website] website content tweak always 2006-08-30 03:57 2016-02-11 23:35
    Reporter: Sourcerer Platform:  
    Assigned To: felixd OS:  
    Priority: normal OS Version:  
    Status: fix available Product Version: 2006  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by:
    Test Instructions:
    Summary: Stop abusing $_REQUEST (and other special arrays)
    Description: includes/account.php line1918 (the if($id==36) block)
    reads the data from the database, and stores the data in the
    PHP global array $_REQUEST:

    $_REQUEST['general'] = $row['general'];

    so that it can later be read from the $_REQUEST array in the pages/account/36.php:
    <? if($_REQUEST['general']) echo " checked";

    This is an abuse of the $_REQUEST array, which might break in newer versions of PHP. (eg. it might not be writeable in the future anymore)
    Tags:
    Steps To Reproduce:
    Additional Information:
    Attached Files:
    Notes
    (0004833)
    felixd   
    2014-06-15 09:23   
    (Last edited: 2014-06-17 13:30)
    A command similar to:

    grep -r --color=auto "\$_\(REQUEST\|POST\|GET\)\(\[[^]]\+\]\)\+ \?= \?[^=]" pages www includes

    might help to determine the locations.

    (0004845)
    felixd   
    2014-06-17 14:30   
    I pushed some patches (mainly the small files except includes/account.php)
    that stop writing to one of these variables here:

    https://github.com/yellowant/cacert-devel/tree/bug-320


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1410 [CATS.cacert.org] User Interface minor always 2015-12-20 13:49 2015-12-20 13:49
    Reporter: alkas Platform: ASUS PC  
    Assigned To: OS: Windows 8  
    Priority: normal OS Version: 8.0  
    Status: new Product Version: production  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Summary: Not the exact text in "Server Certificates" - "View"
    Description: You can read "Domain certificates" in the main part of the window. It should be "Domain and Server Certificates", I suppose. The text "Domain and Server Certificates" does exist in the Pootle English and translated texts! See the attachment, too.
    Tags:
    Steps To Reproduce: After login to your account at CAcert, open "Server certificates" - "View" from the menu, then observe the heading of the main part of the window.
    Additional Information:
    System Description Production version of the CAcert website
    Attached Files: ServerCertsTextError.gif (115,295 bytes) 2015-12-20 13:49
    http://bugs.cacert.org/file_download.php?file_id=413&type=bug
    There are no notes attached to this issue.


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1409 [CATS.cacert.org] User Interface text always 2015-12-19 23:33 2015-12-20 13:28
    Reporter: alkas Platform: ASUS PC  
    Assigned To: OS: Windows 8  
    Priority: normal OS Version: 8.0  
    Status: new Product Version: production  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Summary: An improper text which can baffle users
    Description: If you want to get a new client certificate, the text on the web page related reads "SSL server certificate". See the attachment.
    This improper text is seen in both Czech and English, probably also in other languages.
    This text has possible legal impact!
    Tags:
    Steps To Reproduce: Log in to www.cacert.org to your account. Select from right menu "Client Certificates", "New". Look to the left part of the window.
    Additional Information:
    System Description Production version of the CAcert website
    Attached Files: NewClientCertTextError.gif (118,453 bytes) 2015-12-19 23:33
    http://bugs.cacert.org/file_download.php?file_id=412&type=bug
    There are no notes attached to this issue.


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1372 [Main CAcert Website] website content tweak always 2015-02-08 18:08 2015-12-19 11:40
    Reporter: StefanT Platform: Windows  
    Assigned To: OS: Windows  
    Priority: normal OS Version: 8, 8.1, 2012, R2  
    Status: new Product Version: 2015 Q1  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by:
    Test Instructions: Control the Certificate Store with MMC
    Summary: Windows Installer not working
    Description: The Windows Installer-EXE is unable to install the CAcert Public Roots to the Certificate Store on Windows 8/10 Architecture.
    Tags:
    Steps To Reproduce: Run the EXE File on Windows 8 and check the Certificate Stores.
    Additional Information:
    System Description Production version of the CAcert website
    Attached Files:
    There are no notes attached to this issue.


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1408 [Main CAcert Website] misc feature N/A 2015-12-12 17:19 2015-12-12 17:20
    Reporter: INOPIAE Platform:  
    Assigned To: OS:  
    Priority: normal OS Version:  
    Status: new Product Version: 2015 Q4  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version: 2015 Q4  
    Reviewed by:
    Test Instructions:
    Summary: API to return the Assurer Status to be used from CAcert systems
    Description: The API should be used from internal CAcert systems to verify if a user that identifies himself with a CAcert certificate is an assurer.
    Tags:
    Steps To Reproduce:
    Additional Information: first implementation could be cacert.eu portal
    Attached Files:
    There are no notes attached to this issue.


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1295 [Main CAcert Website] source code major always 2014-08-04 14:42 2015-12-12 17:20
    Reporter: wytze Platform: Default  
    Assigned To: BenBE OS: any  
    Priority: normal OS Version: any  
    Status: fix available Product Version: 2014 Q2  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version: 2014 Q4  
    Reviewed by:
    Test Instructions:
    Summary: fix_assurer_flag() function in includes/lib/account.php causes mysql 5.5 server warnings
    Description: Each invocation of the fix_assurer_flag() function in includes/lib/account.php causes the mysql 5.5 server to log a warning like this:

    Jun 23 20:09:52 webdb mysqld: 140623 20:09:52 [Warning] Unsafe statement written to the binary log using statement format since BINLOG_FORMAT = STATEMENT. Statements writing to a table with an auto-increment column after selecting from another table are unsafe because the order in which rows are retrieved determines what (if any) rows will be written. This order cannot be predicted and may differ on master and the slave. Statement: UPDATE `users` AS `u` SET `assurer` = 1
    Jun 23 20:09:52 webdb mysqld: WHERE `u`.`id` = 'XXXXXX'
    Jun 23 20:09:52 webdb mysqld: AND EXISTS(
    Jun 23 20:09:52 webdb mysqld: SELECT 1 FROM `cats_passed` AS `cp`, `cats_variant` AS `cv`
    Jun 23 20:09:52 webdb mysqld: WHERE `cp`.`variant_id` = `cv`.`id`
    Jun 23 20:09:52 webdb mysqld: AND `cv`.`type_id` = 1
    Jun 23 20:09:52 webdb mysqld: AND `cp`.`user_id` = `u`.`id`
    Jun 23 20:09:52 webdb mysqld: )
    Jun 23 20:09:52 webdb mysqld: AND (
    Jun 23 20:09:52 webdb mysqld: SELECT SUM(`points`) FROM `notary` AS `n`
    Jun 23 20:09:52 webdb mysqld: WHERE `n`.`to` = `u`.`id`
    Jun 23 20:09:52 webdb mysqld: AND (`n`.`expire` > now()
    Jun 23 20:09:52 webdb mysqld: OR `n`.`expire` IS NULL)
    Jun 23 20:09:52 webdb mysqld: AND `n`.`deleted` = 0
    Jun 23 20:09:52 webdb mysqld: ) >= 100
    Tags:
    Steps To Reproduce: fix_assurer_flag() is called from several places in the application, pick any.
    Additional Information:
    System Description Default profile.
    Attached Files:
    Notes
    (0004913)
    INOPIAE   
    2014-08-05 20:54   
    (Last edited: 2014-08-05 20:55)
    Can you provide some information about the mysql server setup or point to the documentation in the wiki?
    The main question is whether the mysql server is replicated or not and, if it is replicated, what the setting of binlog_format is.

    (0004918)
    wytze   
    2014-08-06 09:16   
    The mysql server is *not* replicated.
    Binlogging is enabled with these statements in /etc/mysql/my.cnf:

    log_bin = /var/log/mysql/mysql-bin.log
    expire_logs_days = 0
    max_binlog_size = 100M

    It may be helpful to know that the cacert[12] test servers are using exactly the same setup, except for the setting of expire_log_days (10 on the test servers).
    Identical mysql server warnings can be observed on these test servers.
    (0004919)
    wytze   
    2014-08-06 09:25   
    Perhaps it is sufficient to add:

    binlog_format = mixed

    to the configuration, but a review of such a change by a knowledgeable mysql person would be appreciated.
    (0005116)
    INOPIAE   
    2014-11-22 14:31   
    I pushed a fix to https://github.com/INOPIAE/CAcert/commit/660c548b541f45a48d1268f74f868d4d19c27f5d


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    649 [Main CAcert Website] web of trust feature always 2008-10-18 09:39 2015-12-12 17:19
    Reporter: iang Platform:  
    Assigned To: Eva OS:  
    Priority: normal OS Version:  
    Status: needs review & testing Product Version: 2008  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version: 2015 Q2  
    Reviewed by:
    Test Instructions: see note (0005284)
    Summary: verify that someone is an Assurer
    Description: There needs to be a way for the Member to verify that someone is an Assurer.

    For an online system mechanism, it could be any of these variations to get confirmation:

    1. type in an exact name.
    2. type in an email address.
    3. type in a code word selected by the Assurer.
    4. send an email to a given address (might need additional control on/off as could be done by anyone).
    5. some non-online mechanism such as business cards or security cards.

    When the method is used, a confirmation of status should be shown: Member, Assured, Assurer. Optionally other information could be added, under control of the Assurer.
    Tags:
    Steps To Reproduce:
    Additional Information: DRAFT AP says "A Member may check the status of another Member, especially for an assurance process. Status may be implied from information in a certificate. The number of Assurance Points for each Member is not published." (as of today, it might change as it is still in DRAFT.) http://svn.cacert.org/CAcert/Policies/AssurancePolicy.html#2.3

    Member checking Assurer's status is necessary to establish the authority of the Assurance, to establish the mutuality and equality of the process, and to combat a potential identity theft. E.g., at some point, CAcert becomes valuable ("crosses GP") and becomes attacked for its value. One attack is to pretend to be an Assurer and ask people for their identity information.

    Members should be taught to check the Assurer's status.
    Attached Files:
    Notes
    (0004532)
    INOPIAE   
    2014-01-21 10:23   
    Suggestion for Is Assurer Check:

    A new page with a text box for the primary email address of a potential Assurer.
    A drop-down box with the reason why the information is needed e.g. Assurance, Event Preparation, Arbitration, CARS check, Organisation Assurance.

    Once the form is sent the result is not displayed on the screen. It is sent to the requestor and the assurer via mail. The screen only shows the information that the mail was sent.

    Mail to requestor:

    Dear xxxx,

    you requested an Assurer check for the primary email address x@y.z for DROPDOWN info.
    The account linked to this email address currently has / has not Assurer Status.

    BR

    Mail to Assurer:

    Dear xxxx,

    your Assurer Status was requested by REQUESTER NAME, primary email address x@y.z for DROPDOWN info.

    BR
    (0004596)
    INOPIAE   
    2014-02-22 19:39   
    I pushed a fix to https://github.com/INOPIAE/CAcert/tree/bug-649.

    For testing:
    Try to get the assurer status of an assurer, a non assurer and one email that is not listed in the testserver.
    (0004610)
    BenBE   
    2014-02-25 22:36   
    in notary.inc.php for function get_user_id_from_mail:

    1. we should be consistent on email vs. mail

    2. trim should be the inner function call, thus trim first and then escape for the database.

    In pages/wot/16.php:
    3. The font tag is deprecated. Use span or div instead and possibly create a proper CSS class for it (or reuse an existing one).

    4. Do proper indentation of the HTML in the file so the source doesn't look too messy. Names of tags should be lowercase (e.g. script at the bottom).

    In www/wot.php:
    5. Why do we need sprintf on a translation without format string parameters?

    6. Indentation for the notification on the web page doesn't need to be that far to the right.

    Not OK.
    (0004640)
    INOPIAE   
    2014-03-15 13:10   
    (Last edited: 2014-03-15 13:11)
    I pushed a new fix to https://github.com/INOPIAE/CAcert/tree/bug-649
    The font tag is handled in a separate bug

    (0004795)
    Benedikt   
    2014-06-05 21:51   
    Dear Software Team, is there any progress on this bug?
    (0004804)
    INOPIAE   
    2014-06-07 20:20   
    I pushed a new fix to https://github.com/INOPIAE/CAcert/tree/bug-649
    (0005279)
    Eva   
    2015-01-26 05:44   
    There was a dispute filed by BenBE and INOPIAE to check if this bug is allowed.
    (0005283)
    INOPIAE   
    2015-01-28 09:06   
    I pushed a new fix to adjust the adminlog table
    https://github.com/INOPIAE/CAcert/commit/c0f2cae1ef3a2c4cbcfaeb6fd403a7255916c07b
    (0005284)
    INOPIAE   
    2015-01-28 09:25   
    (Last edited: 2015-03-03 20:18)
    Test instructions:
    try to get the assurer status of at least 6 accounts
    Check the mail box of the accounts if a mail arrived
    If you check the sixth account within 1 hour you should get a message that you are not allowed to proceed for the next hour.
    no mail should be sent now
    Try the account again after 1 hour
    Now it should work again

    (0005296)
    Ted   
    2015-01-28 16:30   
    Did some tests from account ted@convey.de (Admin account), all checks within one hour, all mail addresses are @convey.de:

    123, Is Assurer, Mail checked, OK
    ted, Is Assurer, Mail checked, OK (this was my own account)
    switch2, No Assurer, Mail checked, OK
    switch1, No Assurer, failed see below
    deleted2, No Assurer, Mail checked, Probably OK
    to_be_deleted2, Not found, OK, but shouldn't there be a limit of 5 checks?
    deleted2, No Assurer, probably ok (repeated check)
    to_be_deleted, No Assurer, OK but limit?
    froehlich, Not found, OK is an additional address
    deleted3, No Assurer, Failed account is deleted!


    More details:

    switch1 is an address that initially belonged to the account which is now switch2. If I request the status of switch1 the mail shows up in both Test Manager accounts, with target address switch1.
    This may be a bug in the Test Manager, but it's a bit strange nevertheless...

    Account deleted3 is reported as "No Assurer", but the account is deleted, so it should be reported as "Not found".

    I guess it's intentional that only the primary mail address for an account is found.

    deleted2 is a special account which should not occur in the production database since the USERS record is not marked as deleted but the corresponding EMAIL record is. I guess it's acceptable if the lookup finds such an account.

    The limit did not cut in, maybe because I tested with an Admin-Account?
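    An added example (not CAcert code) of the check as the notes above describe it: lookup by primary address only, "Not found" for deleted accounts, the result delivered by mail rather than on screen, and a limit of five requests per hour per requester as in the test instructions of note 0005284. The tables, names and the mail wording for the "Not found" case are constructed assumptions.

```javascript
// Added example, not CAcert code: the "Is Assurer" check as described in notes 0004532,
// 0005284 and 0005296, over constructed in-memory tables. Assumptions: users.primaryEmail
// stands in for the primary address column, the adminlog table stores one row per accepted
// request, and the limit is 5 requests per requester in a sliding hour.

const REQUESTS_PER_HOUR = 5;
const HOUR_MS = 60 * 60 * 1000;

// Constructed sample data (not real accounts).
function sampleDb() {
  return {
    users: [
      { id: 1, fname: 'Alice', lname: 'Example',   primaryEmail: 'alice@example.invalid', assurer: 1, deleted: 0 },
      { id: 2, fname: 'Bob',   lname: 'Example',   primaryEmail: 'bob@example.invalid',   assurer: 0, deleted: 0 },
      { id: 3, fname: 'Carol', lname: 'Example',   primaryEmail: 'carol@example.invalid', assurer: 1, deleted: 1 },
      { id: 9, fname: 'Rita',  lname: 'Requester', primaryEmail: 'rita@example.invalid',  assurer: 1, deleted: 0 },
    ],
    // secondary addresses live in the email table; the check deliberately ignores them
    email: [{ memberid: 1, email: 'alice.work@example.invalid', deleted: 0 }],
    adminlog: [],
  };
}

// Status of the account whose *primary* address is `email`. Deleted accounts are reported
// as "Not found" (the behaviour note 0005296 asks for), never as "No Assurer".
function lookupStatus(db, email) {
  const addr = email.trim().toLowerCase();
  const user = db.users.find(u => u.deleted === 0 && u.primaryEmail.toLowerCase() === addr);
  if (!user) return { status: 'Not found', user: null };
  return { status: user.assurer ? 'Is Assurer' : 'No Assurer', user };
}

function requestsInLastHour(db, requesterId, now) {
  return db.adminlog.filter(r => r.requesterId === requesterId && now - r.when < HOUR_MS).length;
}

// Handles one form submission. The result is never returned for display: it goes into the
// mails, and the screen text only confirms that mail was sent (or that the limit applies).
function assurerCheck(db, requesterId, email, reason, now) {
  if (requestsInLastHour(db, requesterId, now) >= REQUESTS_PER_HOUR) {
    return { accepted: false, screen: 'You are not allowed to proceed for the next hour.', mails: [] };
  }
  const requester = db.users.find(u => u.id === requesterId && u.deleted === 0);
  if (!requester) throw new Error('requester must be a logged-in, existing account');
  const { status, user } = lookupStatus(db, email);
  db.adminlog.push({ requesterId, email, reason, when: now });   // every accepted request is logged

  const statusLine = {
    'Is Assurer': 'The account linked to this email address currently has Assurer Status.',
    'No Assurer': 'The account linked to this email address currently has not Assurer Status.',
    'Not found':  'No account with this primary email address was found.',   // wording assumed
  }[status];
  const mails = [{
    to: requester.primaryEmail,
    body: `Dear ${requester.fname} ${requester.lname},\n\nyou requested an Assurer check for the primary email address ${email} for ${reason}.\n${statusLine}\n\nBR`,
  }];
  if (user) {   // the person checked is told who asked, as the proposal requires
    mails.push({
      to: user.primaryEmail,
      body: `Dear ${user.fname} ${user.lname},\n\nyour Assurer Status was requested by ${requester.fname} ${requester.lname}, primary email address ${email} for ${reason}.\n\nBR`,
    });
  }
  return { accepted: true, screen: 'The mail was sent.', mails };
}

// Replays the test instructions of note 0005284: six checks within one hour, then one more
// after the hour has passed. Returns the `accepted` flag of each attempt (constructed clock).
function replayRateLimitTest() {
  const db = sampleDb();
  const t0 = Date.UTC(2015, 0, 28, 9, 25);
  const results = [];
  for (let i = 0; i < 6; i++) {
    results.push(assurerCheck(db, 9, 'bob@example.invalid', 'Assurance', t0 + i * 60 * 1000).accepted);
  }
  results.push(assurerCheck(db, 9, 'bob@example.invalid', 'Assurance', t0 + HOUR_MS + 6 * 60 * 1000).accepted);
  return results;   // [true, true, true, true, true, false, true]
}
```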
    (0005297)
    Ted   
    2015-01-28 16:42   
    Another test with switch2 and switch1, now switch2 is Assurer, switch1 is not.

    Checking correctly returns the status of both accounts.
    (0005299)
    Eva   
    2015-02-03 19:55   
    Is there any limit how many requests one can send?
    Is there a way to opt out?
    Also I do not see the Arbitration reason. The bigger problem for Arbitration is to figure out the primary address, to begin with. In most cases this is not known to Arbitration. As to be able to test the assurance status the Arbitrator would first need to ask support for this. As there would be a need to ask support, anyway, any needed information - this could exclude the primary address - could be provided by support to Arbitration.

    Also anybody could state to just ask for an arbitration reason. IF this would be implemented, it should only be possible for members of the arbitration team, as this could be misused anyway. Currently the software does not have a flag for a member of the assurance team


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1407 [CATS.cacert.org] Result Upload minor have not tried 2015-12-04 22:06 2015-12-05 01:14
    Reporter: Ted Platform:  
    Assigned To: Ted OS:  
    Priority: normal OS Version:  
    Status: needs review & testing Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Summary: Result upload should support new testserver and privacy tests
    Description: The new testserver configuration requires the Result Upload to support SNI.

    Also, the new topic type "Data Privacy Quiz" should be supported.
    Tags:
    Steps To Reproduce:
    Additional Information:
    Attached Files:
    Notes
    (0005489)
    Ted   
    2015-12-04 23:53   
    Changes proposed by felixd, plus some cosmetic changes, checked in to branch bug-1407 and merged into testserver branch.

    Automatic upload should now be active on the testserver (every 5 minutes).

    Additional tests and reviews would be nice, but since we're not under SM this is considered optional.
    (0005490)
    BenBE   
    2015-12-05 01:14   
    As I suggested the two hunks (for the SNI support and the SQL change) I'm fine with both of them.

    For your my_dir function I'd suggest using the dirname function instead, cf. http://stackoverflow.com/a/3455972

    In the SQL statement beware that the additional "4" will have to match the type ID assigned to the Data Privacy category. Please verify if 4 is really the correct category ID (on the CATS).

    Also, but this is separate from the functional stuff, I'd be glad if we could avoid trailing whitespace at the end of lines. No biggie, but always looks kinda wrong when having a look at the diff in Git.


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1403 [CATS.cacert.org] Content (Questions and Answers) feature N/A 2015-10-11 20:45 2015-12-03 08:41
    Reporter: Benedikt Platform: Default  
    Assigned To: Benedikt OS: any  
    Priority: normal OS Version: any  
    Status: needs work Product Version: production  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Summary: Add additional CATS tests for Data Privacy (Test & Prod)
    Description: Out of Incidents i20140814.1 and i20140625.1, a data privacy CATS should be added binding for all people within CAcert handling personal data and voluntary for assurers. To divide the different needs for data privacy by different roles, following CATS tests are recommended:

    1) general data privacy CATS test
    2) special data privacy CATS test for Triage and Support Engineers
    3) special data privacy CATS test for Infrastructure Admins
    4) special data privacy CATS test Arbitrators and Case Managers

    Since we cannot identify a person's role by his/her certificate, the CATS should be freely available for everyone.

    The CATS should be available in Test & Prod system.

    Tags:
    Steps To Reproduce:
    Additional Information: The questions and answers can be provided by myself, if you grant me the rights needed. The public key of the certificate is attached.
    System Description Default profile.
    Attached Files: benedikt.pem (2,050 bytes) 2015-10-11 20:51
    http://bugs.cacert.org/file_download.php?file_id=410&type=bug
    Notes
    (0005465)
    Ted   
    2015-10-12 20:07   
    Benedikt,

    you should now be able to log in to the development CATS (https://cats1.it-sls.de:14843/index.php) using the attached certificate. If you are not, please tell me, this is the first time I tried to add someone manually.

    Your account has admin rights, so you are able to create new questions/answers. The four tests you proposed are already created but still waiting for questions.

    So far for the development system. Before I transfer any tests from the development system to the productive system there should be a written procedure (in the WiKi?) defining how a proposed test is to be reviewed, or otherwise verified to be acceptable.
    (0005466)
    Benedikt   
    2015-10-12 20:19   
    (Last edited: 2015-10-12 20:19)
    Hey Ted,

    Access to the CATS Test Server's Admin Panel works and I can add Questions.

    Once done, we should discuss the review & transfer procedure with Software.

    (0005467)
    BenBE   
    2015-10-13 19:39   
    Installed on Test Server as:

    INSERT INTO cats_type (id, type_text) VALUES (2, 'Data Privacy Quiz');
    
    INSERT INTO cats_variant (type_id, test_text) VALUES(2, 'Data Privacy Quiz (generic)');
    INSERT INTO cats_variant (type_id, test_text) VALUES(2, 'Data Privacy Quiz (Triage and Support)');
    INSERT INTO cats_variant (type_id, test_text) VALUES(2, 'Data Privacy Quiz (Infrastructure Admins)');
    INSERT INTO cats_variant (type_id, test_text) VALUES(2, 'Data Privacy Quiz (Arbitrators and Case Managers)');
    
    (0005488)
    felixd   
    2015-12-03 08:32   
    (Last edited: 2015-12-03 08:41)
    Benny and I fixed the testserver-CATS-system.

    We found out that the changes of #0005467 are not needed as the import script automatically creates those entries.

    There needs to be an adjustment to "UploadResults.pl". Changing the set of to-be-transferred CATS categories, to include the new CATS category.



    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1149 [CATS.cacert.org] User Interface minor always 2013-03-03 22:15 2015-11-04 20:54
    Reporter: Ted Platform:  
    Assigned To: Ted OS:  
    Priority: normal OS Version:  
    Status: needs review Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Summary: CATS accepts server certificates for login
    Description: If someone imports a server certificate into the browser it is possible to use this certificate to log in to CATS.

    Though this is not a real bad problem it leads to problems when uploading the results to the main CAcert database. Since the import interface (cats_import.php) only checks the table for client certificates (EMAILCERTS) it cannot find server certificates and therefore reports an error.

    From the logic behind the system CATS expects a certificate to identify a person, not a server, so the most consistent way to fix this bug is to refuse login for server certificates.
    Tags:
    Steps To Reproduce:
    Additional Information:
    Attached Files: test.p12 (3,070 bytes) 2015-11-01 15:22
    http://bugs.cacert.org/file_download.php?file_id=411&type=bug
    Notes
    (0003786)
    Ted   
    2013-03-03 22:19   
    (Last edited: 2013-03-03 22:19)
    A certificate is defined as a client certificate if it contains an "Email" field in the CN.

    AFAIK all CAcert client certificates either include one of the verified email addresses or the "Single Sign On ID Information" in the Email field.

    (0003787)
    Ted   
    2013-03-03 23:30   
    Created branch bug-1149 on https://github.com/CAcertOrg/cats.git
    (0005473)
    Ted   
    2015-10-18 14:30   
    Merged the branch into testserver branch
    (0005480)
    Ted   
    2015-11-01 15:21   
    Tested with this procedure:

    - Create key and CSR with: openssl req -newkey rsa:2048 -keyout test.key -subj "/CN=dummy.convey-ag.de" -out test.csr
    - Created certificate with testserver, stored into test.crt
    - Created importable PKCS12 file with: openssl pkcs12 -export -out test.p12 -inkey test.key -in test.crt -name "Test Certificate for CAcert bug-1149"

    - Firefox 41.0.2 refused to import the certificate with unspecific error message

    - Importing into Windows Certificate Storage:
      - open MMC.EXE and add plugin "Certificates" for current user
      - Goto "Own Certificates" and use right click -> All Tasks... -> Import
      - Import the test.p12 file
      - "dummy.convey-ag.de" certificate shows in "Own Certificates -> Certificates"
    - Open Internet Explorer for https://cats1.it-sls.de:14843
    - When asked by Internet Explorer, select the imported certificate ("Test Certificate for CAcert bug-1149") for authentication
    - Click "Login"

    ==> Error message is shown:

    Your certificate does not contain an Email field, you are probably using a server certificate.
    Server certificates cannot be used to log in to CATS since they do not identify a person.

    ==> Correct behaviour for this kind of certificates.

    Please test also with your own browser. I added the test.p12 file (password for import is "test"), just in case you don't have the time to create your own certificate...
    (0005481)
    Ted   
    2015-11-01 15:35   
    Login works with my "usual" client certificate. Additional tests needed for other types of allowed certificates:

    - "Anonymous" certificates
    - Certificates with only Single Sign On ID
    - Certificate with multiple emails
    (0005482)
    INOPIAE   
    2015-11-03 20:36   
    I tested with a newly created server certificate from the test server which I imported via mmc to the Windows trust store.
    With Chrome I was able to connect to the cats1 but this error message is shown:
    Your certificate does not contain an Email field, you are probably using a server certificate.
    Server certificates cannot be used to log in to CATS since they do not identify a person.
    => ok
    With a client certificate the login worked perfectly.
    =>ok

    =>ok
    (0005483)
    MartinGummi   
    2015-11-03 21:38   
    Using Ted's openssl commands

    - Create key and CSR
    - Created certificate with testserver
    - Created importable PKCS12 file
    - Import to Iceweasel 41.0.2
    - Open Iceweasel 41.0.2 for https://cats1.it-sls.de:14843
    - When asked by Iceweasel, select the imported certificate ("Test Certificate for CAcert bug-1149") for authentication
    - Click "Login"

    ==>Show Error
    Your certificate does not contain an Email field, you are probably using a server certificate.
    Server certificates cannot be used to log in to CATS since they do not identify a person.

    =>OK
    With a client certificate with email Address, login worked perfectly.
    =>OK

    OK
    (0005484)
    StefanT   
    2015-11-04 20:49   
    -Using user paul.panter@pink.org at testsystem
    -Created Server certificate for www.looney.org
    -Imported certificate into user-certificate-store
    -Started EDGE
    -Start https://cats1.it-sls.de:14843/
    -Site was displayed => OK

    => Only client certificates were listed for auth selection. => OK

    Login with client certificate was possible without errors => OK
    (0005485)
    StefanT   
    2015-11-04 20:54   
    -Using user paul.panter@pink.org at testsystem
    -Created Server certificate for www.looney.org
    -Started Firefox
    -Imported certificate into firefox 42
    -Start https://cats1.it-sls.de:14843/
    -Site was displayed => OK

    => Your certificate does not contain an Email field, you are probably using a server certificate.
    Server certificates cannot be used to log in to CATS since they do not identify a person. => OK

    Login with client certificate was possible without errors => OK
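
    The classification that the bug-1149 fix applies at login, as an added example in Python (not CATS code, not the project's own implementation). The fix refuses certificates that carry no Email field, because such a certificate identifies a host and not a person. The script below reproduces that decision from outside the application: it shells out to the openssl binary (assumed to be on PATH, as in Ted's test procedure), builds throw-away self-signed certificates that mirror the test above (a CN-only server certificate versus certificates with an email address) and inspects each one. Besides the subject-DN emailAddress that CATS checks, it also accepts an rfc822Name entry in subjectAltName, which is where modern client certificates usually carry the address; that extension is this example's own choice, and all hostnames, addresses and function names are constructed.

```python
"""Added example (not CATS code): tell a client certificate from a server certificate.

Mirrors the bug-1149 check: a certificate without an email address identifies a
host, not a person, and must not be accepted for a personal login. Uses the
``openssl`` binary (assumed on PATH); all names below are constructed test data.
"""
import os
import subprocess
import tempfile
from typing import Dict, Optional

SERVER_CERT_MESSAGE = (
    "Your certificate does not contain an Email field, you are probably using "
    "a server certificate. Server certificates cannot be used to log in to "
    "CATS since they do not identify a person."
)


def _openssl(*args: str) -> str:
    """Run openssl with the given arguments and return its stdout as text."""
    proc = subprocess.run(["openssl", *args], capture_output=True, check=True)
    return proc.stdout.decode("utf-8", errors="replace")


def make_self_signed(path: str, cn: str, dn_email: Optional[str] = None,
                     san_email: Optional[str] = None) -> None:
    """Write a one-day self-signed certificate to ``path`` (test data only).

    ``dn_email`` goes into the subject DN as emailAddress (the field CATS looks
    at); ``san_email`` goes into subjectAltName as an rfc822Name entry.
    """
    cfg = ["[req]", "distinguished_name = dn", "prompt = no",
           "x509_extensions = ext", "[dn]", f"CN = {cn}"]
    if dn_email:
        cfg.append(f"emailAddress = {dn_email}")
    cfg += ["[ext]", "basicConstraints = CA:FALSE"]
    if san_email:
        cfg.append(f"subjectAltName = email:{san_email}")
    with open(path + ".cnf", "w") as f:
        f.write("\n".join(cfg) + "\n")
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
             "-config", path + ".cnf", "-keyout", path + ".key", "-out", path)


def classify(cert_path: str) -> Dict[str, bool]:
    """Report where (if anywhere) the certificate names an email address."""
    subject = _openssl("x509", "-in", cert_path, "-noout", "-subject")
    text = _openssl("x509", "-in", cert_path, "-noout", "-text")
    dn_email = "emailAddress" in subject
    # SAN entries are printed on one indented line such as "email:a@b, DNS:host".
    san_email = any(item.strip().startswith("email:")
                    for line in text.splitlines() for item in line.split(","))
    return {"dn_email": dn_email, "san_email": san_email,
            "is_client": dn_email or san_email}


def login_check(cert_path: str) -> str:
    """Return "accepted" or the CATS refusal text quoted in the bug notes."""
    return "accepted" if classify(cert_path)["is_client"] else SERVER_CERT_MESSAGE


def demo() -> Dict[str, str]:
    """Build three constructed test certificates and run the login check on each."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        cases = {
            "server": dict(cn="dummy.example.test"),  # CN only, like test.p12 above
            "client_dn": dict(cn="Test User", dn_email="user@example.test"),
            "client_san": dict(cn="Test User", san_email="user@example.test"),
        }
        for name, kwargs in cases.items():
            path = os.path.join(tmp, name + ".crt")
            make_self_signed(path, **kwargs)
            results[name] = login_check(path)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

    Running the script prints one verdict per certificate; the CN-only certificate gets the refusal text from the notes above, the two certificates carrying an address are accepted. The check deliberately works on the parsed certificate and not on the friendly name the user gave at import, since that name is under the importer's control.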


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1393 [Main CAcert Website] my account minor have not tried 2015-07-28 15:29 2015-10-24 16:31
    Reporter: INOPIAE Platform:  
    Assigned To: felixd OS:  
    Priority: normal OS Version:  
    Status: needs review & testing Product Version: 2015 Q3  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version: 2015 Q3  
    Reviewed by: BenBE
    Test Instructions: Try to ping a domain that is not reachable for an email ping or cause other issues. Test that the success case gives no transcript.
    Summary: Provide transcript for email ping (on error)
    Description: If the email ping is not successful, give the user a better information why it did not work.
    Tags:
    Steps To Reproduce:
    Additional Information:
    Attached Files:
    Notes
    (0005439)
    felixd   
    2015-07-28 19:55   
    A patch is here:

    https://github.com/yellowant/cacert-devel/tree/bug-1393
    (0005455)
    INOPIAE   
    2015-08-25 20:11   
    (Last edited: 2015-08-25 20:33)
    I tried to create a new account with an email address with a non existing domain:
    I get the following error message:
    Processing email address:
    - Domain Name: xxxxxx.eu
    - Mailbox Name: m
    Determining MX records for mail delivery:
    - DNS lookup for MX records failed
    - Defaulting to MX = 'xxxxxx.eu' at priority 0
    Building priority queue for test of servers:
    - Will test server id 0 at host 'xxxxxx.eu' with priority 0

    Starting test for id 0 for host 'xxxxxx.eu'
    - Trying to connect to 'tcp://xxxxxx.eu:25' ... FAILED
    - Connection failed with code 0: php_network_getaddresses: getaddrinfo failed: Name or service not known
    None of the email servers could be reached

    => ok

    I tried to add an email address with a non existing domain to an existing account:
    I get the following error message:
    Processing email address:
    - Domain Name: xxxxxx.eu
    - Mailbox Name: m
    Determining MX records for mail delivery:
    - DNS lookup for MX records failed
    - Defaulting to MX = 'xxxxxx.eu' at priority 0
    Building priority queue for test of servers:
    - Will test server id 0 at host 'xxxxxx.eu' with priority 0

    Starting test for id 0 for host 'xxxxxx.eu'
    - Trying to connect to 'tcp://xxxxxx.eu:25' ... FAILED
    - Connection failed with code 0: php_network_getaddresses: getaddrinfo failed: Name or service not known
    None of the email servers could be reached

    => ok

    I tried to add a non-existing domain to an existing account:
    I get the following error message when trying to select one of the suggested mail addresses:
    Processing email address:
    - Domain Name: xxxxxx.eu
    - Mailbox Name: m
    Determining MX records for mail delivery:
    - DNS lookup for MX records failed
    - Defaulting to MX = 'xxxxxx.eu' at priority 0
    Building priority queue for test of servers:
    - Will test server id 0 at host 'xxxxxx.eu' with priority 0

    Starting test for id 0 for host 'xxxxxx.eu'
    - Trying to connect to 'tcp://xxxxxx.eu:25' ... FAILED
    - Connection failed with code 0: php_network_getaddresses: getaddrinfo failed: Name or service not known
    None of the email servers could be reached

    => ok

    adding an email address with an existing domain works without error message.
    => ok

    => ok

    (0005479)
    GuKKDevel   
    2015-10-22 15:52   
    (Last edited: 2015-10-24 16:31)
    1. tried to create an account

    1.1 with nonexisting TLD

    Email Address given was invalid, or a test connection couldn't be made to your server, or the server rejected the email address as invalid

    Processing email address:
    - Domain Name: plofre.tramp
    - Mailbox Name: Gucky
    Determining MX records for mail delivery:
    - DNS lookup for MX records failed
    - Defaulting to MX = 'plofre.tramp' at priority 0
    Building priority queue for test of servers:
    - Will test server id 0 at host 'plofre.tramp' with priority 0

    Starting test for id 0 for host 'plofre.tramp'
    - Trying to connect to 'tcp://plofre.tramp:25' ... FAILED
    - Connection failed with code 0: php_network_getaddresses: getaddrinfo failed: Name or service not known
    None of the email servers could be reached

    ==> OK


    1.2 with nonexisting Domain

    Email Address given was invalid, or a test connection couldn't be made to your server, or the server rejected the email address as invalid

    Processing email address:
    - Domain Name: plofre.eu
    - Mailbox Name: Gucky
    Determining MX records for mail delivery:
    - DNS lookup for MX records failed
    - Defaulting to MX = 'plofre.eu' at priority 0
    Building priority queue for test of servers:
    - Will test server id 0 at host 'plofre.eu' with priority 0

    Starting test for id 0 for host 'plofre.eu'
    - Trying to connect to 'tcp://plofre.eu:25' ... FAILED
    - Connection failed with code 0: php_network_getaddresses: getaddrinfo failed: Name or service not known
    None of the email servers could be reached

    ==> OK


    1.3 with nonexisting Subdomain

    Email Address given was invalid, or a test connection couldn't be made to your server, or the server rejected the email address as invalid

    Processing email address:
    - Domain Name: plofre.cacert.org
    - Mailbox Name: Gucky
    Determining MX records for mail delivery:
    - DNS lookup for MX records failed
    - Defaulting to MX = 'plofre.cacert.org' at priority 0
    Building priority queue for test of servers:
    - Will test server id 0 at host 'plofre.cacert.org' with priority 0

    Starting test for id 0 for host 'plofre.cacert.org'
    - Trying to connect to 'tcp://plofre.cacert.org:25' ... FAILED
    - Connection failed with code 0: php_network_getaddresses: getaddrinfo failed: Name or service not known
    None of the email servers could be reached

    ==> OK


    1.4 with nonexisting Emailaccount gucky@cacert.org

    Your information has been submitted into our system. You will now be sent an email with a web link,
    you need to open that link in your web browser within 24 hours or your information will be removed from our system!

    ==> OK


    2. add address to assurer-account

    2.1 with nonexisting TLD

    The email address given was invalid, or a test connection to your server could not be established, or your server rejected your email address as invalid.

    Processing email address:
    - Domain Name: Plofre.Tramp
    - Mailbox Name: Gucky
    Determining MX records for mail delivery:
    - DNS lookup for MX records failed
    - Defaulting to MX = 'Plofre.Tramp' at priority 0
    Building priority queue for test of servers:
    - Will test server id 0 at host 'Plofre.Tramp' with priority 0

    Starting test for id 0 for host 'Plofre.Tramp'
    - Trying to connect to 'tcp://Plofre.Tramp:25' ... FAILED
    - Connection failed with code 0: php_network_getaddresses: getaddrinfo failed: Name or service not known
    None of the email servers could be reached

    ==> OK


    2.2 with nonexisting Domain

    The email address given was invalid, or a test connection to your server could not be established, or your server rejected your email address as invalid.

    Processing email address:
    - Domain Name: plofre.eu
    - Mailbox Name: Gucky
    Determining MX records for mail delivery:
    - DNS lookup for MX records failed
    - Defaulting to MX = 'plofre.eu' at priority 0
    Building priority queue for test of servers:
    - Will test server id 0 at host 'plofre.eu' with priority 0

    Starting test for id 0 for host 'plofre.eu'
    - Trying to connect to 'tcp://plofre.eu:25' ... FAILED
    - Connection failed with code 0: php_network_getaddresses: getaddrinfo failed: Name or service not known
    None of the email servers could be reached

    ==> OK


    2.3 with nonexisting Sub-Domain

    The email address given was invalid, or a test connection to your server could not be established, or your server rejected your email address as invalid.

    Processing email address:
    - Domain Name: plofre.cacert.org
    - Mailbox Name: Gucky
    Determining MX records for mail delivery:
    - DNS lookup for MX records failed
    - Defaulting to MX = 'plofre.cacert.org' at priority 0
    Building priority queue for test of servers:
    - Will test server id 0 at host 'plofre.cacert.org' with priority 0

    Starting test for id 0 for host 'plofre.cacert.org'
    - Trying to connect to 'tcp://plofre.cacert.org:25' ... FAILED
    - Connection failed with code 0: php_network_getaddresses: getaddrinfo failed: Name or service not known
    None of the email servers could be reached

    ==> OK


    2.4a with nonexisting Emailaccount gucky@cacert.org

    The email address 'gucky@Cacert.org' is already assigned to another account. Cannot continue.

    =======> needs check after 24 hours.


    Check:

    The email address 'gucky@Cacert.org' has been added. However, before you can issue certificates for this address, you must open the link
    that was sent to this email address in a browser.

    ==> OK


    2.4b with nonexisting Emailaccount gucky1@cacert.org

    The email address 'gucky1@cacert.org' has been added. However, before you can issue certificates for this address, you must open the link
    that was sent to this email address in a browser.

    ==> OK



    3. add address to assured-account

    3.1 with nonexisting TLD

    The email address given was invalid, or a test connection to your server could not be established, or your server rejected your email address as invalid.

    Processing email address:
    - Domain Name: plofre.Tramp
    - Mailbox Name: Gucky
    Determining MX records for mail delivery:
    - DNS lookup for MX records failed
    - Defaulting to MX = 'plofre.Tramp' at priority 0
    Building priority queue for test of servers:
    - Will test server id 0 at host 'plofre.Tramp' with priority 0

    Starting test for id 0 for host 'plofre.Tramp'
    - Trying to connect to 'tcp://plofre.Tramp:25' ... FAILED
    - Connection failed with code 0: php_network_getaddresses: getaddrinfo failed: Name or service not known
    None of the email servers could be reached

    ==> OK


    3.2 with nonexisting Domain

    The email address given was invalid, or a test connection to your server could not be established, or your server rejected your email address as invalid.

    Processing email address:
    - Domain Name: plofre.eu
    - Mailbox Name: Gucky
    Determining MX records for mail delivery:
    - DNS lookup for MX records failed
    - Defaulting to MX = 'plofre.eu' at priority 0
    Building priority queue for test of servers:
    - Will test server id 0 at host 'plofre.eu' with priority 0

    Starting test for id 0 for host 'plofre.eu'
    - Trying to connect to 'tcp://plofre.eu:25' ... FAILED
    - Connection failed with code 0: php_network_getaddresses: getaddrinfo failed: Name or service not known
    None of the email servers could be reached

    ==> OK


    3.3 with nonexisting Sub-Domain

    The email address given was invalid, or a test connection to your server could not be established, or your server rejected your email address as invalid.

    Processing email address:
    - Domain Name: plofre.gukk.eu
    - Mailbox Name: Gucky
    Determining MX records for mail delivery:
    - DNS lookup for MX records failed
    - Defaulting to MX = 'plofre.gukk.eu' at priority 0
    Building priority queue for test of servers:
    - Will test server id 0 at host 'plofre.gukk.eu' with priority 0

    Starting test for id 0 for host 'plofre.gukk.eu'
    - Trying to connect to 'tcp://plofre.gukk.eu:25' ... FAILED
    - Connection failed with code 0: php_network_getaddresses: getaddrinfo failed: Name or service not known
    None of the email servers could be reached

    ==> OK


    3.4a with nonexisting Emailaccount gucky@cacert.org

    The email address 'gucky@Cacert.org' is already assigned to another account. Cannot continue.

    =======> needs check after 24 hours.
    see 2.4a

    3.4b with nonexisting Emailaccount gucky1@cacert.org

    The email address 'gucky1@cacert.org' is already assigned to another account. Cannot continue.

    =======> needs check after 24 hours.


    Check:

    The email address 'gucky1@cacert.org' has been added. However, before you can issue certificates for this address, you must open the link
    that was sent to this email address in a browser.

    ==> OK


    3.4c with nonexisting Emailaccount gucky@gukk.eu

    The email address 'gucky@gukk.eu' has been added. However, before you can issue certificates for this address,
    you must open the link that was sent to this email address in a browser.

    ==> OK


    4. add address to not-assured account

    4.1 with nonexisting TLD

    The email address given was invalid, or a test connection to your server could not be established, or your server rejected your email address as invalid.

    Processing email address:
    - Domain Name: plofre.Tramp
    - Mailbox Name: Gucky
    Determining MX records for mail delivery:
    - DNS lookup for MX records failed
    - Defaulting to MX = 'plofre.Tramp' at priority 0
    Building priority queue for test of servers:
    - Will test server id 0 at host 'plofre.Tramp' with priority 0

    Starting test for id 0 for host 'plofre.Tramp'
    - Trying to connect to 'tcp://plofre.Tramp:25' ... FAILED
    - Connection failed with code 0: php_network_getaddresses: getaddrinfo failed: Name or service not known
    None of the email servers could be reached

    ==> OK


    4.2 with nonexisting Domain

    The email address given was invalid, or a test connection to your server could not be established, or your server rejected your email address as invalid.

    Processing email address:
    - Domain Name: plofre.eu
    - Mailbox Name: Gucky
    Determining MX records for mail delivery:
    - DNS lookup for MX records failed
    - Defaulting to MX = 'plofre.eu' at priority 0
    Building priority queue for test of servers:
    - Will test server id 0 at host 'plofre.eu' with priority 0

    Starting test for id 0 for host 'plofre.eu'
    - Trying to connect to 'tcp://plofre.eu:25' ... FAILED
    - Connection failed with code 0: php_network_getaddresses: getaddrinfo failed: Name or service not known
    None of the email servers could be reached

    ==> OK


    4.3 with nonexisting Sub-Domain

    The email address given was invalid, or a test connection to your server could not be established, or your server rejected your email address as invalid.

    Processing email address:
    - Domain Name: plofre.gukk.eu
    - Mailbox Name: Gucky
    Determining MX records for mail delivery:
    - DNS lookup for MX records failed
    - Defaulting to MX = 'plofre.gukk.eu' at priority 0
    Building priority queue for test of servers:
    - Will test server id 0 at host 'plofre.gukk.eu' with priority 0

    Starting test for id 0 for host 'plofre.gukk.eu'
    - Trying to connect to 'tcp://plofre.gukk.eu:25' ... FAILED
    - Connection failed with code 0: php_network_getaddresses: getaddrinfo failed: Name or service not known
    None of the email servers could be reached

    ==> OK


    4.4a with nonexisting Emailaccount gucky@cacert.org

    The email address 'gucky@Cacert.org' is already assigned to another account. Cannot continue.

    =======> needs check after 24 hours.
    see 2.4a

    4.4b with nonexisting Emailaccount gucky1@cacert.org

    The email address 'gucky1@cacert.org' is already assigned to another account. Cannot continue.

    =======> needs check after 24 hours.
    see 3.4b

    4.4c with nonexisting Emailaccount gucky@gukk.eu

    The email address 'gucky@gukk.eu' is already assigned to another account. Cannot continue.

    =======> needs check after 24 hours.


    Check:

    The email address 'gucky@gukk.eu' has been added. However, before you can issue certificates for this address, you must open the link that was sent to this email address in a browser.

    ==> OK

    4.4d with nonexisting Emailaccount plofre@gukk.eu

    The email address 'plofre@gukk.eu' has been added. However, before you can issue certificates for this address,
    you must open the link that was sent to this email address in a browser.

    ==> OK



    all results combined

    ==> OK
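
    The flow behind the transcripts quoted in the notes above, as an added example in Python (not the CAcert website's code, which is PHP). A failed email ping should tell the user why it failed; the transcripts show the shape: read domain and mailbox, look up MX records, fall back to the bare domain at priority 0 when the lookup fails, build a priority queue, try each host on port 25 and end with "None of the email servers could be reached". The reimplementation below takes the MX resolver and the TCP connector as parameters, so it runs offline against constructed fakes; the domains, hosts and the getaddrinfo error text are constructed test data and the function names are this example's own. It also shows the success path, which (as the test instructions require) produces no transcript for the user.

```python
"""Added example (not CAcert code): an email ping that keeps a failure transcript.

Independent reimplementation of the flow visible in the bug-1393 transcripts.
Resolver and connector are injected so the module runs offline; the fakes at
the bottom are constructed test data.
"""
import socket
from typing import Callable, Dict, List, Optional, Tuple

MxLookup = Callable[[str], List[Tuple[int, str]]]   # domain -> [(preference, host)]
Connector = Callable[[str, int], Optional[str]]      # (host, port) -> None or error text


def email_ping(address: str, lookup_mx: MxLookup, connect: Connector,
               port: int = 25) -> Tuple[bool, str]:
    """Try to reach a mail server for ``address``; return (reachable, transcript)."""
    log: List[str] = []
    mailbox, _, domain = address.rpartition("@")
    log += ["Processing email address:",
            f"- Domain Name: {domain}",
            f"- Mailbox Name: {mailbox}",
            "Determining MX records for mail delivery:"]
    try:
        mx = lookup_mx(domain)
    except OSError:                      # NXDOMAIN or resolver failure
        mx = []
        log.append("- DNS lookup for MX records failed")
    if not mx:
        # Implicit MX (RFC 5321 section 5.1): deliver to the domain's own address.
        log.append(f"- Defaulting to MX = '{domain}' at priority 0")
        mx = [(0, domain)]

    log.append("Building priority queue for test of servers:")
    queue = sorted(mx)                   # lowest preference value is tried first
    for sid, (prio, host) in enumerate(queue):
        log.append(f"- Will test server id {sid} at host '{host}' with priority {prio}")

    for sid, (_, host) in enumerate(queue):
        log += ["", f"Starting test for id {sid} for host '{host}'"]
        error = connect(host, port)
        if error is None:
            log.append(f"- Trying to connect to 'tcp://{host}:{port}' ... OK")
            return True, "\n".join(log)
        log.append(f"- Trying to connect to 'tcp://{host}:{port}' ... FAILED")
        log.append(f"- Connection failed: {error}")

    log.append("None of the email servers could be reached")
    return False, "\n".join(log)


def ping_report(address: str, lookup_mx: MxLookup, connect: Connector) -> str:
    """What the user sees: nothing on success, the full transcript on failure."""
    ok, transcript = email_ping(address, lookup_mx, connect)
    return "" if ok else transcript


def tcp_connector(host: str, port: int, timeout: float = 5.0) -> Optional[str]:
    """Real connector for use outside the tests: None on success, error text otherwise.

    A real MX lookup needs a DNS library (the standard library has none), which
    is why the resolver is injected rather than implemented here.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return None
    except OSError as exc:
        return f"{exc.__class__.__name__}: {exc}"


# Constructed fakes standing in for DNS and the network.
FAKE_MX: Dict[str, List[Tuple[int, str]]] = {
    "example.test": [(20, "mx2.example.test"), (10, "mx1.example.test")],
}
FAKE_REACHABLE = {"mx2.example.test"}


def fake_lookup_mx(domain: str) -> List[Tuple[int, str]]:
    if domain not in FAKE_MX:
        raise OSError("DNS: NXDOMAIN")
    return FAKE_MX[domain]


def fake_connect(host: str, port: int) -> Optional[str]:
    if host in FAKE_REACHABLE:
        return None
    return "getaddrinfo failed: Name or service not known"


def demo() -> Dict[str, str]:
    """The two cases from the test instructions: an unreachable domain and a working one."""
    return {
        "bad": ping_report("Gucky@plofre.eu", fake_lookup_mx, fake_connect),
        "good": ping_report("user@example.test", fake_lookup_mx, fake_connect),
    }


if __name__ == "__main__":
    for name, report in demo().items():
        print(f"--- {name} ---\n{report or '(no transcript: success)'}")
```

    For the unreachable domain the output matches the transcripts above line for line, except that the PHP-specific "php_network_getaddresses" prefix is replaced by the connector's own error text. The MX queue is sorted by preference before the loop, so the example also shows the ordering rule the transcripts only hint at with "priority".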



    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1382 [Main CAcert Website] minor always 2015-05-05 05:00 2015-10-23 10:57
    Reporter: INOPIAE Platform:  
    Assigned To: BenBE OS:  
    Priority: normal OS Version:  
    Status: needs review Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by:
    Test Instructions: Check with an Org Assurer Account if all domains show valid entries in the organisation overview (account/25.php) that correspond to the single entries. Only the account with id 311 shows no entries.
    Summary: Missing name entries if organisation name contains special characters on Organisation overview
    Description: All names of an organisation containing special characters are not displayed on account/25.php
    Tags:
    Steps To Reproduce:
    Additional Information: Line 66
    <td class="DataTD"><?=htmlspecialchars($row['O'])?>, <?=htmlspecialchars($row['ST'])?> <?=htmlspecialchars($row['C'])?></td>
    Attached Files:
    Notes
    (0005381)
    felixd   
    2015-05-05 20:28   
    Fix is available here: https://github.com/yellowant/cacert-devel/tree/bug-1382
    (0005388)
    MartinGummi   
    2015-05-10 20:35   
    Login with an OrgAssurer Account

    List looks good

    The Organisation with an umlaut (add by me at 2015-05-08) looks good

    ==> ok
    (0005395)
    Eva   
    2015-05-19 19:18   
    When looking at the organisation list as an org assurer only one entry looks as if something is not displayed correctly (it only shows a ",").

    I was told by someone with access to the database that this is exactly as it is based on what is written in the database for that organisation.

    I added a new one with multiple umlauts (%&öüä€ Umlaut name .,-§%, Name DE); it is displayed correctly.

    ==> OK


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1042 [Main CAcert Website] source code minor have not tried 2012-05-31 03:50 2015-10-20 21:17
    Reporter: INOPIAE Platform:  
    Assigned To: Eva OS:  
    Priority: normal OS Version:  
    Status: needs review & testing Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by:
    Test Instructions: https://bugs.cacert.org/view.php?id=1042#c5383
    Summary: Review the code regarding the new point calculation
    Description: Check if the point calculation is adjusted according to the new points calculation.
    Tags:
    Steps To Reproduce:
    Additional Information:
    Attached Files:
    Notes
    (0005383)
    felixd   
    2015-05-05 21:59   
    (Last edited: 2015-06-02 20:03)
    Test Instructions:

    to create new test accounts please look at https://wiki.cacert.org/Software/TestTeam/WelcomePack/02-CreateAccounts as the test management server shows some strange behaviours with the batch assurances and the administrative increase.

    General fix in points calculation:
    Experience points are not counted as "points" where this is appropriate (e.g. checking if someone is an assurer).
    This situation might arise as the following.
    A user receives 100 points and passes CATS.
    The user assures some people, receiving experience points.
    An assurance to that user (one of the 100 points) gets deleted, so that his assurance + experience points are still over 100, e.g.:
    90 assurance points + 10 experience points = 100 points.

    the user now may for example not assure others.

    Or a user with 40 assurance + 10 experience points may not include his name in certificates.


    Check that the following actions still work:
    - Create a certificate (client or server) and check that it is issued with the correct validity period (with respect to more or less than 50 points).
    - the correct number of max assurance points is displayed when assuring someone (checking that two values are correct should suffice)
    - the assurer flag gets set and unset correctly
    - the 3 texts on account/55 (your trainings): "are assurer", "have 100 points but need test", "have passed challenge but need 100 points" are displayed correctly. (100 points are only 100 assurance points, please test that experience points do not count here)
    - only 'real' (see 'General fix') assurers are listed in wot/1
    - only listed 'real' assurers may be sent contact mails through wot/9
    - stats work calculate the points (now) correctly (see 'General fix')
    - "api/ccsr.php" and "api/cemails.php" are removed.
    - the mail sent to assurees is correct:
       no 'rounding down' anymore
       you have now 'x' assurance points in total (with x also being > 100)


    A complete check of all other features might be appropriate as well.

    If you delete an assurance in the SE console please make sure that you delete the corresponding "Experience Points" assurance as well. Otherwise the calculation of the total assurance points in the SE console will not be correct.
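
    The points rules these test instructions describe, as an added example in Python (not CAcert code, which is PHP). The "General fix" is that experience points must not be counted as assurance points where a privilege depends on assurance points: being an assurer takes 100 assurance points plus a passed CATS test, and putting a name into a certificate takes 50 assurance points. The model below keeps the pre-fix rule (privileges derived from the total including experience points) beside the fixed one, so the divergence on the two cases named above (90 AP + 10 EP, 40 AP + 10 EP) is visible, and adds the three account/55 texts. The thresholds come from the instructions; the ladder for the maximum points an assurer may award (10, plus 5 for every 5 assurances made, up to 35) is read off notes 0005403 and 0005404 further down and is an assumption of this example, as are the fourth status text and all function and field names.

```python
"""Added example (not CAcert code): assurance points versus experience points.

Independent model of the rules in the bug-1042 test instructions. Thresholds
are from the instructions; the max-award ladder and the names are assumptions.
"""
from dataclasses import dataclass
from typing import Dict

ASSURER_POINTS = 100        # assurance points needed to be an assurer (plus CATS)
NAME_IN_CERT_POINTS = 50    # assurance points needed to put the name into a certificate
MAX_AWARD_BASE = 10         # points a new assurer may award
MAX_AWARD_STEP = 5          # increase per 5 assurances made (assumed from the notes)
MAX_AWARD_CAP = 35          # ceiling reached after 25 assurances (assumed from the notes)


@dataclass(frozen=True)
class Member:
    assurance_points: int    # AP: received from assurers
    experience_points: int   # EP: earned by assuring others
    passed_cats: bool
    assurances_made: int


def is_assurer_buggy(m: Member) -> bool:
    """Pre-fix rule: EP count towards the 100, so a deleted assurance goes unnoticed."""
    return m.assurance_points + m.experience_points >= ASSURER_POINTS and m.passed_cats


def is_assurer(m: Member) -> bool:
    """Fixed rule: only assurance points count, plus the CATS test."""
    return m.assurance_points >= ASSURER_POINTS and m.passed_cats


def may_include_name_buggy(m: Member) -> bool:
    return m.assurance_points + m.experience_points >= NAME_IN_CERT_POINTS


def may_include_name(m: Member) -> bool:
    return m.assurance_points >= NAME_IN_CERT_POINTS


def max_award(m: Member) -> int:
    """Points this member may award in one assurance; 0 if not (or no longer) an assurer."""
    if not is_assurer(m):
        return 0
    steps = m.assurances_made // 5
    return min(MAX_AWARD_CAP, MAX_AWARD_BASE + MAX_AWARD_STEP * steps)


def training_status(m: Member) -> str:
    """The account/55 texts; the 100 here are assurance points only."""
    if is_assurer(m):
        return "are assurer"
    if m.assurance_points >= ASSURER_POINTS:
        return "have 100 points but need test"
    if m.passed_cats:
        return "have passed challenge but need 100 points"
    return "need 100 points and test"      # fourth case, not listed on the page (assumed)


def demo() -> Dict[str, Dict[str, object]]:
    """The cases from the instructions and the notes, pre-fix and fixed side by side."""
    cases = {
        "90 AP + 10 EP": Member(90, 10, True, 5),
        "40 AP + 10 EP": Member(40, 10, False, 5),
        "100 AP, 25 assurances": Member(100, 50, True, 25),
    }
    return {name: {"assurer_buggy": is_assurer_buggy(m), "assurer": is_assurer(m),
                   "name_buggy": may_include_name_buggy(m), "name": may_include_name(m),
                   "max_award": max_award(m), "status": training_status(m)}
            for name, m in cases.items()}


if __name__ == "__main__":
    for name, row in demo().items():
        print(name, row)
```

    The two "buggy" functions are the privilege checks the fix removes: a member whose received assurances drop to 90 points keeps assuring under the old rule because the 10 experience points fill the gap, while under the fixed rule the member loses the assurer flag and may award 0 points.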

    (0005389)
    INOPIAE   
    2015-05-12 19:50   
    (Last edited: 2015-05-12 19:54)
    Created account.
    Added 49 assurance points via test mgr
    Created client cert:
    no class 3 selection => ok
    duration 3 days => ok
    become assurer

    added assurance with 35 points via normal assurance
    mail 35 points added you have now 35 points. => false should be 84 points
    my points wot/10 shows 49 point => false should be 84 points
    my points wot/15 shows 84 points => ok
    SE interface shows 49 points => false should be 84 points
    SE points wot/10 shows 49 points => false should be 84 points
    SE points wot/15 shows 84 points => ok
    created client cert:
    class 3 enabled => ok
    duration 3 days => false should be 1 week
    become assurer

    stop testing until errors are fixed

    (0005396)
    Eva   
    2015-05-19 19:37   
    I do not see that the big bunch of entries is testable in a sensible manner so that it is documented in an understandable way. Protests against this combination of so many things into one bug entry, especially when it is about as substantial things as assurances (and a lot of other things)

    Please find another way how this tests should be done.
    (0005397)
    BenBE   
    2015-05-19 20:01   
    The way these tests are handled is the only sensible one even if the bugs were split originally for review purposes. Re-combining the bugs was done on purpose as duplicating tests would have been much more trouble in regards to documentation as changes in one dependent bug/patch might introduce changes on a completely different location. Also: You were one of the people complaining to not want to test the whole system (range of effects single changes in this patch set) for every patch (result of not combining the test) in the patch set.

    Furthermore: If we were not to test this change at all we wouldn't get any change of it online. There were similar patches like this in the past and while testing took some time to review the whole system (and yes, with the current software that is sometimes the only way) it has been managed.

    Nobody forces you to test this patch. If you feel like you can't cope: Don't do it.

    Testing is voluntary for the testers, yet compulsory for getting a change set into production. It's much preferable if the testers are confident in what they do instead of complaining.

    This said: Tests can usually be split at the boundaries of the bugs while keeping in mind the features from other bugs they depend on. This can be roughly seen from the way the merges were performed while combining the change sets for this issue (some issues are merged explicitly into foreign branches despite them being merged into this bug anyway).
    (0005398)
    Eva   
    2015-05-19 20:16   
    If there is such a big bug and big patch there should be at least one (if not multiple) descriptions of what is done on a "use case" or comparable level. Something that describes for someone not deeply into the software what this is all about. This is even the case if it should not lead to any visible changes.

    Currently there are only quite random thing listed, that seem to belong to different original bug entries.

    I do not complain about that "everything" needs to be tested. That is something that needs to be done, now and again.

    But this "everything" cannot be actually everything as one would need indefinite time to do this. So one has to focus on something. To be able to do so one has to do this with the specific kind of change in mind. It is definitely not enough to only concentrate on those points that the coder has touched, as our tests are specifically done to find side effects of those changes, especially those that the coder did not have in mind.

    So instead of more or less giving a list of changes test-instructions and/or bug descriptions should be done on a different level.

    Also most big features can normally be split to smaller ones. It would be good to be able to focus on those with the tests, even if one would have to do the complete test multiple times.
    (0005401)
    INOPIAE   
    2015-05-27 05:37   
    (Last edited: 2015-06-02 20:30)
    I created a new account.
    Via TMS gave 100 AP and CATS
    Started assuring
    With the 6th assurance the max points stayed at 10 points.
    => fail

    (0005402)
    felixd   
    2015-05-27 08:40   
    We tested and live-fixed that bug on another testsystem. The resulting commit is here:

    https://github.com/yellowant/cacert-devel/commits/bug-1042
    (0005403)
    INOPIAE   
    2015-06-02 20:37   
    (Last edited: 2015-06-02 20:39)
    I created a new account.
    Via TMS gave 100 AP and CATS
    Started assuring
    The system shows for every 5 successful assurances the increase of the max points correctly. => ok
    After the 25th assurance the max. points are at 35 points max. => ok
    I deleted one assurance and the corresponding "Experience Points" assurance.
    The totals are correct. => ok
    The max. points dropped to 30 points max. => ok.
    Adding a new assurance comes back to 35 points max. again. => ok

    (0005404)
    janmaco   
    2015-06-06 10:52   
    Generated a user and gave him 100 AP and CATS.
    Generated 24 users and let the user assure each of them.
    Maximum points to assure increases in the correct interval => OK
    User got 50 EP and is now able to assure up to 35 AP => OK
    Removed one assurance, the user made -> The user can only assure 30 AP => OK
    Removed one assurance the user got -> The user isn't able to assure anyone AFTER RELOGIN (this is kind of "fatal", but is not part of this bug) => OK
    Reassured user -> user is able again to assure up to 30 points => OK
    Assured another user -> got 2 EP -> user has 150 points and is able to assure 35 points => OK

    Revoked all assurances the user got (still has 50 EP (_NOT_ AP)) -> generated client cert including name using SPKAC -> name included => FAIL/WARN: Discuss which behavior is correct...
    In the same scenario, only short validity periods are possible (so at least the signer seems to work correctly here) => OK

    Mails to assurees displayed correctly => OK

    An Assurer who isn't assurer anymore by revoked assurances the user got isn't listed as assurer to others => OK
    An Assurer who isn't assurer anymore by revoked assurances the user got (but still has 50 AP and 50 EP) isn't listed as assurer to others => OK
    An Assurer who isn't assurer anymore by revoked assurances the user got (but still has 50 AP and 50 EP) isn't listed as assurer to others and can't be mailed by changing the id in the GET-param, but the contactform with the name appears (not this bug) => OK

    api/cemails.php isn't present => OK
    api/ccsr.php isn't present => OK

    => (OK, may need discussion)
    (0005405)
    felixd   
    2015-06-06 16:38   
    (Last edited: 2015-06-06 16:39)
    I patched the code that calculates the 'overall points' (459292a) to only include exp. points, if there are 100 assurance points.

    this should fix "name included => FAIL/WARN: Discuss which behavior is correct"

    (0005406)
    lucasw   
    2015-06-06 17:20   
    (Last edited: 2015-06-10 13:56)
    I performed a test.

    - Created user. Gave user three full assurances (100 AP).
      Gave user CATS. Assured 26 people.
      This was done by Felix using his script.
      That script always attempted to give 35 points;
      the software correctly truncated this to 5x10, 5x15, 5x20, 5x25, 5x30 and finally 1x35 points.
    - Enabled the “Support Engineer” flag to be able to delete assurances.
    - Revoked two assurances by the user. Now user has 48 EP.
    - Attempted to re-assure the first of those users. Entered 35 AP.
      System displayed a maximum of 30 AP, and only 30 AP were granted.
    - Attempted to re-assure the second of those users. Entered 35 AP.
      System displayed a maximum of 35 AP, and all 35 AP were granted.
    - Created client cert, valid for 1 month.
    - Revoked two of the assurances to the user. 87 points total, but only 35 AP.
    - Created client cert, only valid for 3 days.
    - Attempted to assure someone. Got error: User passed Assurer Challenge, but still needs 100 AP.
    - Gave one more assurance to user and revoked one of the “Administrative increases” (2 EP from one of the assurances).
      120 points total, but only 70 AP.
    - Attempted to assure someone. Entered 35 AP.
      System displayed a maximum of 0 AP, and only 0 AP were granted.
      (Note the difference to above, where user wasn’t able to assure at all.)
    - Set my location, searched for assurers around that location.
      User was not listed.
    - Logged out and logged in again.
    - Attempted to assure someone. Menu item not present, but page reachable by entering URL manually.
      Entered 35 AP. System displayed a maximum of 0 AP, and only 0 AP were granted.
    - felixd pushed two patches: Commits 99265c8 and 0adfd09.
    - Gave two more assurances to user, revoked one of them.
      150 points total, 105 AP.
    - Attempted to assure someone. Entered 35 AP.
      System displayed a maximum of 35 AP, and 35 AP were granted.
    - Revoked one assurance to the user.
      120 points total, but only 70 AP.
    - Accidentally logged out. Logged in again.
    - Attempted to assure someone. Menu item not present.
      When entering URL manually, got error: User passed Assurer Challenge, but still needs 100 AP.
    - Gave two more assurances to user, revoked one of them.
      150 points total, 105 AP.
    - Began attempting to assure someone. Entered 35 AP.
      System displayed a maximum of 35 AP.
    - Revoked one assurance to the user.
      120 points total, but only 70 AP.
    - Attempted to complete the started assurance (see above; separate browser tab).
      Got error: User passed Assurer Challenge, but still needs 100 AP.
      The menu item is also hidden.

    SUMMARY: With AP<100, but AP+EP>=100, the system used to allow issuing 0-point assurances (though after a relogin, the menu item was hidden).
    This was fixed by felixd.
    I am not aware of any further bugs related to this issue.

    2015-06-10T15:53+0200 Edit: Felix asked me to check the additional commits 5ab9a73 and eadb033.

    - Opened System Admin panel. Offers Revoke link. OK.
    - Opened Account History panel. Shows revocation info. OK.
    - Opened My Points panel. Does not show revocation info (neither old nor new calculation). OK.
    - Removed Support Engineer flag from account. Logged out and logged in again.
    - System Admin menu not present. Attempted to access it via URL. Got error. OK.
    - Opened Account History panel. Shows revocation info. OK.
    - Opened My Points panel. Does not show revocation info (neither old nor new calculation). OK.

    Seeing as the commits only touched output code, I see no need to repeat the original test.

    (Also available at https://lucaswerkmeister.de/cacert-1042.md, signed at https://lucaswerkmeister.de/cacert-1042.md.gpg)
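
    Added example, not CAcert's code and not from lucasw's or felixd's notes: the point rules that the test reports above exercise, written as pure Python functions so the scenarios can be replayed offline. The thresholds are taken from what the notes record (100 AP plus the Assurer Challenge to assure; experience points counted towards the overall total only once 100 AP are held, as felixd describes for commit 459292a; the award ceiling rising from 10 to 35 in steps of 5 for every five assurances given); the function and constant names are hypothetical.

```python
# Added example, not CAcert's code: the point rules exercised in the test
# reports, as pure functions.  Thresholds follow the observations in the
# notes; all names are hypothetical.

ASSURER_AP_THRESHOLD = 100   # assurance points needed before one may assure
EP_PER_ASSURANCE = 2         # experience points granted per assurance given
MAX_POINTS_CAP = 35          # ceiling on points one assurance may award


def overall_points(assurance_points, experience_points):
    """Overall points as patched in 459292a (per felixd's note): experience
    points are added only once the member already holds 100 AP."""
    if assurance_points >= ASSURER_AP_THRESHOLD:
        return assurance_points + experience_points
    return assurance_points


def can_assure(assurance_points, passed_cats):
    """Assurer status needs the challenge (CATS) *and* 100 AP; EP never
    substitute for missing AP (the AP<100, AP+EP>=100 case in lucasw's
    summary)."""
    return passed_cats and assurance_points >= ASSURER_AP_THRESHOLD


def max_points_to_assure(experience_points):
    """Maximum AP one assurance may award: 10, rising by 5 for every 10 EP
    (five assurances given), capped at 35 -- the 5x10, 5x15, ..., 1x35
    sequence lucasw observed."""
    steps = experience_points // (5 * EP_PER_ASSURANCE)
    return min(MAX_POINTS_CAP, 10 + 5 * steps)


def clamp_award(requested, experience_points):
    """Truncate a requested award to the assurer's current maximum."""
    if requested < 0:
        raise ValueError("an award cannot be negative")
    return min(requested, max_points_to_assure(experience_points))


def simulate_assurances(count, requested=35):
    """Replay the scripted scenario: an assurer starting with 0 EP gives
    `count` assurances, each requesting `requested` points.  Returns the
    points actually granted per assurance."""
    granted = []
    ep = 0
    for _ in range(count):
        granted.append(clamp_award(requested, ep))
        ep += EP_PER_ASSURANCE
    return granted


if __name__ == "__main__":
    print("granted per assurance:", simulate_assurances(26))
    print("max award at 48 EP:", max_points_to_assure(48))   # 30, as after two revocations
    print("35 AP + 52 EP overall:", overall_points(35, 52))  # EP not counted below 100 AP
    print("70 AP, CATS passed, may assure:", can_assure(70, True))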


    (0005407)
    INOPIAE   
    2015-06-09 20:40   
    (Last edited: 2015-06-09 21:26)
    Create new account 1042.a@acme.com
    Added 49 points via TMS
    Created client cert, duration 3 days => ok
    Created server cert, duration 3 days => ok
    Added 1 AP, total 50 AP
    Created client cert, duration 1 months => ok
    Created server cert, duration 1 months => ok
    GPG certs available => ok
    Revoked the assurance 1 AP, total 49 AP
    Certificates were not revoked, is this needed here?
    Created client cert, duration 3 days => ok
    Created server cert, duration 3 days => ok
    GPG certs not available => ok
    GPG.php?id=0 and id=2 redirected to account.php => ok
    Added 35 AP and 15 AP, total 99 AP
    Created client cert, duration 1 months => ok
    Created server cert, duration 1 months => ok
    GPG certs available => ok
    Added code signing flag to account (should not be granted)
    Client cert does not show the code signing option => ok
    Added 1 AP, total 100 AP
    Client cert does not show the code signing option => ok
    Cannot assure => ok
    Added CATS
    Client cert shows the code signing option => ok
    Cannot assure. After relogin can assure => ok
    Assured 1 user with 10 points => ok
    Revoked 1 AP, total 99 AP
    Assure someone gives warning and no assurer option => ok
    direct call of wot.php?id=5 shows same behaviour => ok
    Client cert does not show code signing option => ok
    In SE console Assurance Points shows 99 AP => ok
    Added 1 AP, total 100
    user is able to assure again => ok
    Client cert shows the code signing option => ok
    Added 5 more assurances, 12 EP in total
    Set location and allow my listing
    User listed in Find Assurer with 15 AP => ok
    Revoked 1 AP assurance, 99 AP in total
    Assure someone gives warning and no assurer option => ok
    direct call of wot.php?id=5 shows same behaviour => ok
    Client cert does not show code signing option => ok
    User not listed in Find Assurer => ok
    Added 1 AP, total 100
    user is able to assure again with 15 AP => ok
    Client cert shows the code signing option => ok

    mails to the assuree always show the desired behaviour => ok

    => ok

    (0005418)
    Eva   
    2015-07-12 20:51   
    Arbitration notice from Arbitrator of a20140126.1:
    This bug should not go productive until a question raised in the case related to this bug is answered and a possible issue is clarified.

    Hopefully no issue will be detected and the block can be removed, soon.
    (0005469)
    Ted   
    2015-10-15 21:21   
    (Last edited: 2015-10-15 21:24)
    Commit 345eb2e771f6475e243f406fe37c41933a520c11 vs. eadb03311454c5dc6234c45a76eb5943612568e0?

    All line numbers reference the files from eadb03311454c5dc6234c45a76eb5943612568e0?.


    ==============
    |REVIEW FAILS|
    ==============

    includes/notary.inc.php
    =======================


    function revoke_assurance and recalculate_old_assurance_points, lines 2213 and 2232:
    The LIMIT clause should be removed, or a comment added why it is needed.

    The LIMIT clause is not a standard SQL clause and redundant to the primary key constraint here. If there are
    multiple primary keys in this table we're in deep trouble, regardless whether one or all rows are updated...


    www/wot.php
    ===========

    Line 417:

    if(($drow_points + $awarded) >= 100 && $drow_points < 0 && !is_assurer(intval($_SESSION['_config']['notarise']['id'])) )

    Am I completely stupid? Shouldn't this read "&& $drow_points > 0"??? As I see it, $drow_points will never be below zero!
    Correct this, or explain to me that I'm wrong...

    ==============
    |Minor issues|
    ==============

    CommModule/client.pl
    ====================

    Line 444:
    - Why is the expired data field ignored here? It was ignored before, but as I see it expired notaries should not be counted here.


    includes/lib/account.php
    ========================
    Lines 52 and 85:

    Why "AND `n`.`from` != `n`.`to`" clause? It should not hurt, but how can "from" be equal to "to"?

    pages/account/55.php
    ====================
    Why "AND `n`.`from` != `n`.`to`" clause, see above?


    includes/lib/general.php
    ========================

    Lines 146ff:

    Old code was explicitly false when handling temporary points ("AND `n`.`expire` < now()").
    New code does not handle temporary points at all?


    includes/notary.inc.php
    =======================

    Function get_received_experience_points, line 349:
    Line "$res = get_received_assurances(intval($userid));" should be below the comment, since it is part of the logic that should be removed in the future


    scripts/cron/refresh_stats.php
    ==============================
    In several statements "expire" is not regarded.


    pages/wot/1.php
    ===============
    Statement Line 92ff, extremely ugly, see mail.


    =============
    |Other Notes|
    =============

    CommModule/readme.txt
    =====================
    OK


    CommModule/usbclient.pl
    =======================
    (deleted)

    According to mail from Benny the module is neither used nor supported anymore.


    cgi-bin/siteseal.cgi
    ====================
    (deleted)

    According to mail from Benny, the Site Seal 7 Site Stamp feature has been deactivated for quite some time.


    includes/account.php
    ====================
    OK

    includes/general.php
    ====================
    OK



    includes/loggedin.php
    =====================
    OK


    pages/account/43.php
    ====================
    OK


    pages/wot/9.php
    ===============
    OK. Quite ugly, but not worse than before.



    scripts/cron/updatesort.php
    ===========================
    OK

    stamp/*
    =======

    deleted, see siteseal.cgi

    www/api/ccsr.php
    ================

    OK. API for requesting certificates removed.

    www/api/cemails.php
    ===================

    OK. API for querying own account information removed.

    www/index.php
    =============

    OK

    (0005474)
    BenBE   
    2015-10-18 15:08   
    Regarding the review fails:

    - For the first issue in includes/notary.inc.php:
    If you prefer SQL-standard compliant versions you can leave this clause out. It was primarily added for defense in depth if some conditional was screwed.

    - For the second issue in www/wot.php line 417:
    The conditional is wrong and despite my first look at it and some more backtracing it should read ($drow_points < 100) or to quote the full line:

    if(($drow_points + $awarded) >= 100 && ($drow_points < 100) && !is_assurer(intval($_SESSION['_config']['notarise']['id'])) )

    Thus, given my backtracing was correct, $drow_points at that location holds the old number of points issued to the user and the condition will succeed when the user first has 100 or more points, while having fewer previously.

    - CommModule/client.pl:
    The handling of expired points is indeed missing and should be added to be consistent with the WebDB software. Even though there should be no affected records (no current temporary increases, no such programs defined, old records cleaned by Cronjob) it's better to be safe here.

    - include/lib/general.php:
    Have to revisit the code changes there to say more on this change.

    - refresh_stats.php
    Intentionally ignored (as with deleted entries) to make stats more self-consistent.

    @Ted: You can perform the changes required; I'll revisit the modified locations for my review afterwards.
    (0005475)
    felixd   
    2015-10-19 23:02   
    (Last edited: 2015-10-20 19:03)
    Regarding www/wot.php line 417:

    This is indeed unclear when which part has to be sent.
    I changed the conditionals to have the following meaning:
    - include "you have reached 50 points..." when the assuree now has more than 50 points and hadn't before
    - include "You can now become an assurer" when the assuree now has more than 100 points and hadn't before and is no assurer yet.

    Regarding the LIMIT clauses:
    As BenBE said, we are already heavily depending on MySQL syntax (every time there is a backtick quote) and using mysql-specific functions (mysql_query).
    The LIMIT clause helps to state the programmer's intent that only one line is to be modified and is thereby beneficial to make the code understandable.

    As to "expires":
    As BenBE already told there should be no expired records.
    Handling expired records consistently would include adding this extra clause in every SQL-query touched.
    As there should not be expired records, I think, that we should not try to add extra complexity in so many different locations.

    The "`n`.`from` != `n`.`to`"-clauses:
    All "Administrative Increase" points should be of the structure that `from` = `to`.
    We want to select only "regular" assurances and adding `from` != `to` keeps us safe against data entries similar to "Administrative Increase"es.

    I added a commit that changes the bad conditional:
    https://github.com/yellowant/cacert-devel/commits/bug-1042

    I'd say all other things are fine.
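
    Added example, not CAcert's code and not from Ted's, BenBE's or felixd's notes: the mail-paragraph decision behind the www/wot.php line 417 conditional, written as a Python function so the predicate as reviewed and the corrected rule can be compared over a table of constructed inputs. The "crossed the threshold with this assurance" meaning is the one felixd describes; the comparisons use >= as in BenBE's corrected line. Function and constant names are hypothetical.

```python
# Added example, not CAcert's code: the threshold-crossing rule for the
# assurance mail as a pure function, plus a transcription of the predicate
# the review flagged, so the two can be compared.  Names are hypothetical.

REACHED_50 = "reached_50"                  # "you have reached 50 points ..."
CAN_BECOME_ASSURER = "can_become_assurer"  # "You can now become an assurer"


def buggy_assurer_notice(old_points, awarded, is_assurer):
    """Transcription of the predicate reviewed at www/wot.php line 417.

    Stored point totals are never negative, so `old_points < 0` is always
    False and this notice is never sent -- which is what the review flagged.
    """
    return (old_points + awarded) >= 100 and old_points < 0 and not is_assurer


def mail_paragraphs(old_points, awarded, is_assurer):
    """Optional paragraphs to include in the mail for one assurance.

    A paragraph is included only when this assurance makes the assuree cross
    the threshold: the new total is at or above it and the old total was
    below it.  `old_points` is the assuree's total before this assurance.
    """
    if old_points < 0 or awarded < 0:
        raise ValueError("point totals and awards cannot be negative")
    new_points = old_points + awarded
    paragraphs = set()
    if old_points < 50 <= new_points:
        paragraphs.add(REACHED_50)
    if old_points < 100 <= new_points and not is_assurer:
        paragraphs.add(CAN_BECOME_ASSURER)
    return paragraphs


def notices_missed_by_buggy_check(max_old_points=150, awards=(10, 35)):
    """Count the (old_points, awarded) pairs on a constructed grid where the
    corrected rule sends the assurer notice but the reviewed predicate
    stays silent."""
    missed = 0
    for old in range(max_old_points + 1):
        for awarded in awards:
            corrected = CAN_BECOME_ASSURER in mail_paragraphs(old, awarded, False)
            if corrected and not buggy_assurer_notice(old, awarded, False):
                missed += 1
    return missed


if __name__ == "__main__":
    for old, awarded in ((40, 10), (90, 10), (65, 35), (100, 10)):
        print(old, "+", awarded, "->", sorted(mail_paragraphs(old, awarded, False)))
    print("notices the reviewed predicate would never send:",
          notices_missed_by_buggy_check())
```

    Keeping the decision in one pure function with the "before" and "after" totals as explicit inputs is what makes a condition like this reviewable: every branch can be pinned by a small table of cases instead of being traced backwards through the page that sends the mail.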

    (0005476)
    Eva   
    2015-10-20 06:01   
    Arbitration note from the Arbitrator of a20140126.1 - as stated above that case is blocking this bug. The blocking element for that case is - since over a quarter of a year(!) - the review and test for an appropriate SQL query to be able to inform affected users about the change to their accounts/assurances (or the display of those).

    As this mail has to be sent weeks prior to the installation of this bug, handle the requested SQL query with priority. There is an Arbitration request to do this for months.

    The requirements about the query are quite clear.

    I do not care how the query looks like, as long as the requirements are met. The current proposal from my side is:

    1st:
    ---
    SELECT count(*)
    FROM `notary` AS `n`
    WHERE `n`.`from` = `n`.`to`
    AND `n`.`method` LIKE 'Administrative%'
    AND ( `n`.`awarded` > 2 OR `n`.`points` > 2 )
    AND `n`.`deleted` != 0;
    ---

    2nd:
    ---
    SELECT count(*)
    FROM `notary` AS `n`
    WHERE `n`.`from` != `n`.`to`
    AND `n`.`method` LIKE 'Administrative%'
    AND `n`.`deleted` != 0;
    ---

    To be able to answer a question in that case, and to get an idea of the severity of the issue (and if there is a need to inform members, at all).

    You may also provide another version, that also provides the Fname, Lname and email of the assuree, for accounts that are not deleted and any other parts which may be required to inform a member via a mail-script, if you regard it to be likely that there are affected members.

    As already stated, you may also provide different queries, that match the requirements (or update the above to fix syntactic or comparable issues).

    If you think that you need to know if there are recent entries of higher administrative increases on the production system you may add a grouping for the years of the assurances. You may also provide a version for a counter per kind of assurances if you (Benny as claimant) regard it to be relevant to check this, by adjusting the "like" or whatever is needed, or a grouping for "points/awarded", or a counter per value.

    However, my requirement is, that at the time being only counts and no specific values of affected accounts are provided. (Beside of possibly a version with name and email to contact affected users, probably via automated mail-script.)

    The description about what the queries should provide by Benny:
    "Regarding the first statement the reason is to see if there are any administrative increases in the database where more than 2 points were allocated to the columns points or awarded. There should be no such records available as the administrative increase by default should be at most 2 points.

    The second statement is to see if there are any administrative increases in the database where the person issuing points (`from`) is not the same as receiving them (`to`). There should be no such records available as the administrative increase as present in the software is always set to make `from` equals `to`."



    I also place a warning against Benny here, if this is not covered, soon. If you continue to insist on queries that will provide data that was not allowed by the Arbitrator, or if you continue to reject the decision of the Arbitrator or if you continue to delay the creation and review of this query, there will be consequences. You were warned before, multiple times. There were meetings about this. There were agreements, which seem to be waived by you, already.

    Also: The review of the query is a lot easier than the review of this bug, so I definitely cannot understand why it is not done.

    There was already a deadline for 2015-08-26 00:00 UTC, which was not met. Then there was a meeting where you promised to cover this, ASAP. Then I got a mail that this would be covered ASAP but not within the next weeks, because you decided that you would cover Arbitration requests in an order of your liking (arbitration number). Then there were answers to other cases, with a higher number. But the only answers I got for this case were "rejected" because you insist that more information should be gathered, at 2015-07-12.
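
    Added example, not CAcert's code and not from Eva's or Benny's notes: the two count queries proposed above, run as posted against a constructed in-memory SQLite table that carries only the `notary` columns they reference (the column types and the sample rows are assumptions; SQLite accepts the backtick-quoted identifiers used in the queries). It returns counts only, no names or e-mail addresses, which is the data-minimisation requirement stated above. The queries as posted filter on `deleted` != 0; the function takes that filter as a whitelisted parameter so an auditor can confirm which population the counts describe before acting on them.

```python
import sqlite3

# Added example, not CAcert's code: Eva's two invariant-count queries run
# over a constructed copy of the `notary` columns they reference.
# Column types and sample rows are assumptions made for this example.
SAMPLE_ROWS = [
    # (id, from, to, points, awarded, method, deleted)
    (1, 1, 1, 2, 2, "Administrative Increase", 0),  # ordinary 2-point increase
    (2, 1, 1, 5, 5, "Administrative Increase", 1),  # more than 2 points, deleted marker set
    (3, 7, 1, 2, 2, "Administrative Increase", 1),  # from != to, deleted marker set
    (4, 1, 1, 5, 5, "Administrative Increase", 0),  # more than 2 points, deleted = 0
    (5, 7, 8, 35, 35, "Face to Face Meeting", 1),   # regular assurance, never counted
    (6, 9, 9, 0, 3, "Administrative Increase", 1),  # awarded > 2 although points <= 2
]

# Whitelisted SQL fragments for the `deleted` filter: "nonzero" is the
# direction the posted queries use, "zero" is the opposite population.
DELETED_FILTERS = {"nonzero": "!= 0", "zero": "= 0"}


def build_sample_db():
    """Create the in-memory table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE `notary` (`id` INTEGER PRIMARY KEY, `from` INTEGER,"
        " `to` INTEGER, `points` INTEGER, `awarded` INTEGER,"
        " `method` TEXT, `deleted` INTEGER)"
    )
    conn.executemany("INSERT INTO `notary` VALUES (?, ?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def integrity_counts(conn, deleted="nonzero"):
    """Return (over_limit, cross_account): counts only, no member data.

    over_limit    - administrative increases (from = to) granting more than
                    2 points in `points` or `awarded`      (1st query)
    cross_account - administrative increases where from != to (2nd query)
    """
    clause = DELETED_FILTERS[deleted]  # KeyError on anything not whitelisted
    over_limit = conn.execute(
        "SELECT count(*) FROM `notary` AS `n`"
        " WHERE `n`.`from` = `n`.`to`"
        " AND `n`.`method` LIKE 'Administrative%'"
        " AND ( `n`.`awarded` > 2 OR `n`.`points` > 2 )"
        f" AND `n`.`deleted` {clause}"
    ).fetchone()[0]
    cross_account = conn.execute(
        "SELECT count(*) FROM `notary` AS `n`"
        " WHERE `n`.`from` != `n`.`to`"
        " AND `n`.`method` LIKE 'Administrative%'"
        f" AND `n`.`deleted` {clause}"
    ).fetchone()[0]
    return over_limit, cross_account


if __name__ == "__main__":
    db = build_sample_db()
    print("deleted != 0 (as posted):", integrity_counts(db))
    print("deleted  = 0:            ", integrity_counts(db, "zero"))
```

    On the constructed rows the posted direction counts rows 2 and 6 for the first query and row 3 for the second, while the opposite direction counts only row 4 for the first query; running both against a copy of the production schema is the quickest way to settle which population the Arbitrator's question is about.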
    (0005477)
    Eva   
    2015-10-20 06:09   
    Arbitration notice of Arbitrator of a20141024.1:
    Please remove the assignment to Dirk. He is currently blocked from acting as a Software Assessor, because of a decision in that case, to prevent conflicts with another role that he currently holds temporarily. The according part of the ruling is:

    "Dirk is suspended from active regular Software Assessor work. He may
    be active in emergency situations. (Situations where a necessary bug
    cannot be installed in an acceptable amount of time, without his review.)"

    The ruling can be found at: https://wiki.cacert.org/Arbitrations/a20141024.1
    It was given at 2015-09-07.

    Please also remove any other current assignment to Dirk for reviewing bugs that do not match the requirement of that ruling.

    As this bug is currently blocked, based on an Arbitration decision, the installation of this bug is currently not depending on a review by him.
    (0005478)
    Eva   
    2015-10-20 21:17   
    Follow up notice: Any SA should be quite careful to place review assignments on people who are not SAs. Please think about what you are doing. For once it does not make sense but it also makes it harder to get those bugs found by the people who can review those bugs. But even more any SA should prevent the idea that they are trying to get bugs reviewed by persons who are not SAs by intention. - Even if the no process would be tried, it probably should not be done by assignment. And those people should at least be familiar with PHP.

    To assign bugs for review to people who are not trained or at least familiar with the software, could be understood as a security issue - done by intention.

    Please be a little bit more careful what you do.


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    863 [Main CAcert Website] account administration feature have not tried 2010-09-10 14:29 2015-10-20 20:15
    Reporter: Uli60 Platform:  
    Assigned To: Eva OS:  
    Priority: normal OS Version:  
    Status: needs work Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version: production  
    Reviewed by:
    Test Instructions:
    Summary: limitation to 2 ttp assurances
    Description: regarding new TTP-Assisted Assurance Policy (WIP (2010-09-10)
    https://svn.cacert.org/CAcert/Policies/TTPAssistedAssurancePolicy.html
    system has to limit the count of ttp assurances to 2.
    If someone tries to enter a TTP-assisted assurance into the system,
    the system has to block this assurance or the selection
    for TTP-assisted assurance needs to be disabled
    Tags:
    Steps To Reproduce:
    Additional Information:
    Attached Files:
    Notes
    (0003557)
    Werner Dworak   
    2012-12-23 09:25   
    See error reports in bug 1112


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1023 [Main CAcert Website] web of trust minor always 2012-03-13 23:24 2015-10-20 20:15
    Reporter: NEOatNHNG Platform:  
    Assigned To: Eva OS:  
    Priority: normal OS Version:  
    Status: needs work Product Version:  
    Product Build: Resolution: fixed  
    Projection: none      
    ETA: none Fixed in Version: 2012 Q2  
        Target Version:  
    Reviewed by: dastrath, NEOatNHNG
    Test Instructions:
    Summary: Consolidate changes into the Assure Someone page
    Description: There are various changes that all have an effect on the assure someone page.

    This bug tracks the rewrite to include those changes.
    Tags: Assure Someone
    Steps To Reproduce:
    Additional Information:
    Attached Files: 6.php.patch (1,323 bytes) 2012-03-14 02:34
    http://bugs.cacert.org/file_download.php?file_id=253&type=bug
    test 22.04.2012 12-15-55.txt (193,085 bytes) 2012-04-22 10:41
    http://bugs.cacert.org/file_download.php?file_id=256&type=bug
    assurtest4b.xml (42,528 bytes) 2012-04-22 10:42
    http://bugs.cacert.org/file_download.php?file_id=257&type=bug
    test20.05.2012 19-11-55.txt (193,084 bytes) 2012-05-20 17:35
    http://bugs.cacert.org/file_download.php?file_id=259&type=bug
    Notes
    (0002876)
    NEOatNHNG   
    2012-03-14 01:07   
    Changes put onto the test server. There is at least one regression introduced by the patch (the date that determines which 0-point assurances are yellow is wrong), will fix that in the next days.
    (0002877)
    MartinGummi   
    2012-03-14 01:58   
    (Last edited: 2012-03-14 01:59)
    - New account 6php1(6.php Test)
    - Mail ping/pong
    - Automated Assurance
        # Number of points
        0 35
        1 35
        2 30
    - challenge me
    - logout/login
    - Assure Someone

    - Without ALL
    A: ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert

    - With Location "Germany"
    A: ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert

    I wonder why Date is automatically updated with the same value as Location
    Location: Germany
    Date: Germany

    - With Location "Germany" and Date "Germany"
    A: ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert

    - With Location "Germany", Date "Germany" and Points 10
    A: ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert

    - With Location "Germany", Date "Germany", Points 10 I certify that <someone> has appeared in person
    A: ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert

    - With Location "Germany", Date "Germany", Points 10 I certify that <someone> has appeared in person, I believe that the assertion of identity I am making is correct, complete and verifiable. I have seen original documentation attesting to this identity. I accept that the CAcert Arbitrator may call upon me to provide evidence in any dispute, and I may be held responsible.
    ERROR: Race condition discovered, user altered details during assurance procedure. PLEASE MAKE SURE THE NEW DETAILS BELOW MATCH THE ID DOCUMENTS.

    - With Location "Germany", Date "Germany", NO Points, I certify that <someone> has appeared in person, I believe that the assertion of identity I am making is correct, complete and verifiable. I have seen original documentation attesting to this identity. I accept that the CAcert Arbitrator may call upon me to provide evidence in any dispute, and I may be held responsible.
    ERROR: Race condition discovered, user altered details during assurance procedure. PLEASE MAKE SURE THE NEW DETAILS BELOW MATCH THE ID DOCUMENTS.

    ERROR: You must enter the number of points you wish to allocate to this person.

    (0002884)
    NEOatNHNG   
    2012-03-21 00:13   
    Changes have been reverted from the testserver again as the fix had some bugs that prevented assure someone from working
    (0002885)
    NEOatNHNG   
    2012-03-21 00:22   
    Patch from magu has been applied on the branch. Waiting for fix for the main problem until merging again.
    (0002904)
    NEOatNHNG   
    2012-03-27 21:57   
    Dirk fixed race condition check error. Applied to test server: please test and review.
    (0002906)
    INOPIAE   
    2012-03-27 22:06   
    (Last edited: 2012-03-27 22:40)
    With a new account 100 AP and CATS passed
    Assure someone
    If you miss information the error messages are shown correctly.
    But all checkboxes are empty after the error message.
    The assurance could be entered.

    Account with
    Method TTP:
    Certify: no
    Confirm assurance: no
    Confirm AP: yes
    Points: Empty
    ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
    => ok

    Certify: no
    Confirm assurance: yes
    Confirm AP: no
    Points: Empty
    ERROR: You must enter the number of points you wish to allocate to this person.
    => ok

    Certify: no
    Confirm assurance: yes
    Confirm AP: no
    Points: 35
    Entered
    => ok

    Certify: no
    Confirm assurance: yes
    Confirm AP: yes
    Points: 35
    Entered
    => ok

    Method F2F:
    Shows the same results but it should only allow the assurance if all checkboxes are set.

    Method TopUP:
    Is available, but should not be for TTP Admin
    Assurance could be entered with checkbox Confirm assurance only and points

    Account with Board flag
    Only F2F available
    Works as desired, see normal account above

    Account with Admin and Board flag.
    Shows TTP Admin behavior
    =>ok

    Account with 0 points
    no assurance possible
    =>ok

    Account with 50 points
    no assurance possible
    =>ok

    Account with 100 points, no CATS passed
    no assurance possible
    =>ok

    (0002907)
    INOPIAE   
    2012-03-27 22:32   
    TTP TOPUP is not available anymore for TTP Admin flag account
    (0002908)
    Uli60   
    2012-03-27 22:49   
    (Last edited: 2012-03-27 22:50)
    user1: 100 AP, 50 EP (AP incl. Thawte points)
    a. all checkboxes empty
       ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
       => OK
    b. certify yes, assertion no, AP no
       ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
       => OK
    c. certify no, assertion yes, AP no
       ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
       => OK
    d. certify no, assertion no, AP yes
       ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
       => OK
    e. certify yes, assertion yes, AP no
       passes
       => ???
          Thawte points removal, revoke assurance,
          reapply (old) assurance, should be allowed with AP set to no
          ok this way
    f. certify yes, assertion no, AP yes
       ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
       => OK
    g. certify no, assertion yes, AP yes
       ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
       => OK
    h. certify yes, assertion yes, AP yes
       passes
       => OK

    date field will be overwritten by location text in error case and form reload

    (0002909)
    Uli60   
    2012-03-27 23:05   
    new round:
    user1: 100 AP, 50 EP (AP incl. Thawte points)
    b. certify yes, assertion no, AP no
       ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
       => OK
    h. new form with date in date field, location in location field
       certify yes, assertion yes, AP yes
       passes
       => OK
    (0002910)
    Uli60   
    2012-03-27 23:18   
    user1: 100 AP, 50 EP, ttpadmin=1, assurance method F2F
    a. all checkboxes empty
       ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
       => OK
    b. certify yes, assertion no, AP no
       ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
       => OK
    c. certify no, assertion yes, AP no
       passes
       => FAIL

    d. certify no, assertion no, AP yes
       ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
       => OK
    e. certify yes, assertion yes, AP no
       passes
       => ???
          Thawte points removal, revoke assurance,
          reapply (old) assurance, ok
    f. certify yes, assertion no, AP yes
       ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
       => OK
    g. certify no, assertion yes, AP yes
       passes
       => FAIL

    h. certify yes, assertion yes, AP yes
       passes
       => OK

    2 FAILURES !!
    (0002911)
    Uli60   
    2012-03-27 23:49   
    (Last edited: 2012-03-27 23:59)
    user1: 100 AP, 50 EP, ttpadmin=1, assurance method Trusted 3rd Parties
    a. all checkboxes empty
       ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
       => OK
    b. certify yes, assertion no, AP no
       ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
       => OK
    c. certify no, assertion yes, AP no
       passes, WHITE WINDOW, no response, have to re-login
       =>
       by default ok, as user didn't appear in person before TTPassurer, only
       before TTP
       => FAILURE by White Window, 2nd test, to reproduce
       2nd test
       certify no, assertion yes, AP no
       passes
       =>
       by default ok, as user didn't appear in person before TTPassurer, only
       before TTP

    d. certify no, assertion no, AP yes
       ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
       => OK
    e. certify yes, assertion yes, AP no
       passes
       => ???
          Thawte points removal, revoke assurance,
          reapply (old) assurance
          can also fix old TTP assurances, ok
    f. certify yes, assertion no, AP yes
       ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
       => OK
    g. certify no, assertion yes, AP yes
       passes
       =>
       by default ok, as user didn't appear in person before TTPassurer, only before TTP

    h. certify yes, assertion yes, AP yes
       passes
       => OK

    0 FAILURES

    (0002912)
    Uli60   
    2012-03-28 00:01   
    assurer, ttpadmin=1
    assure someone assurance method options are:
    Face-2-Face ok
    Trusted 3rd Parties ok
    => ok
    (0002913)
    Uli60   
    2012-03-28 00:20   
    user1: 100 AP, 50 EP, board=1, assurance method (no selection box avail -> OK), so F2F
    a. all checkboxes empty
       ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
       => OK
    b. certify yes, assertion no, AP no
       ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
       => OK
    c. certify no, assertion yes, AP no
       ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
       => OK
    d. certify no, assertion no, AP yes
       ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
       => OK
    e. certify yes, assertion yes, AP no
       passes
       => ???
          Thawte points removal, revoke assurance,
          reapply (old) assurance, ok for this
       view my points, new calculation
       assurance is entered, but assurance method is <empty>
       error reproduced, see also bug#855 report
       => FAIL

    f. certify yes, assertion no, AP yes
       ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
       => OK
    g. certify no, assertion yes, AP yes
       ERROR: You failed to check all boxes to validate your adherence to the rules and policies of CAcert
       => OK
    h. certify yes, assertion yes, AP yes
       passes
       =>
       view my points, new calculation
       assurance is entered, but assurance method is <empty>
       error reproduced, see also bug#855 report
       => FAIL

    2 FAILURES !!
    (0002934)
    Uli60   
    2012-04-17 21:43   
    user 100 pts, cats passed

    f2f assurances, checkbox settings:
    000 failure => ok
    x00 failure => ok
    0x0 failure => ok
    00x failure => ok
    xx0 passed => ok
    x0x failure => ok
    0xx failure => ok
    xxx passed => ok
    (0002935)
    Uli60   
    2012-04-17 21:50   
    user 150 pts, cats passed

    f2f assurances, checkbox settings:
    000 failure => ok
    x00 failure => ok
    0x0 failure => ok
    00x failure => ok
    xx0 passed => ok
    x0x failure => ok
    0xx failure => ok
    xxx passed => ok

    mypoints => ok
    newcalc => ok
    (0002936)
    Uli60   
    2012-04-17 22:02   
    user 150 pts, cats passed, ttpadmin=1

    f2f assurances, checkbox settings:
    000 failure => ok
    x00 failure => ok
    0x0 passed => failure
    00x failure => ok
    xx0 passed => ok
    x0x failure => ok
    0xx passed => failure
    xxx passed => ok

    mypoints => ok
    newcalc => ok

    2 Failures
    (0002937)
    INOPIAE   
    2012-04-17 22:05   
    (Last edited: 2012-04-17 22:17)
    First test:
    User with following flags:
    SE on
    CS on
    TTP on
    Board off
    Location on
    TVerify off

    Test 1
    certify off
    location empty
    date empty
    method TTP
    assertion on
    AP off
    points 200
    Assurance with 200 points entered => failure with points

    Test 2
    certify on
    location empty
    date empty
    assertion on
    Method F2F
    AP on
    points 200
    Assurance with 200 points entered => failure no 200 no location

    see 1032

    (0002953)
    INOPIAE   
    2012-04-22 10:39   
    (Last edited: 2012-04-22 10:43)
    I tested with my automated test system with the following account settings:
    1. 80 points, no CATS, no flags
    2. 80 points, CATS, no flags
    3. 100 points, no CATS, no flags
    4. 100 points, CATS, no flags
    5. 102 points, CATS, no flags
    6. 150 points, CATS, no flags
    7. 150 points, CATS, TTP admin

    The test cases are in assurtest4b.xml. At the end of each section the location is set to one blank (" ").

    For single results see the attached file test 22.04.2012 12-15-55.txt
    The three reported errors are due to the missing preconditions for the assurances for accounts 1-3.
    All other tests were OK.
    => PASSED under the condition that as TTP there is no distinction between F2F and TTP, and that for TTP the requirements are the assertion being set and points being given.
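The checkbox rule that Uli60's 2012-03-27 and 2012-04-17 runs and the PASSED condition above imply (F2F: certify and assertion required, AP optional; TTP: assertion required) can be written down once and replayed against the recorded tables. The PHP below is an added example and not CAcert's form handler; it assumes the three characters of a table row are certify, assertion and AP in that order, and that the rows the testers marked "ok" define the expected behaviour.

```php
<?php
// Added example (not CAcert code): the checkbox rule implied by the test notes,
// replayed against the recorded 2012-04-17 tables.

/**
 * Expected outcome of the "Assure Someone" checkbox validation, inferred
 * from the test notes in this bug:
 *  - Face-to-Face: "certify" and "assertion" must both be checked; the AP
 *    ("appeared in person") box may stay empty (row xx0 passed => ok).
 *  - TTP-assisted: only "assertion" is required, since the assuree appeared
 *    before the TTP, not before the TTP admin.
 * Returns true when the form should be accepted.
 */
function assuranceBoxesValid(string $method, bool $certify, bool $assertion, bool $ap): bool
{
    switch ($method) {
        case 'F2F':
            return $certify && $assertion;
        case 'TTP':
            return $assertion;
        default:
            throw new InvalidArgumentException("unknown assurance method: $method");
    }
}

/**
 * Replays one table of "xx0 passed / 0x0 failure" rows. Each key holds the
 * three boxes as certify, assertion, AP (assumed order); the value is whether
 * the tester saw the form pass. Returns the rows where the observed result
 * differs from the expected rule, i.e. the rows a tester would mark "failure".
 */
function findMismatches(string $method, array $observed): array
{
    $mismatches = [];
    foreach ($observed as $row => $passed) {
        $row = (string) $row;
        $expected = assuranceBoxesValid(
            $method,
            $row[0] === 'x',
            $row[1] === 'x',
            $row[2] === 'x'
        );
        if ($expected !== $passed) {
            $mismatches[] = $row;
        }
    }
    return $mismatches;
}

// Table from note 0002935 (150 points, CATS passed, no flags).
$plainUser = [
    '000' => false, 'x00' => false, '0x0' => false, '00x' => false,
    'xx0' => true,  'x0x' => false, '0xx' => false, 'xxx' => true,
];

// Table from note 0002936 (same account with ttpadmin=1, still F2F):
// two rows passed that should not have.
$ttpAdminUser = $plainUser;
$ttpAdminUser['0x0'] = true;
$ttpAdminUser['0xx'] = true;

// What the rows look like when the TTP rule is applied to an F2F assurance
// (constructed here, not observed): useful to compare with the ttpadmin table.
$ttpRuleOnF2f = [];
foreach (array_keys($plainUser) as $row) {
    $row = (string) $row;
    $ttpRuleOnF2f[$row] = assuranceBoxesValid('TTP', $row[0] === 'x', $row[1] === 'x', $row[2] === 'x');
}

echo "no flags:   ", implode(',', findMismatches('F2F', $plainUser)) ?: 'none', "\n";
echo "ttpadmin=1: ", implode(',', findMismatches('F2F', $ttpAdminUser)), "\n";
echo "TTP rule applied to F2F: ", implode(',', findMismatches('F2F', $ttpRuleOnF2f)), "\n";
```

Run with `php`: the first replay finds no mismatches, the second reports the rows 0x0 and 0xx that note 0002936 marked as failures, and the third produces the same two rows, which is consistent with (though not proof of) the ttpadmin flag causing the TTP rule to be applied to a face-to-face assurance.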

    (0002992)
    NEOatNHNG   
    2012-05-08 23:06   
    After some fixes by Dirk I have reviewed the changes and found them acceptable. Please retest.
    (0002997)
    NEOatNHNG   
    2012-05-20 17:18   
    After a hint from Marcus I corrected a regression that results in the form always showing that you have not checked enough boxes. Please test and re-review
    (0002998)
    INOPIAE   
    2012-05-20 17:40   
    I tested with my automated test system with the following account settings (new accounts):
    1. 80 points, no CATS, no flags
    2. 80 points, CATS, no flags
    3. 100 points, no CATS, no flags
    4. 100 points, CATS, no flags
    5. 102 points, CATS, no flags
    6. 150 points, CATS, no flags
    7. 150 points, CATS, TTP admin

    The test cases are in assurtest4b.xml. At the end of each section the location is set to one blank (" ").

    For single results see the attached file test20.05.2012 19-11-55.txt
    The three reported errors are due to the missing preconditions for the assurances for accounts 1-3.
    All other tests were OK.
    => PASSED under the condition that as TTP there is no distinction between F2F and TTP, and that for TTP the requirements are the assertion being set and points being given.

    I also did a few manual tests.
    When doing the first assurance the current date is prefilled into the date field.
    For the next assurance it stays.
    If I change the date to another value and do a third assurance, the date from the last assurance is prefilled. => OK
    (0003000)
    INOPIAE   
    2012-05-22 23:23   
    Please do the final review and tell Michael to move it to production.
    (0003003)
    NEOatNHNG   
    2012-05-22 23:31   
    Fixed another regression in today's Software Assessment meeting and adjusted the explanation for the now pre-filled date field. The two tests above already took that into account.

    Please do a second review
    (0003024)
    NEOatNHNG   
    2012-05-29 22:18   
    (Last edited: 2012-05-29 22:19)
    Patch has been reviewed by dirk in the Software Assessment meeting. Mail will be sent to critical admins.

    (0003025)
    wytze   
    2012-05-30 17:52   
    The patch has been installed on the production server on May 30, 2012. See also:
    https://lists.cacert.org/wws/arc/cacert-systemlog/2012-05/msg00004.html
    (0003814)
    Uli60   
    2013-03-12 22:37   
    apply new assurance method TTP (starting 2013)
    (0003815)
    Uli60   
    2013-03-12 22:40   
    updates under 0001112 require an update of the points count calculation
    for the new assurance method TTP-assisted-assurance (new program starting 2013)


    View Issue Details
    ID: 920
    Category: [Main CAcert Website] account administration
    Severity: major
    Reproducibility: always
    Date Submitted: 2011-04-10 23:52
    Last Update: 2015-10-20 20:15
    Reporter: Uli60
    Platform:
    Assigned To: Eva
    OS:
    Priority: normal
    OS Version:
    Status: needs work
    Product Version:
    Product Build:
    Resolution: open
    Projection: none
    ETA: none
    Fixed in Version:
    Target Version:
    Reviewed by: Ted, NEOatNHNG
    Test Instructions:
    Summary: error "First and/or last names were blank." conflicts with International Requirements (eg Indonesian Names (Givenname only))
    Description: https://lists.cacert.org/wws/arc/cacert/2011-04/msg00009.html
    https://lists.cacert.org/wws/arc/cacert/2011-04/msg00010.html
    https://lists.cacert.org/wws/arc/cacert/2011-04/msg00011.html
    https://lists.cacert.org/wws/arc/cacert/2011-04/msg00012.html
    Tags:
    Steps To Reproduce:
    Additional Information: [BH] A friend of mine is Indonesian and she has two names, none of which is a family name. All her siblings have two totally different names. Her father has only one single name. If they want to open up a CAcert account [1], they won't be able to, since you need to key in a first and a family name.
    So I checked the "Practice on Names" page [2] but could not find any transition. On Wikipedia [3] I read some interesting information about how countries deal with this issue: either they use a place holder (LNU [4] (US), Onbekent (NL)) or they double the given name and use it then as both first and family name. In Indonesia, official documents only contain the names given to a person.

    [IG] You're probably all aware by now (from ATEs :) of the impact of Assurance Policy's Assurance Statement which creates a balance between the member *in the community*, and the labels (names) attached *to that member*. This document envisages that western naming conventions and legal assumptions are not universal and may not even be translatable outside the European tradition.

    In short there is no difficulty from a policy perspective moving to two given names rather than first & last name.

    Implementation however is a different story. The BirdShack team took the view that the name (implementation) field should be a single long string rather than dividing up into first, middle, last, pre-title, post-title, and variations. Then, AP establishes the need for multiple names, so variations are simply additional long strings, and an assurance will award Assurance Points over each long string individually.

    Probably what will happen in the future is that the BirdShack idea of one long name string will be incorporated into current software at the same time as the (big) multiple names patch goes through. But that's an issue for Software Team to work through... In their time. Help there is always welcome :)
    Attached Files:
    Notes
    (0002521)
    INOPIAE   
    2011-09-26 10:59   
    (Last edited: 2011-09-26 18:14)
    Solution could be in Line 432 of ../index.php
    exchange "||" to "and"
    If($_SESSION['signup']['fname'] == "" and $_SESSION['signup']['lname'] == "")

    Maybe the error message in 435 should be adjusted as well, but here I think we could leave the old one for the time being.

    In this case the error only occurs if both fields (first name and last name) are empty. This should cover all problems with having just one name or an artist's name.
    The Practice on Names and maybe the AP need to be adjusted.

    (0002582)
    Ted   
    2011-10-08 11:16   
    Made some modifications in PracticeOnNames to clarify procedure if no "family name" can be identified.

    It already allows names consisting of a single part, see the example "Bushido".
    (0002583)
    Ted   
    2011-10-08 11:26   
    For simplicity of code I'd say that a single name should go into the lname field, regardless whether it is a given or family name, and the error message should be adjusted correspondingly.

    New branch bug-920 created, proposed fix checked in and installed on testserver.
    (0002584)
    Ted   
    2011-10-08 11:35   
    (Last edited: 2011-10-08 12:04)
    Did some quick tests, seems to work as intended:

    - Used "Join" on startpage
    - All names empty: Error "Last name is blank. If your name consists only of a single part please use the last name field." ==> OK
    - Only first name filled out: "Last name is blank. If your name consists only of a single part please use the last name field." ==> OK
    - Only last name filled out: Accepted (account bernhard.froehlich@convey.de) ==> OK

    - Logged in as Assurer
    - Assured account bernhard.froehlich@convey.de
    - Checked "My Points", "Assurances you issued": Target account shown as "Ted" ==> OK

    (0002597)
    alex   
    2011-10-12 22:53   
    I know this scenario of Indonesian names and indeed the given information is correct.

    Place holders like "LNU" (probably Last Name Unknown) or "Onbekent" (NL) are not helpful since the name actually consists of only one name. It is different from the identification that some part is unknown. Even worse is the scenario to double the name. We will have difficulties in the future when we merge the names to just one string, which is - in my opinion - the best solution in this case.

    Please check what is filled into the first name field, e.g. in Ted's case. In my opinion the only valid solution is that the first name must be blank. Then it may be ok, if currently not 100% correct - the column is called "last name" - but future-proof.
    (0002610)
    Uli60   
    2011-10-19 23:45   
    (Last edited: 2011-10-19 23:59)
    please read the original report =>
    Indonesian Names => Givenname only
    so moving Givenname into the Surname field is not an option
    a givenname is a givenname is a givenname
    and not a surname or lastname (!)

    To prioritize givenname or lastname from German PoV is to give the lastname higher priority, but moving to the common world PoV the givenname becomes higher priority (see sorting order in email systems)
    A German IT admin writes "Cock, Thomas", a US IT admin writes "Thomas Cock"
    CAcert is based on common law and is based on an international standard, so the first givenname, 2nd lastname variant is the more precise variant that should be followed.

    AO

    (0002618)
    NEOatNHNG   
    2011-10-20 19:20   
    I have reviewed the changes and they're acceptable per se. There is at least one place where an email starts with "Hi $fname," which will then become "Hi ," but I think that's about acceptable. However there might be more critical places I have overlooked; this needs thorough testing.

    Regarding giving the last name more priority than the first name: The sorting order depends highly on your personal feelings and changes heavily from company to company even within countries. AFAIK it's more common to call each colleague by their first name except your boss/higher management; that's why sorting by first name often makes sense. Your mileage may vary by the formality of the context.

    In western cultures I think there is no exception that when the context is more formal, preference is given to the last name. For example you would always say "Mr. Doe" (e.g. for a teacher), "Prof. Dr. Knuth" and "President Obama" or "Chancellor Merkel" instead of "Mr. John", "Prof. Dr. Donald Ervin", "President Barack" or "Chancellor Angela".

    Apart from that, the point that a given name is a given name and we maybe shouldn't mix those up may still hold. In that case we could just specify that at least one of them has to be given (there might be countries with only last names) and let the assurers figure out the rest for us. I haven't looked into whether this would cause major problems if the last name is missing somewhere in the system however.
    (0002620)
    Uli60   
    2011-10-20 20:48   
    (Last edited: 2011-10-20 21:34)
    create new user:
    Givenname:
    Lastname: Indonesianboy
    email: bug920.user1@
    ca-mgr1: set assurer challenge, batch assurance 25 times
    login to user bug920.user1@
    my details
     - enable my listing
     - location: setting Frankfurt
     - my points: 25 assurances done
    logout, login to another user
    WoT find assurer:
    results in: I

    create new user:
    Givenname: Indonesianboy
    Lastname:
    email: bug920.user2@
    results in error
    Last name is blank. If your name consists only of a single part please use the last name field.

    => fail from my PoV

    references to read:
    http://en.wikipedia.org/wiki/Given_name
    http://en.wikipedia.org/wiki/Mononym#Countries_where_mononyms_are_normal
    http://en.wikipedia.org/wiki/Surname


    login bug920.user1@
    100 assurance points, 50 experience points

    new client cert
    does not allow to select a name => No Name
    E = bug920.user1@...
    CN = CAcert WoT User
    => fail

    Email rcvd:
    -------------------------------------------------------------------------
    Hi ,

    You can collect your certificate for bug920.user1@... by going to the following location: ...
    -------------------------------------------------------------------------

    (0002704)
    Ted   
    2011-11-17 23:04   
    So, what's the proposal? Should a single name go into fname or is the user free to choose?

    BTW, it's hard for me to see the relevance, since on the CAP form, as well as in the Assurance web application it's not possible for an Assurer to decide if a single name is entered in the fname or the lname field!

    I'd accept Michael's point that using fname as the compulsory field will save us some (minor) problems elsewhere.
    (0002705)
    INOPIAE   
    2011-11-19 07:59   
    I just tested the creation of a new user with a single name:
    Only first name entered => Error message => OK
    Only last name entered => Account created => OK

    TMS Granted 50 points
    Try to create a new certificate, no choice to choose name for certificate
    Changed as SE to only first name => accepted => should not be allowed
    Try to create a new certificate, no choice to choose name for certificate
    Changed as SE to first and last name
    Try to create a new certificate, choice for name is given

    Try to create an account where first and last name are the same => account created
    Should there in this case not at least be a notification that both entries are the same? I am not quite sure if there is the possibility to have the same first and last name. I know under German law it is not allowed, but that is not international.

    What should be done if we change to any proposal to allow just one name is to point out to the users where to place the single name and that they are only allowed to enter personal data and not company names.
    (0002812)
    Uli60   
    2012-01-30 23:37   
    documentation from Software-Assessment project team meetings Dec 2011, Jan 2012

      1. [[https://bugs.cacert.org/view.php?id=920|bug 0000920]] Join - single name only (eg Indonesian)
       * details under bug number
       * presented to Policy Group
       * first results from policy group?
        * dirk has made some changes in 6.php last year
        * there are 4 possible choices:
         1. givenname
         2. lastname (as current fix)
         3. givenname or lastname
         4. brians proposal, mononym + checkbox
        * dirks proposal:
         * make name handling more AP conform (1 line names, multiple names)
        * 2 possible paths:
         1. allow multiple names (dirks proposal) is massive change (long term change)
         2. "simple" solution (short term change)
        * global re-design
         * eg users view
         * 43.php, multiple views
    (0002813)
    Uli60   
    2012-01-30 23:39   
    # dirk has made some changes in 6.php last year
    # there are 4 possible choices:

       1. givenname
       2. lastname (as current fix)
       3. givenname or lastname
       4. brians proposal, mononym + checkbox

    # dirks proposal:

        * make name handling more AP conform (1 line names, multiple names)

    # 2 possible paths:

       1. allow multiple names (dirks proposal) is massive change (long term change)
       2. "simple" solution (short term change)

    # global re-design

        * eg users view
        * 43.php, multiple views
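To make the options in the list above concrete, here is the join-form name check under each discussed rule (the original "||" check, INOPIAE's "and" proposal from note 0002521, the lname-compulsory fix on the bug-920 branch, Uli60's givenname variant and Brian's mononym checkbox), together with the greeting fallback for the "Hi ," mail reported in notes 0002618 and 0002620. This PHP is an added example, not the project's index.php or 6.php; the rule names, the `displayName` helper, the mononym field layout and the error texts not quoted on this page are assumptions.

```php
<?php
// Added example (not CAcert's index.php): the join-form name check under the
// rules discussed in this bug, plus the greeting fallback for the "Hi ," mail.

// Messages quoted on this page.
const ERR_EITHER_BLANK = 'First and/or last names were blank.';
const ERR_LNAME_BLANK  = 'Last name is blank. If your name consists only of a single part please use the last name field.';

/**
 * Validate the name fields under one of the discussed rules:
 *   'either'    original check: error if fname OR lname is blank ("||")
 *   'both'      INOPIAE's proposal: error only if BOTH are blank ("and")
 *   'lastname'  bug-920 branch: lname is compulsory, a single name goes there
 *   'givenname' Uli60's view: fname is compulsory, a single name is a given name
 *   'mononym'   Brian's proposal: a checkbox declares a single name, which
 *               must then sit in exactly one field (layout assumed here)
 * Returns null when the input is accepted, otherwise the error text.
 * Messages for rules the page does not quote are assumed wording.
 */
function checkNames(string $rule, string $fname, string $lname, bool $mononym = false): ?string
{
    // Whitespace-only input counts as blank (the test notes use " " as "empty").
    $f = trim($fname) !== '';
    $l = trim($lname) !== '';

    switch ($rule) {
        case 'either':
            return ($f && $l) ? null : ERR_EITHER_BLANK;
        case 'both':
            return ($f || $l) ? null : ERR_EITHER_BLANK;
        case 'lastname':
            return $l ? null : ERR_LNAME_BLANK;
        case 'givenname':
            return $f ? null : 'Given name is blank. If your name consists only of a single part please use the given name field.';
        case 'mononym':
            if (!$mononym) {
                return ($f && $l) ? null : ERR_EITHER_BLANK;
            }
            return ($f xor $l) ? null : 'A single name must be entered in exactly one name field.';
        default:
            throw new InvalidArgumentException("unknown rule: $rule");
    }
}

/**
 * Name as it should appear in mails and the WoT listing: whichever parts are
 * filled, joined by a space. Avoids the "Hi ," greeting noted in this bug.
 */
function displayName(string $fname, string $lname): string
{
    return implode(' ', array_filter([trim($fname), trim($lname)], 'strlen'));
}

// Replay of the cases from the test notes (inputs taken from the notes).
$cases = [
    ['',              '',              'all names empty'],
    ['Indonesianboy', '',              'only given name'],
    ['',              'Indonesianboy', 'only last name'],
    ['Indonesianboy', 'Indonesianboy', 'identical given and last name'],
];
foreach (['either', 'both', 'lastname', 'givenname'] as $rule) {
    echo "rule=$rule\n";
    foreach ($cases as [$fn, $ln, $label]) {
        $err = checkNames($rule, $fn, $ln);
        printf("  %-30s => %s\n", $label, $err ?? 'accepted (greeting: Hi ' . displayName($fn, $ln) . ',)');
    }
}
```

The replay reproduces the behaviour recorded in the notes: under 'lastname' only the given-name-only case is rejected with the quoted message, under 'givenname' it is the last-name-only case, and the identical-name case is accepted by every rule, which is the situation INOPIAE asks about in note 0002705; a warning for it would need a separate comparison, not a blank check.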


    View Issue Details
    ID: 988
    Category: [Main CAcert Website] web of trust
    Severity: feature
    Reproducibility: N/A
    Date Submitted: 2011-09-30 12:29
    Last Update: 2015-10-20 20:14
    Reporter: Uli60
    Platform:
    Assigned To: Eva
    OS:
    Priority: normal
    OS Version:
    Status: needs review & testing
    Product Version:
    Product Build:
    Resolution: open
    Projection: none
    ETA: none
    Fixed in Version:
    Target Version:
    Reviewed by: BenBE
    Test Instructions:
    Summary: TTP CAP form deployment
    Description: current deployment of TTP-assisted-assurance process
    defines that ttp-assuree sends a request for ttp-assisted-assurance
    to support@c.o that gets moved into the ttpadmins queue or forwarded
    into ttpadmins mailing list
    one of the appointed ttpadmins picks up the request and prepares
    a ttpcap form given by the users email address (to be the
    ttp-assurees primary email address of the yet created user account)

    the info from assuree + infos about ttpadmin (postal address) will be inserted into the ttpcap form and offered to be printed to pdf by the ttpadmin
    ttpadmin sends the prepared pdf ttpcap form to the requesting assuree
    who now prints out the pdf and visits a TTP
    the TTP now sends the prepared and filled out ttpcap to the postal address given with the ttpcap form
    the ttpcap received by the ttpadmin is now the basis of the ttp-assisted-assurance

    Tags:
    Steps To Reproduce:
    Additional Information: the proposed procedure has some advantages and some disadvantages
    advantages:
     - the country of the user can be checked (ttp allowed country?)
     - the user account can be checked against existing ttp assurances
       (2nd, 3rd ttp-assisted assurance?) and the process can automatically
       display warnings to the ttpadmin if the requirements aren't fulfilled
     - the users data is inserted into the ttpcap as entered into the
       CAcert online account including used primary email address
     - process does not need a check by the TTP to request for the primary email
       address of the user

    disadvantage:
     - users data (name, dob, primary email) is disclosed to the ttpadmin
       before the assurance process starts (request for assurance is only given
       by email, not signed on paper at this stage of the process)
       signed paper will be later received by the ttpadmin

    Attached Files: bug988-20111001.zip (65,210 bytes) 2011-10-01 14:37
    http://bugs.cacert.org/file_download.php?file_id=243&type=bug
    Notes
    (0002562)
    Uli60   
    2011-10-01 14:43   
    (Last edited: 2011-10-01 14:55)
    sneak preview (case study) for ttpcap deployment
    (includes current changes related to wot.php and account.php active on testserver)
    to be used on a local developers testserver image only
    /includes/account_stuff.php
      that replaces a) ttp info -> /pages/wot/4.php
      that adds new submenu under WoT b) ttpcap -> /pages/wot/16.php
      links

    ttpcap preparation:
    starts in
    /pages/wot/16.php
      transfers to
    /pages/wot/17.php
      and continues in
    /www/wot.php
      and finishes with
    /www/ttpcap.php (includes(/www/ttpcapus.php)

    helper functions from:
     /includes/account.php
     /includes/wot.inc.php

    multiple ttp assurance methods I've added for debugging purposes only
    "TTP assisted assurance #1", "TTP assisted assurance 0000002", "TTP assisted assurance #n", "TTP TOPUP"
    for production the method has to be limited to
    "TTP assisted assurance" and "TTP TOPUP" (or similar naming) only

    (0003922)
    INOPIAE   
    2013-04-26 08:05   
    I applied a fix to the github:
    https://github.com/INOPIAE/CAcert/commit/1cd4426c33f0a624a7c652e69f9ead156bd35764
    (0004317)
    INOPIAE   
    2013-09-14 12:10   
    I applied a new fix to https://github.com/INOPIAE/CAcert/commit/2663878967145d97ab2178fbdea69a92b246aef2
    (0004320)
    INOPIAE   
    2013-09-14 16:55   
    I applied a new fix to https://github.com/INOPIAE/CAcert/commit/a188b3b6a45b9ed44c571ccd079753546a2317c3
    (0004325)
    INOPIAE   
    2013-09-14 21:27   
    I applied a new fix to https://github.com/INOPIAE/CAcert/commit/3d413c4275e8ae070bbad57c484a09d35265064d
    (0004339)
    Uli60   
    2013-09-17 22:28   
    login assurer with TTPadmin flag set
    step 1:
    - WoT - Assure Someone
    at bottom of page: show TTP CAP details
    opens new page -> ok

    (instructions for TTP admins under
    https://wiki.cacert.org/TTP/TTPadmins#task1 created)

    fill lines1..lines5 with full postal address (incl. name!) -> ok
    select country the assuree comes from -> currently 4 -> ok
    click [create TTP CAP pdf file]
    => ok

    PDF: page 1 - full addr -> ok
    => ok

    page 2: CAcert postal addr -> ok
    root cert fingerprints -> ok
    line 7. text -> (http://www.cacert.org/policy/CAcertCommunityAgreement.php)
             plz change to .html (according to bug 1131)
    => one minor fix required

    page 3:
    line 1: Cacert.org (lower a -> upper A) => typo
    line 3: same => typo

    top 4 ... As the Practice on Names policy ...
            PoN is a guide / document

    top 17 inster => insert (typo)
    => minor typos

    page 4 (CCA)
    CAcert postal addr -> ok
    roots fingerprints -> ok

    page 6 (CCA cont. (cca page 3))
    CPS link .php -> .html (according to bug 1131)
    DRP link .php -> .html (according to bug 1131)
    Privacy Policy wrong link file:///C|/Tmp/PrivacyPolicy.html
              should be: http://www.cacert.org/policy/PrivacyPolicy.html
    Principles link -> ok
    => 3 links to correct
    (0004341)
    INOPIAE   
    2013-09-20 06:12   
    (Last edited: 2013-09-20 06:29)
    added new fix to github https://github.com/INOPIAE/CAcert/commit/8fbe6786693a471a789483ff9280525c30ff2ee4
    It only fixes the WebDB side not the pdf creation.

    (0004342)
    INOPIAE   
    2013-09-20 14:44   
    Comment to https://bugs.cacert.org/view.php?id=988#c4339
    All information from page 4 onwards is created from the original CCA document on the server. So changes can be neglected in this bug.
    (0004350)
    Uli60   
    2013-09-24 16:00   
    http://bugs.cacert.org/view.php?id=988#c4342 statement is wrong!
    the
    page 6 (CCA cont. (cca page 3))
    CPS link .php -> .html (according to bug 1131)
    DRP link .php -> .html (according to bug 1131)
    Privacy Policy wrong link file:///C|/Tmp/PrivacyPolicy.html
              should be: http://www.cacert.org/policy/PrivacyPolicy.html
    Principles link -> ok

    problem is a problem of bug 988 as the original
    http://cacert1.it-sls.de/policy/CAcertCommunityAgreement.html
    still has

    link 1:
    orig cca: https://www.cacert.org/policy/CertificationPracticeStatement.html
     -> ok
    pdf cca: http://www.cacert.org/policy/CertificationPracticeStatement.php
     -> not ok

    link 2:
    orig cca: https://www.cacert.org/policy/DisputeResolutionPolicy.html
     -> ok
    pdf cca: http://www.cacert.org/policy/DisputeResolutionPolicy.php
     -> not ok

    link 3:
    orig cca: https://www.cacert.org/policy/PrivacyPolicy.html
     -> ok
    pdf cca: file:///C:/Temp/PrivacyPolicy.html
     -> not ok

    link 4:
    orig cca: https://svn.cacert.org/CAcert/principles.html
     -> ok
    pdf cca: http://svn.cacert.org/CAcert/principles.html
     -> ok

    => needs work
    (0004351)
    INOPIAE   
    2013-09-24 19:11   
    (Last edited: 2013-09-24 19:12)
    Comment to https://bugs.cacert.org/view.php?id=988#c4350

    As stated before in https://bugs.cacert.org/view.php?id=988#c4342
    All information from page 4 onwards is created from the original CCA document on the server. So changes can be neglected in this bug.
    So the problem with the links needs to be solved by exchanging the CCA document on the server and not as part of this bug fix.

    (0004355)
    Eva   
    2013-09-24 22:14   
    I got to the "assure someone" page with a TTP-assurer account on an assuree account that had 0 assurance points and 0 assurances.

    I got the option to assure someone face-to-face or TTP-assisted.
    Below the assurance form appears a link "Show TTP details".

    The link shows a form with information about the TTP and total assurance and experience points of the assuree (the label there is wrong, but that does not affect the process which should be tested here).

    Below there is a table with the personal information of the Assuree and a drop-down menu to select a country.

    Afterwards there are 5 lines for the address of the assurer, followed with a button to create a TTP CAP pdf file (I would use some "-" in this label).

    The button creates a pdf file with the above information integrated at the correct points.

    I did not test the rest of the pdf file.

    However I tried to enter a bunch of different symbols in the address-fields. Most of them were added correctly to the pdf-file.

    Some very curious ones and a symbol from the Cyrillic table were not shown correctly.
    The symbols I could not read in the PDF were: ṸḘᵆᴭѢƣ
    However they appeared marked as unwritable symbols.

    Below the button to create the pdf file was a back button which brought me back to the correct assurance page.

    I chose "TTP-Assisted", filled in a location and checked the boxes but the "I believe ..." box and added 35 points.

    Above the box I skipped there is a text that I should only check it if the Assurance was face to face.

    When I tried to confirm the assurance I got an error message that I need to check all boxes.

    When I had checked all boxes, the assurance was accepted.

    !!!!!
    !!!Every time the page was left (or an error message was added), the drop-down menu for TTP Assured was reset to Face to Face Meeting.!!!
    This is very annoying and something that is bound to create wrong assurances, even if it is no fail for this test.
    !!!!!

    Afterwards the assurance showed as TTP-Assisted in
    - the points overview of the assurer
    - the list of assurances got by the assuree
    - the list of assurances given by the assurer.

    The assurer got a mail about the assurance (TTP was not mentioned).
    The assuree got a mail about the assurance (TTP was not mentioned).
    ==> ok


    I tried the same on an account with 1 face to face and 1 ttp assurance with 70 points total.
    The points were displayed correctly, and I got the same results (respectively). I did not check the mail of the assuree.
    ==> ok

    I tried the same on an account with 2 ttp assurances and 70 points total.
    I could not print the pdf-file, everything else was the same as above.
    ==> ok

    I tried the same on an account with 2 face to face and 1 ttp assurance with 100 points total.
    I got the same results as with the last one.
    ==> ok

    I tried the same on an account with only face to face assurances with 100 points total.
    I got the same results as with the last one.
    ==> ok


    Overall: ok
    (However, it would be nice if the drop-down menu did not reset all the time.)


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1043 [Main CAcert Website] source code minor have not tried 2012-05-31 03:51 2015-10-20 20:14
    Reporter: INOPIAE Platform:  
    Assigned To: Eva OS:  
    Priority: normal OS Version:  
    Status: needs review & testing Product Version: 2012 Q2  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by: BenBE
    Test Instructions:
    Summary: Review the code regarding the new point calculation in ./stamp/common.php
    Description: Check if the point calculation is adjusted according to the new points calculation.
    Tags:
    Steps To Reproduce:
    Additional Information:
    Attached Files:
    There are no notes attached to this issue.


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1061 [Main CAcert Website] source code minor have not tried 2012-05-31 04:05 2015-10-20 20:14
    Reporter: INOPIAE Platform:  
    Assigned To: Eva OS:  
    Priority: normal OS Version:  
    Status: needs review & testing Product Version: 2012 Q2  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version: 2015 Q2  
    Reviewed by: BenBE
    Test Instructions:
    Summary: Review the code regarding the new point calculation in ./CommModule/usbclient.pl
    Description: Check if the point calculation is adjusted according to the new points calculation.
    Tags:
    Steps To Reproduce:
    Additional Information:
    Attached Files:
    Notes
    (0005247)
    felixd   
    2015-01-20 21:07   
    The code was old, and can be deleted:
    https://github.com/yellowant/cacert-devel/commits/bug-1061
    (0005378)
    Eva   
    2015-04-21 19:30   
    Please add test instructions if this has to / can be tested.


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1046 [Main CAcert Website] source code minor have not tried 2012-05-31 03:55 2015-10-20 20:14
    Reporter: INOPIAE Platform:  
    Assigned To: Eva OS:  
    Priority: normal OS Version:  
    Status: needs review & testing Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by:
    Test Instructions:
    Summary: Review the code regarding the new point calculation in ./scripts/cron/updatesort.php
    Description: Check if the point calculation is adjusted according to the new points calculation.
    Tags:
    Steps To Reproduce:
    Additional Information:
    Attached Files:
    Notes
    (0005377)
    felixd   
    2015-04-14 20:28   
    A fix for the code (that was moved in the meantime) is here:
    https://github.com/yellowant/cacert-devel/commits/bug-1046


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1062 [Main CAcert Website] source code minor have not tried 2012-05-31 04:05 2015-10-20 20:14
    Reporter: INOPIAE Platform:  
    Assigned To: Eva OS:  
    Priority: normal OS Version:  
    Status: needs review & testing Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by:
    Test Instructions:
    Summary: Review the code regarding the new point calculation in ./CommModule/client.pl
    Description: Check if the point calculation is adjusted according to the new points calculation.
    Tags:
    Steps To Reproduce:
    Additional Information:
    Attached Files:
    Notes
    (0005376)
    felixd   
    2015-04-14 19:36   
    A fix is here: https://github.com/yellowant/cacert-devel/tree/bug-1062


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1060 [Main CAcert Website] source code minor have not tried 2012-05-31 04:04 2015-10-20 20:14
    Reporter: INOPIAE Platform:  
    Assigned To: Eva OS:  
    Priority: normal OS Version:  
    Status: needs review & testing Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by:
    Test Instructions:
    Summary: Review the code regarding the new point calculation in ./pages/wot/1.php
    Description: Check if the point calculation is adjusted according to the new points calculation.
    Tags:
    Steps To Reproduce:
    Additional Information:
    Attached Files:
    Notes
    (0005374)
    felixd   
    2015-04-07 20:47   
    Fix is available here: https://github.com/yellowant/cacert-devel/commits/bug-1060


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1059 [Main CAcert Website] source code minor have not tried 2012-05-31 04:03 2015-10-20 20:14
    Reporter: INOPIAE Platform:  
    Assigned To: Eva OS:  
    Priority: normal OS Version:  
    Status: needs review & testing Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by:
    Test Instructions:
    Summary: Review the code regarding the new point calculation in ./pages/wot/9.php
    Description: Check if the point calculation is adjusted according to the new points calculation.
    Tags:
    Steps To Reproduce:
    Additional Information:
    Attached Files:
    Notes
    (0005373)
    felixd   
    2015-04-07 20:41   
    A fix is here: https://github.com/yellowant/cacert-devel/commits/bug-1059


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1058 [Main CAcert Website] source code minor have not tried 2012-05-31 04:03 2015-10-20 20:14
    Reporter: INOPIAE Platform:  
    Assigned To: Eva OS:  
    Priority: normal OS Version:  
    Status: needs review & testing Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by:
    Test Instructions:
    Summary: Review the code regarding the new point calculation in ./pages/account/55.php
    Description: Check if the point calculation is adjusted according to the new points calculation.
    Tags:
    Steps To Reproduce:
    Additional Information:
    Attached Files:
    Notes
    (0005372)
    felixd   
    2015-04-07 20:37   
    A fix is here: https://github.com/yellowant/cacert-devel/commits/bug-1058


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1057 [Main CAcert Website] source code minor have not tried 2012-05-31 04:02 2015-10-20 20:14
    Reporter: INOPIAE Platform:  
    Assigned To: Eva OS:  
    Priority: normal OS Version:  
    Status: needs review & testing Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by:
    Test Instructions:
    Summary: Review the code regarding the new point calculation in ./pages/account/52.php
    Description: Check if the point calculation is adjusted according to the new points calculation.
    Tags:
    Steps To Reproduce:
    Additional Information:
    Attached Files:
    Notes
    (0005371)
    felixd   
    2015-04-07 20:29   
    In bug https://bugs.cacert.org/view.php?id=1355 this file will be removed.


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1055 [Main CAcert Website] source code minor have not tried 2012-05-31 04:01 2015-10-20 20:14
    Reporter: INOPIAE Platform:  
    Assigned To: Eva OS:  
    Priority: normal OS Version:  
    Status: needs review & testing Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by:
    Test Instructions:
    Summary: Review the code regarding the new point calculation in ./includes/lib/account.php
    Description: Check if the point calculation is adjusted according to the new points calculation.
    Tags:
    Steps To Reproduce:
    Additional Information:
    Attached Files:
    Notes
    (0005369)
    felixd   
    2015-04-07 20:13   
    Fix is here: https://github.com/yellowant/cacert-devel/commits/bug-1055


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1053 [Main CAcert Website] source code minor have not tried 2012-05-31 04:00 2015-10-20 20:14
    Reporter: INOPIAE Platform:  
    Assigned To: Eva OS:  
    Priority: normal OS Version:  
    Status: needs review & testing Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version:  
        Target Version:  
    Reviewed by:
    Test Instructions:
    Summary: Review the code regarding the new point calculation in ./includes/account.php
    Description: Check if the point calculation is adjusted according to the new points calculation.
    Tags:
    Steps To Reproduce:
    Additional Information:
    Attached Files:
    Notes
    (0005367)
    felixd   
    2015-04-07 19:18   
    A fix (dependent on the one for www/index.php) is available here:
    https://github.com/yellowant/cacert-devel/commits/bug-1053


    View Issue Details
    ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
    1052 [Main CAcert Website] source code minor have not tried 2012-05-31 03:59 2015-10-20 20:14
    Reporter: INOPIAE Platform:  
    Assigned To: Eva OS:  
    Priority: normal OS Version:  
    Status: needs review & testing Product Version:  
    Product Build: Resolution: open  
    Projection: none      
    ETA: none Fixed in Version: