Last modified: 2013-03-16 23:22:09 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in, and apart from displaying bug reports and their history, links might be broken. See T48189, the corresponding Phabricator task, for complete and up-to-date bug report information.
Bug 46189 - OpenID consumer when authenticating an https://OpenID - allow untrusted CA (e.g. for self-signed certificates) per-OpenID-provider, or per-user
Status: RESOLVED WONTFIX
Product: MediaWiki extensions
Classification: Unclassified
Component: OpenID (Other open bugs)
Version: master
Hardware: All, OS: All
Priority: Normal, Severity: enhancement (vote)
Target Milestone: ---
Assigned To: T. Gries
Duplicates: 45956 (view as bug list)
Depends on: 45324
Blocks:
Reported: 2013-03-16 11:46 UTC by T. Gries
Modified: 2013-03-16 23:22 UTC (History)
CC: 1 user

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---
Description T. Gries 2013-03-16 11:46:20 UTC
See also bug 45324.

The implementation would require a user_openid table schema change, so that an additional column uoi_openid_ignore_certificate_check can be added and can be set to "1" (per user).

"per-OpenID provider" would either require

+ an additional database table openid_providers which saves their properties, including whether or not to ignore certificate checks; or
+ hard-coding the value for the preprogrammed providers.

A setting (checkbox "ignore certificate checks") for manually entered OpenIDs must be added on the Login and Convert panels.
Comment 1 T. Gries 2013-03-16 13:03:02 UTC
Add to the per-OpenID provider and/or per-user solution:

+ show OpenID provider's fingerprint
+ store fingerprint if user accepted
+ alert, if during the next authentication the current and stored fingerprints differ
Comment 2 T. Gries 2013-03-16 13:22:12 UTC
see https://sourceforge.net/p/curl/feature-requests/69/
Comment 3 T. Gries 2013-03-16 13:51:03 UTC
SHA-1 example for OpenSSL (tested):

echo -n | openssl s_client -connect www.google.org:443 2>/dev/null | sed -n "/BEGIN CERTIFICATE/,/END CERTIFICATE/p" | openssl x509 -fingerprint -sha1 -noout

results in output:

"SHA1 Fingerprint=15:23:B4:8F:71:6F:E7:88:55:17:58:19:F3:D4:C0:59:8A:07:73:44"


see http://serverfault.com/questions/139728/how-to-download-ssl-certificate-from-a-website

Example for GnuTLS (untested):

The GNUTLS client tool, gnutls-cli, can also make this easy:

gnutls-cli --print-cert www.example.com < /dev/null > www.example.com.certs

The program is designed to provide an interactive client to the site, so you need to give it empty input to end the interactive session.
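The per-user fingerprint store that comment 1 sketches (show the provider's certificate fingerprint, store it once the user has accepted it, alert when a later authentication presents a different one), fed by the "SHA1 Fingerprint=..." line format that the openssl command in comment 3 prints. This is an added example and not code from the OpenID extension or from this report; the DER byte strings, the user and provider names, and the in-memory dictionary standing in for the user_openid / openid_providers columns are constructed assumptions.

```python
import hashlib
import re

# Constructed stand-ins for the DER encoding of a provider's certificate and of
# a renewed one (not real certificates). openssl's "SHA1 Fingerprint" is SHA-1
# over the DER bytes, so hashing these yields fingerprints in the same format.
PROVIDER_CERT_DER = b"constructed DER bytes of provider certificate, first issue"
RENEWED_CERT_DER = b"constructed DER bytes of provider certificate, renewed"

# Matches the line printed by `openssl x509 -fingerprint -sha1 -noout`.
FINGERPRINT_LINE = re.compile(r"^SHA1 Fingerprint=([0-9A-F]{2}(?::[0-9A-F]{2}){19})$")


def sha1_fingerprint(der: bytes) -> str:
    """SHA-1 over the DER bytes, formatted as openssl prints it (colon-separated, upper case)."""
    hexdigest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def parse_openssl_fingerprint(line: str) -> str:
    """Extract the fingerprint from an openssl 'SHA1 Fingerprint=...' line; reject anything else."""
    match = FINGERPRINT_LINE.match(line.strip().strip('"'))
    if match is None:
        raise ValueError("not an openssl SHA1 fingerprint line: %r" % line)
    return match.group(1)


class FingerprintStore:
    """Accepted fingerprints keyed by (user, provider). A plain dict stands in for
    the per-user column / openid_providers table the report discusses (assumption)."""

    def __init__(self):
        self._accepted = {}

    def check(self, user: str, provider: str, fingerprint: str, user_accepts: bool = False) -> str:
        """Classify the fingerprint presented during this authentication:
        'new'      - nothing stored yet; show it to the user and ask for confirmation
        'stored'   - nothing stored yet and the user accepted it, so it is recorded now
        'match'    - identical to the stored one
        'mismatch' - differs from the stored one: alert, do not silently continue
        """
        key = (user, provider)
        stored = self._accepted.get(key)
        if stored is None:
            if user_accepts:
                self._accepted[key] = fingerprint
                return "stored"
            return "new"
        return "match" if stored == fingerprint else "mismatch"


def login_sequence() -> list:
    """Walk one user through first login, acceptance, a repeat login and a renewed certificate."""
    store = FingerprintStore()
    user, provider = "alice", "https://openid.example.org/"  # constructed names
    first = sha1_fingerprint(PROVIDER_CERT_DER)
    renewed = sha1_fingerprint(RENEWED_CERT_DER)
    return [
        store.check(user, provider, first),                      # 'new'
        store.check(user, provider, first, user_accepts=True),   # 'stored'
        store.check(user, provider, first),                      # 'match'
        store.check(user, provider, renewed),                    # 'mismatch'
    ]


if __name__ == "__main__":
    print(login_sequence())
```

A 'mismatch' means either that the provider renewed its certificate or that something sits between the consumer and the provider; the fingerprint alone cannot tell the two apart, which is why a store like this only adds a second check on top of CA validation rather than replacing it, the point Ryan makes in comment 6 when the bug is closed.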
Comment 4 T. Gries 2013-03-16 14:20:10 UTC
*** Bug 45956 has been marked as a duplicate of this bug. ***
Comment 5 T. Gries 2013-03-16 16:08:29 UTC
Here's a simple cert viewer in PHP https://github.com/Wikinaut/MySimpleCertViewer
Comment 6 T. Gries 2013-03-16 23:22:09 UTC
Closed after discussion with Ryan ("there's never a good reason to allow insecure checking").
