Introduction
This page provides test cases for distrusted certificates, in particular when using a Fedora (or RHEL) Linux system.
(If you're new to this topic, you might be interesting in the following manual page, which explains how the CA certificates trust store works on Fedora/RHEL: man update-ca-trust)
This page will tell you to copy files with root permissions into your /etc/pki/ca-trust/source/ directory. Usually, you shouldn't follow instructions from random Internet pages that tell you you do that. It's dangerous, because it can be used by an attacker to trick you into visiting a malicious website, although it might appear to be a legitimate website.
Only follow these instructions if you understand what you're doing, and clean up after you have tested. (By removing the files that you're installing as part of these instructions.) Or even better, use a separate test system for executing these tests, not your usual work computer.
Setup
Download this file named test-ca-ueberhaecker-constraint.txt, and using root (or sudo) permissions, copy it to:
/etc/pki/ca-trust/source/anchors/test-ca-ueberhaecker-constraint.pem
Download this file named test-ca-host2.txt, and using root (or sudo) permissions, copy it to:
/etc/pki/ca-trust/source/blacklist/test-ca-host2.pem
With root permissions, execute this command:
update-ca-trust
Testing
We will access the following hostnames using the https protocol, using various software, and below are the IDEAL expectations:
This should work, because the cert is a valid cert issued from our test CA.
This should fail, because we copied this server cert to the blacklist directory.
This is simply to check that the crypto library correctly processes the domain name constrains embedded in our test CA. It should fail, because the server name isn't allowed.
This should fail, because it is a certificate that was issued after the cutoff date defined by Mozilla as the end of trust for the issueing StartCom CA.
Using Firefox, click the following links:
https://host1.überhäcker.de - expected: page load successful
https://host2.überhäcker.de - expected: page load failure, Peer’s certificate has been marked as not trusted by the user. Error code: SEC_ERROR_UNTRUSTED_CERT
https://uberhacker-constraint-ca.kuix.de/ - expected: page load failure. (Click the "advanced" button:) The certificate is not valid for the name uberhacker-constraint-ca.kuix.de
https://notbefore-after-21st-test.samspin.net/ - expected: page load failure, Peer’s Certificate has been revoked. Error code: SEC_ERROR_REVOKED_CERTIFICATE
Using NSS tstclnt:
Create a text file that we'll use in the later commands:
echo -e "\n\n" > /tmp/req.txt
Now execute the following commands exactly as given (copy/paste whole line to terminal)
/usr/lib64/nss/unsupported-tools/tstclnt -V tls1.0: -D -b -p 443 -h host1.xn--berhcker-3za9u.de < /tmp/req.txt
expected: several lines of output, including a server response "HTTP/1.1 400 Bad Request", which shows that the SSL/TLS connection was successful, and we arrived at the HTTP protocol level
/usr/lib64/nss/unsupported-tools/tstclnt -V tls1.0: -D -b -p 443 -h host2.xn--berhcker-3za9u.de < /tmp/req.txt
expected: just one line of output with an error code
/usr/lib64/nss/unsupported-tools/tstclnt -V tls1.0: -D -b -p 443 -h uberhacker-constraint-ca.kuix.de < /tmp/req.txt
expected: just one line of output with an error code
/usr/lib64/nss/unsupported-tools/tstclnt -V tls1.0: -D -b -p 443 -h notbefore-after-21st-test.samspin.net < /tmp/req.txt
expected: just one line of output with an error code
Using curl. The result might vary, depending on which crypto library implementation is configured to use.
curl --head https://host1.überhäcker.de
Should work (HTTP 200 OK)
curl --head https://host2.überhäcker.de
Should fail. If you get HTTP 200 OK, distrust doesn't work.
curl --head https://uberhacker-constraint-ca.kuix.de
Should fail
curl --head https://notbefore-after-21st-test.samspin.net
Should fail
Using openssl s_client:
openssl s_client -servername host1.xn--berhcker-3za9u.de -connect host1.xn--berhcker-3za9u.de:443 < /tmp/req.txt
You should see "Verify return code: 0 (ok)" close to the bottom (connection ok)
openssl s_client -servername host2.xn--berhcker-3za9u.de -connect host2.xn--berhcker-3za9u.de:443 < /tmp/req.txt
Should fail. If it doesn't fail, openssl doesn't use distrust.
openssl s_client -servername uberhacker-constraint-ca.kuix.de -connect uberhacker-constraint-ca.kuix.de:443 < /tmp/req.txt
Should fail, Verify return code should be different from 0 (ok).
openssl s_client -servername notbefore-after-21st-test.samspin.net -connect notbefore-after-21st-test.samspin.net:443 < /tmp/req.txt
This is expected to not fail, because openssl doesn't implement the date based distrust for StartCom
Using gnutls-cli:
gnutls-cli -p 443 host1.xn--berhcker-3za9u.de < /tmp/req.txt
expected: several lines of output, including a server response "HTTP/1.1 400 Bad Request", which shows that the SSL/TLS connection was successful, and we arrived at the HTTP protocol level
gnutls-cli -p 443 host2.xn--berhcker-3za9u.de < /tmp/req.txt
expected: output should include: Status: The certificate is NOT trusted. The certificate chain is revoked.
gnutls-cli -p 443 uberhacker-constraint-ca.kuix.de < /tmp/req.txt
expected: output should include: Status: The certificate is NOT trusted. The certificate issuer is unknown. The name in the certificate does not match the expected.
gnutls-cli -p 443 notbefore-after-21st-test.samspin.net < /tmp/req.txt
This is expected to not fail, because gnutls doesn't implement the date based distrust for StartCom