Bug 51264 - Validation of signed documents against CRL takes too long when in Linux behind a proxy
Summary: Validation of signed documents against CRL takes too long when in Linux behin...
Status: NEW
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: framework (show other bugs)
Version:
(earliest affected)
3.6.1.2 release
Hardware: Other Linux (All)
: medium normal
Assignee: Not Assigned
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: Digital-Signatures
  Show dependency treegraph
 
Reported: 2012-06-20 09:57 UTC by nuno.ponte
Modified: 2020-03-05 03:14 UTC (History)
5 users (show)

See Also:
Crash report or crash signature:


Attachments
Sample signed document (11.71 KB, application/vnd.oasis.opendocument.text)
2012-06-20 09:57 UTC, nuno.ponte
Details
Second sample document that causes a HTTP request to verify the signature (11.58 KB, application/vnd.oasis.opendocument.text)
2015-10-06 11:45 UTC, david.vogt
Details

Note You need to log in before you can comment on or make changes to this bug.
Description nuno.ponte 2012-06-20 09:57:23 UTC
Created attachment 63269 [details]
Sample signed document

When opening a signed document, LibreOffice tries to download the CRL from the URL specified in the CRL Distribution Point of the signing certificate.

However, in Linux, if a proxy is used, LibreOffice doesn't seem to use the proxy settings (even if "manual") and takes too long, until it eventually get a timeout.

The console presents the following error message:

raptor error - XML FTP error: Unknown IO error

A sample signed document is provided.
Comment 1 ruismoura 2012-08-06 18:04:50 UTC
Hy,

I am experiencing the exactly same problem.

Does anyone have any new?


Regards,
Comment 2 Miguel CV 2013-01-31 16:58:34 UTC
I can confirm this behaviour. It happens here too after signing a document with a smartcard. Libreoffice 3.5.4.2 from ubuntu 12.04 repositories.
Comment 3 Jean-Baptiste Faure 2013-11-30 12:01:06 UTC
Hi all commenters,

Do you still experience this behavior with current stable and active version (4.0.6, 4.1.x) or 4.2.0.0.beta1 ?

Best regards. JBF
Comment 4 Miguel CV 2013-12-03 09:45:32 UTC
I've made another test with 4.1.3.2. Now signing is fast as should be...its slow only when you pick certificate path tab (or chain, i'm in spanish)
Detail: Open a signed document, go to digital signs (or similar, i'm in spanish) , and when you push the "certificate path" tab it waits more or less a minute before showing you the certificate path.
If you need more info or tests let me know.
Comment 5 QA Administrators 2014-07-08 17:29:35 UTC Comment hidden (obsolete)
Comment 6 Jean-Baptiste Faure 2014-07-13 16:37:52 UTC
No delay when opening the bugdoc in LO 4.3.1.0.0+ under Ubuntu 14.04 x86-64.
No delay to access the certificate path.

Closing as WorksForMe. Feel free to reopen if needed.

Best regards. JBF
Comment 7 david.vogt 2015-10-06 11:44:28 UTC
I can still reproduce this (4.4.5 as well as 5.0.2). What I've done is this:

* Add an IPTables rule to block direct access to the Cert hosting server (The following was done in my case: sudo iptables -D OUTPUT -p tcp -d 162.23.43.114 -j DROP) 
* Configure a proxy to "work around" the block
* Open LO with a signed document
* Clean up the IPTables by (sudo iptables -D OUTPUT -p tcp -d 162.23.43.114 -j DROP)

The effect is that LO completely hangs when opening such a file.

It does not happen with all signed documents however. For the one uploaded by Nuno Ponte, everything works (no HTTP request is done), but for other documents it does indeed do a HTTP request.

