konqueror does not accept SSL certificates "forever"

Bug #93081 reported by Lynoure Braakman
Affects            Status    Importance  Assigned to  Milestone
KDE Base           Invalid   Medium      -            -
kdebase (Ubuntu)   Invalid   Low         Unassigned   -

Bug Description

Binary package hint: kdebase

Konqueror does not accept SSL certificates it has been told to accept "forever" for more than an hour.

Steps to reproduce:
1. Go to a site that has an incorrect SSL certificate
2. You get "The IP address of the host example.net does not match the one the certificate was issued to." Choose "Continue".
3. You get "Would you like to accept this certificate forever without being prompted?" Choose "Forever".
4. Leave the site.
5. Come back after over an hour.

Expected result: Konqueror should accept the certificate without complaint.
Actual result: Konqueror asks those questions again.

Revision history for this message
Keith Jones (keithjones) wrote :

Lynoure asked me to test this on my edgy system. It does the same thing for me as it did on her feisty system.

Steps to reproduce:
1. Go to a site that has an incorrect SSL certificate
2. You get "The IP address of the host example.net does not match the one the certificate was issued to." Choose "Continue".
3. You get "Would you like to accept this certificate forever without being prompted?" Choose "Forever".
4. Leave the site.
5. Come back after over an hour.

Expected result: Konqueror should accept the certificate without complaint.
Actual result: Konqueror asks those questions again.

Changed in kdebase:
status: Unknown → Unconfirmed
dillj (dillj) wrote :

Yes, Lynoure asked me to test this as well, and yeah, it's true. After one hour, and revisiting the site, Konqueror will ask you what to do with the certificate, "forever" or "current session only", so yeah. BUG!

Marco Maini (maini10) wrote :

Thanks for your report. I have tried to reproduce this bug without success. Please say if this problem happens currently with one or more specific websites. Remember not to disclose confidential information because reports are public. Thanks.

Changed in kdebase:
assignee: nobody → maini10
status: Unconfirmed → Needs Info
dillj (dillj) wrote : Re: [Bug 93081] Re: konqueror does not accept SSL certificates "forever"

This is for many sites...
I've tested it on 3 more sites, all different, on both edgy and feisty. Same thing.

Marco Maini (maini10) wrote :

Please give an example of a site if possible. Thanks.

Lynoure Braakman (lynoure) wrote :

E.g. https://lynoure.org/blog
That's the only one I remember at the moment, but I'll happily test with any other one too.

Marco Maini (maini10) wrote :

I have reproduced your problem with that site. But the bug seems limited to certain SSL certs and doesn't always happen.

Marco Maini (maini10) wrote :

In this specific case, Konqueror doesn't ask anything when you type https://www.lynoure.net/blog/ but requires SSL confirmation when you type https://lynoure.org/blog. In my opinion, it's a correct security restriction because the certificate is released for the first address and Konqueror thinks that it is an unauthorized use by the other address (in this case it's wrong, but it may happen).

I don't know if you have other similar problems, but feel free to report them here. Thanks.

Lynoure Braakman (lynoure) wrote :

The bug is not about it asking for confirmation when it first encounters an invalid certificate. Asking for that confirmation is right and good. It is about Konqueror asking if it should accept the certificate Forever and, when told to do that, only keeping it for an hour. An hour is hardly even close to forever.

If you tested with other sites with invalid (or expired) certificates and could get Konqueror to accept those certificates forever, could you tell me the URLs, so I can test with those sites too?

Marco Maini (maini10) wrote :

This, for example, http://studiare.unife.it has an incorrect certificate, but when you click "Forever" it doesn't require any more confirmation (at least on my PC).
Maybe I didn't explain well in my previous post. In this specific case, according to me, Konqueror doesn't recognize the certificate previously accepted forever because the user submits a different address (https://lynoure.org/blog and not https://www.lynoure.net/blog/).

Thanks again.

Lynoure Braakman (lynoure) wrote :

No, every time I submitted the same address, https://lynoure.org/blog . It should not offer to accept the certificate forever if it will not indeed do that forever.

I just tried your school site now, so I will report about that after that hour has passed.

Lynoure Braakman (lynoure) wrote :

Indeed, it seemed to accept the certificate of your school permanently. So it seems Konqueror makes a distinction between certificates that do not match the domain name and self-signed certificates.

I still think this is a bug. If you disagree, could you tell me what Konqueror should do after it has offered to accept the certificate forever? If not accept it forever, it should not even offer to do that (and thus require an extra click). If it deems name-mismatched certificates too insecure to be accepted forever, maybe it should not accept them at all, or at least say "name mismatch, only accepting for this session" instead of requiring the user to choose between options that will not be honored anyway.

For me this bug is one of the only reasons I have not retired Firefox yet and gone 100% konqueror.

Marco Maini (maini10) wrote :

Confirmed due to mismatch between labels and effective behaviour. Thanks again for your report.

Changed in kdebase:
assignee: maini10 → nobody
status: Needs Info → Confirmed
Michael (michaeljt) wrote :

Possibly related (should I open a new issue for this?) I usually keep a Konqueror window between sessions with several tabs pointing to the same (company internal) website with a currently invalid certificate. Since upgrading to the Gutsy RC (may not be related), Konqueror has started asking me whether to accept the certificate or not for each open tab, although I always answer "for the rest of this session".

Changed in kdebase:
status: New → Invalid
Changed in kdebase:
status: Invalid → Unknown
Changed in kdebase:
status: Unknown → New
Changed in kdebase:
status: Confirmed → Triaged
Tyler Wagner (tyler) wrote :

I have confirmed in my own testing using Hardy that this bug still exists. Konqueror offers to keep a certificate exception forever, but saves it in ksslpolicies for only one hour.

You can even edit the exception in "Cryptography Configuration" -> "Peer SSL Certificates" tab, and change it to "Forever". But the moment you reload the page, it changes it back to a one-hour timeout!

I would like the ability to make an exception permanent, even in the case of domain mismatch. Shared SSL is still more common than phishing, and I'm smart enough to detect the difference.
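A small model of the behaviour the thread is arguing about, written as an added example for this page (it is not Konqueror's or KDE's code, and the certificate bytes, hostnames and the one-hour session window are constructed assumptions). It shows why a certificate issued for www.lynoure.net is a name mismatch on lynoure.org, and what an exception store that honours its own labels looks like: a "forever" exception has no expiry, a session exception does, and either one is tied to the certificate's fingerprint so that a different certificate appearing on the same host prompts again rather than inheriting the old exception.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


# Constructed stand-in for a server certificate: the bytes are NOT a real DER
# certificate, they only give us something to fingerprint.
@dataclass(frozen=True)
class Cert:
    der: bytes
    dns_names: Tuple[str, ...]   # subjectAltName dNSName entries (or the CN)

    def fingerprint(self) -> str:
        return hashlib.sha256(self.der).hexdigest()


def host_matches(hostname: str, pattern: str) -> bool:
    """Hostname check in the spirit of RFC 6125: exact match, or a single
    leading '*.' wildcard that covers exactly one DNS label."""
    hostname = hostname.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return hostname == pattern


def cert_matches_host(cert: Cert, hostname: str) -> bool:
    return any(host_matches(hostname, name) for name in cert.dns_names)


@dataclass
class Exception_:
    fingerprint: str
    expires_at: Optional[float]   # None means "forever"


class ExceptionStore:
    """Remembers user-accepted certificate exceptions per hostname."""
    SESSION_TTL = 3600.0   # the one-hour window the thread describes (assumed value)

    def __init__(self) -> None:
        self._by_host: Dict[str, Exception_] = {}

    def accept(self, hostname: str, cert: Cert, forever: bool, now: float) -> None:
        # "Forever" really is stored as no expiry; the label and the record agree.
        expires = None if forever else now + self.SESSION_TTL
        self._by_host[hostname.lower()] = Exception_(cert.fingerprint(), expires)

    def is_accepted(self, hostname: str, cert: Cert, now: float) -> bool:
        exc = self._by_host.get(hostname.lower())
        if exc is None:
            return False
        if exc.fingerprint != cert.fingerprint():
            return False            # different cert on the same host: prompt again
        if exc.expires_at is not None and now >= exc.expires_at:
            return False            # session exception has lapsed
        return True


def decide(store: ExceptionStore, hostname: str, cert: Cert, now: float) -> str:
    """Returns 'ok' (name matches), 'exception' (remembered), or 'prompt'."""
    if cert_matches_host(cert, hostname):
        return "ok"
    if store.is_accepted(hostname, cert, now):
        return "exception"
    return "prompt"


# Constructed scenario mirroring the thread: a cert issued for www.lynoure.net
# is also served on lynoure.org.
BLOG_CERT = Cert(der=b"constructed-cert-bytes-1", dns_names=("www.lynoure.net",))
OTHER_CERT = Cert(der=b"constructed-cert-bytes-2", dns_names=("www.lynoure.net",))


def walkthrough() -> Tuple[str, str, str, str, str]:
    store = ExceptionStore()
    t0 = 1_000_000.0
    first = decide(store, "lynoure.org", BLOG_CERT, t0)                # name mismatch, no exception yet
    store.accept("lynoure.org", BLOG_CERT, forever=True, now=t0)
    later = decide(store, "lynoure.org", BLOG_CERT, t0 + 2 * 3600)     # two hours on, still remembered
    swapped = decide(store, "lynoure.org", OTHER_CERT, t0 + 2 * 3600)  # new cert, same host: prompt
    store.accept("lynoure.org", BLOG_CERT, forever=False, now=t0)
    session = decide(store, "lynoure.org", BLOG_CERT, t0 + 2 * 3600)   # session exception expired
    matching = decide(store, "www.lynoure.net", BLOG_CERT, t0)         # issued name: no prompt at all
    return first, later, swapped, session, matching


if __name__ == "__main__":
    print(walkthrough())
```

Keying the exception on the certificate fingerprint is what keeps a permanent exception narrow: it only ever covers the one certificate the user actually looked at, so the "shared SSL" case above can be accepted for good without that decision carrying over to whatever certificate turns up on the host later.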

Changed in kdebase (Ubuntu):
importance: Undecided → Low
Jonathan Thomas (echidnaman) wrote :

Hi there!

Thanks for reporting this bug! Your bug seems to be a problem with the KDE program itself, and not with our KDE packages. But don't worry! This issue is being tracked by the KDE developers at: http://bugs.kde.org/show_bug.cgi?id=132761
Once fixed in KDE, it will be included in Kubuntu once the KDE version the fix is in reaches Kubuntu.

Thanks!

Changed in kdebase (Ubuntu):
status: Triaged → Invalid
Changed in kdebase:
importance: Unknown → Medium
Changed in kde-baseapps:
status: New → Invalid
samontab (samontab-w) wrote :

There's an extra dependency that is not being installed by the package manager. You need to install kleopatra:

sudo apt-get install kleopatra
