Last modified: 2013-03-17 17:06:33 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T47324, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 45324 - [SSL] OpenID consumer when authenticating an https://OpenID: show a distinct verification error message in case of host verification failures (e.g. certificate or CA problems)
Status: RESOLVED WONTFIX
Product: MediaWiki extensions
Classification: Unclassified
Component: OpenID
Version: master
Hardware: All
OS: All
Importance: Normal normal
Target Milestone: ---
Assigned To: T. Gries
Depends on:
Blocks: 46189
Reported: 2013-02-24 10:15 UTC by T. Gries
Modified: 2013-03-17 17:06 UTC

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Description T. Gries 2013-02-24 10:15:39 UTC
OpenID consumer when authenticating an https://OpenID: show a distinct verification error message in case of an untrusted (e.g. self-signed) CA

Currently, you see only the general message "Verification error", even when the consumer wiki knows that the CA is untrusted.

Inform the user that the verification failed because the OpenID server uses an untrusted (e.g. self-signed) certificate.


Additional improvements:

+ allow showing the server certificate fingerprints (sha-256, sha-1, md5) (must have)
+ allow overriding the single CA error (warning) and accept even an untrusted OpenID on extra user action (nice to have for testing)
Comment 1 T. Gries 2013-03-16 09:53:07 UTC
Just for the record: the logfile looks like

[error] Got no response code when fetching https://provider/phase3/index.php/User:Username, referer: http://consumer/index.php/Spezial:OpenID-Umwandlung

[error] CURL error (60): SSL certificate problem, verify that the CA cert is OK. Details:\nerror:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed, referer: http://consumer/index.php/Spezial:OpenID-Umwandlung
Comment 2 T. Gries 2013-03-16 11:01:03 UTC
*** this is not yet a proposed patch ***

see http://www.php.net/manual/de/function.curl-setopt.php for curl options

ad-hoc possibility to disable host certificate checks https://gerrit.wikimedia.org/r/#/c/54123/1 :

in OpenID.php, or in your LocalSettings.php (after including the extension) add

/**
 * When this wiki is used as consumer:
 *
 * Whether OpenID https://provider-host certificates are checked (default)
 *
 * true enables the SSL certificate check;
 * this is the default even when the define statement is missing
 *
 * set to false if you want to disable the SSL certificate check;
 * this can only be useful for testing with self-signed certificates
 */
define( 'Auth_OpenID_VERIFY_HOST', true );

In a forthcoming version of the extension this can be part of new settings per-provider.
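As an added illustration (this is not code from the OpenID extension or from php-openid), the following PHP shows how a consumer-side fetch could honour the Auth_OpenID_VERIFY_HOST define from comment 2, turn the cURL error 60 logged in comment 1 into a distinct "untrusted certificate" message, and expose the provider certificate's sha-256, sha-1 and md5 fingerprints as requested in the description. The function names, the list of cURL error numbers treated as certificate failures and the message wording are assumptions of this example; it needs PHP's curl and openssl extensions, and openssl_x509_fingerprint() requires PHP 5.6 or later.

```php
<?php
// Added example, not part of the OpenID extension or php-openid.
// Assumes the Auth_OpenID_VERIFY_HOST define proposed in comment 2.

if ( !defined( 'Auth_OpenID_VERIFY_HOST' ) ) {
    define( 'Auth_OpenID_VERIFY_HOST', true ); // verify by default
}

/**
 * Map a cURL error number to a user-facing message that distinguishes
 * certificate/CA verification failures from any other fetch error.
 * Error numbers (assumption: this list is ours, not php-openid's):
 *   60 CURLE_SSL_CACERT           cert not signed by a trusted CA (see comment 1)
 *   51 CURLE_SSL_PEER_CERTIFICATE peer cert or host name did not verify (older libcurl)
 *   77 CURLE_SSL_CACERT_BADFILE   local CA bundle missing or unreadable
 */
function openIdVerificationMessage( $errno, $error ) {
    if ( $errno === 0 ) {
        return 'OK';
    }
    if ( in_array( $errno, array( 51, 60, 77 ), true ) ) {
        return 'Verification failed: the OpenID provider presented a certificate '
            . 'that this wiki does not trust (untrusted or self-signed CA, or host '
            . "name mismatch). cURL reported: $error";
    }
    return "Verification error (cURL error $errno): $error";
}

/**
 * Fetch an https OpenID URL with certificate verification controlled by
 * Auth_OpenID_VERIFY_HOST. Returns body, HTTP status and a distinct message.
 */
function fetchOpenIdUrl( $url, $caBundle = null ) {
    $ch = curl_init( $url );
    curl_setopt_array( $ch, array(
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => true,
        CURLOPT_MAXREDIRS      => 5,
        CURLOPT_TIMEOUT        => 20,
        // Check the chain against the CA bundle ...
        CURLOPT_SSL_VERIFYPEER => (bool)Auth_OpenID_VERIFY_HOST,
        // ... and that the cert's CN/SAN matches the host. 2 is the only
        // value that actually checks the name; 1 does not.
        CURLOPT_SSL_VERIFYHOST => Auth_OpenID_VERIFY_HOST ? 2 : 0,
    ) );
    if ( $caBundle !== null ) {
        curl_setopt( $ch, CURLOPT_CAINFO, $caBundle ); // e.g. a private CA for testing
    }
    $body   = curl_exec( $ch );
    $errno  = curl_errno( $ch );
    $error  = curl_error( $ch );
    $status = curl_getinfo( $ch, CURLINFO_HTTP_CODE );
    curl_close( $ch );
    return array(
        'body'    => $body,
        'status'  => $status,
        'errno'   => $errno,
        'message' => openIdVerificationMessage( $errno, $error ),
    );
}

/**
 * Fetch the provider's leaf certificate and return its fingerprints so the
 * user can compare them out of band. Verification is deliberately off here:
 * the point is to show the cert even when it is untrusted; nothing is
 * trusted on the basis of this call.
 */
function providerCertificateFingerprints( $host, $port = 443 ) {
    $ctx = stream_context_create( array( 'ssl' => array(
        'capture_peer_cert' => true,
        'verify_peer'       => false,
        'verify_peer_name'  => false,
        'SNI_enabled'       => true,
        'peer_name'         => $host,
    ) ) );
    $sock = @stream_socket_client( "ssl://$host:$port", $errno, $errstr, 10,
        STREAM_CLIENT_CONNECT, $ctx );
    if ( !$sock ) {
        return null; // TCP or TLS handshake failure; nothing to fingerprint
    }
    $params = stream_context_get_params( $sock );
    fclose( $sock );
    $cert = $params['options']['ssl']['peer_certificate'];
    $fingerprints = array();
    foreach ( array( 'sha256', 'sha1', 'md5' ) as $algo ) {
        $fingerprints[$algo] = openssl_x509_fingerprint( $cert, $algo );
    }
    return $fingerprints;
}

// Constructed input taken from the log line in comment 1: error 60 now yields
// the distinct message instead of a generic "Verification error".
echo openIdVerificationMessage( 60,
    'SSL certificate problem, verify that the CA cert is OK' ), "\n";
```

Two points for anyone adapting this: CURLOPT_SSL_VERIFYHOST must be 2, since 1 does not perform the host-name check and recent libcurl versions reject it outright; and the fingerprint helper disables verification only to obtain the certificate for display, so it must never be used to decide that a provider is trusted. The "accept anyway on extra user action" idea from the description would be the place to compare a fingerprint the user confirmed, not to silently set Auth_OpenID_VERIFY_HOST to false.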
Comment 4 T. Gries 2013-03-17 17:06:33 UTC
I analysed the issue and found that it is an "upstream" problem of the php-openid library. The problem does not jeopardize security.

The distinct verification error message can only be shown, when the underlying php-openid library includes my patch which is sent as https://github.com/openid/php-openid/pull/92 .