I'll upload such a test sample in a minute.
Comment 8 david.vogt 2015-10-06 11:45:14 UTC
Created attachment 119351 [details]
Second sample document that causes a HTTP request to verify the signature
Comment 9 Buovjaga 2015-10-09 18:51:05 UTC
Bug does not meet the criteria for Status 'REOPENED'
https://wiki.documentfoundation.org/QA/Bugzilla/Fields/Status/REOPENED#Criteria
Status -> UNCONFIRMED
Comment 10 tommy27 2016-12-11 19:02:23 UTC
status NEW according to comment 7 that was reproduced with LibO 5.0.x
has anyone tried 5.2.x?
Comment 11 Miguel CV 2016-12-19 11:51:11 UTC
I tested with the version in ubuntu 16.04 repositories ( Versión: 5.1.4.2
Id. de compilación: 1:5.1.4-0ubuntu1 ) :

Hangs exactly for 60 seconds every time processing certificates. I did a strace opening a signed file:

socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 40
fcntl(40, F_GETFL)                      = 0x2 (flags O_RDWR)
fcntl(40, F_SETFL, O_RDWR|O_NONBLOCK)   = 0
connect(40, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr(" MYPROXYIP ")}, 16) = -1 EINPROGRESS (Operation now in progress)
poll([{fd=40, events=POLLPRI|POLLOUT}], 1, 5000) = 0 (Timeout)
poll([{fd=40, events=POLLPRI|POLLOUT}], 1, 5000) = 0 (Timeout)
poll([{fd=40, events=POLLPRI|POLLOUT}], 1, 5000) = 0 (Timeout)
poll([{fd=40, events=POLLPRI|POLLOUT}], 1, 5000) = 0 (Timeout)
poll([{fd=40, events=POLLPRI|POLLOUT}], 1, 5000) = 0 (Timeout)
poll([{fd=40, events=POLLPRI|POLLOUT}], 1, 5000) = 0 (Timeout)
poll([{fd=40, events=POLLPRI|POLLOUT}], 1, 5000) = 0 (Timeout)
poll([{fd=40, events=POLLPRI|POLLOUT}], 1, 5000) = 0 (Timeout)
poll([{fd=40, events=POLLPRI|POLLOUT}], 1, 5000) = 0 (Timeout)
poll([{fd=40, events=POLLPRI|POLLOUT}], 1, 5000) = 0 (Timeout)
poll([{fd=40, events=POLLPRI|POLLOUT}], 1, 5000
 
(this is until 5000 * 12) 

One thing to note is that my proxy port is set to 8080 , but as you can see it tries to open a connection to port 80 ( sin_port=htons(80) ) .
Comment 12 QA Administrators 2017-12-20 03:34:57 UTC Comment hidden (obsolete)
Comment 13 QA Administrators 2020-03-05 03:14:26 UTC
Dear nuno.ponte,

To make sure we're focusing on the bugs that affect our users today, LibreOffice QA is asking bug reporters and confirmers to retest open, confirmed bugs which have not been touched for over a year.

There have been thousands of bug fixes and commits since anyone checked on this bug report. During that time, it's possible that the bug has been fixed, or the details of the problem have changed. We'd really appreciate your help in getting confirmation that the bug is still present.

If you have time, please do the following:

Test to see if the bug is still present with the latest version of LibreOffice from https://www.libreoffice.org/download/

If the bug is present, please leave a comment that includes the information from Help - About LibreOffice.
 
If the bug is NOT present, please set the bug's Status field to RESOLVED-WORKSFORME and leave a comment that includes the information from Help - About LibreOffice.

Please DO NOT

Update the version field
Reply via email (please reply directly on the bug tracker)
Set the bug's Status field to RESOLVED - FIXED (this status has a particular meaning that is not 
appropriate in this case)


If you want to do more to help you can test to see if your issue is a REGRESSION. To do so:
1. Download and install oldest version of LibreOffice (usually 3.3 unless your bug pertains to a feature added after 3.3) from https://downloadarchive.documentfoundation.org/libreoffice/old/

2. Test your bug
3. Leave a comment with your results.
4a. If the bug was present with 3.3 - set version to 'inherited from OOo';
4b. If the bug was not present in 3.3 - add 'regression' to keyword


Feel free to come ask questions or to say hello in our QA chat: https://kiwiirc.com/nextclient/irc.freenode.net/#libreoffice-qa

Thank you for helping us make LibreOffice even better for everyone!

Warm Regards,
QA Team

MassPing-UntouchedBug