Bug 51264 - Validation of signed documents against CRL takes too long when in Linux behind a proxy
Status: NEW
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: framework
Version (earliest affected): 3.6.1.2 release
Hardware: Other Linux (All)
Importance: medium normal
Assignee: Not Assigned
Blocks: Digital-Signatures
Reported: 2012-06-20 09:57 UTC by nuno.ponte
Modified: 2023-03-23 15:05 UTC

Attachments
Sample signed document (11.71 KB, application/vnd.oasis.opendocument.text)
2012-06-20 09:57 UTC, nuno.ponte
Second sample document that causes a HTTP request to verify the signature (11.58 KB, application/vnd.oasis.opendocument.text)
2015-10-06 11:45 UTC, david.vogt

Description nuno.ponte 2012-06-20 09:57:23 UTC
Created attachment 63269 [details]
Sample signed document

When opening a signed document, LibreOffice tries to download the CRL from the URL specified in the CRL Distribution Point of the signing certificate.

However, in Linux, if a proxy is used, LibreOffice doesn't seem to use the proxy settings (even if "manual") and takes too long, until it eventually gets a timeout.

The console presents the following error message:

raptor error - XML FTP error: Unknown IO error

A sample signed document is provided.
Comment 1 ruismoura 2012-08-06 18:04:50 UTC
Hi,

I am experiencing exactly the same problem.

Does anyone have any news?


Regards,
Comment 2 Miguel CV 2013-01-31 16:58:34 UTC
I can confirm this behaviour. It happens here too after signing a document with a smartcard. LibreOffice 3.5.4.2 from the Ubuntu 12.04 repositories.
Comment 3 Jean-Baptiste Faure 2013-11-30 12:01:06 UTC
Hi all commenters,

Do you still experience this behavior with the current stable and active versions (4.0.6, 4.1.x) or 4.2.0.0.beta1?

Best regards. JBF
Comment 4 Miguel CV 2013-12-03 09:45:32 UTC
I've made another test with 4.1.3.2. Now signing is as fast as it should be... it's slow only when you pick the certificate path tab (or chain, I'm in Spanish).
Detail: Open a signed document, go to digital signs (or similar, I'm in Spanish), and when you push the "certificate path" tab it waits more or less a minute before showing you the certificate path.
If you need more info or tests let me know.
Comment 5 QA Administrators 2014-07-08 17:29:35 UTC Comment hidden (obsolete)
Comment 6 Jean-Baptiste Faure 2014-07-13 16:37:52 UTC
No delay when opening the bugdoc in LO 4.3.1.0.0+ under Ubuntu 14.04 x86-64.
No delay to access the certificate path.

Closing as WorksForMe. Feel free to reopen if needed.

Best regards. JBF
Comment 7 david.vogt 2015-10-06 11:44:28 UTC
I can still reproduce this (4.4.5 as well as 5.0.2). What I've done is this:

* Add an IPTables rule to block direct access to the Cert hosting server (The following was done in my case: sudo iptables -A OUTPUT -p tcp -d 162.23.43.114 -j DROP)
* Configure a proxy to "work around" the block
* Open LO with a signed document
* Clean up the IPTables by (sudo iptables -D OUTPUT -p tcp -d 162.23.43.114 -j DROP)

The effect is that LO completely hangs when opening such a file.

It does not happen with all signed documents, however. For the one uploaded by Nuno Ponte, everything works (no HTTP request is done), but for other documents it does indeed do an HTTP request.

I'll upload such a test sample in a minute.
Comment 8 david.vogt 2015-10-06 11:45:14 UTC
Created attachment 119351 [details]
Second sample document that causes a HTTP request to verify the signature
Comment 9 Buovjaga 2015-10-09 18:51:05 UTC
Bug does not meet the criteria for Status 'REOPENED'
https://wiki.documentfoundation.org/QA/Bugzilla/Fields/Status/REOPENED#Criteria
Status -> UNCONFIRMED
Comment 10 tommy27 2016-12-11 19:02:23 UTC
Status NEW according to comment 7, which was reproduced with LibO 5.0.x.
Has anyone tried 5.2.x?
Comment 11 Miguel CV 2016-12-19 11:51:11 UTC
I tested with the version in the Ubuntu 16.04 repositories ( Versión: 5.1.4.2
Id. de compilación: 1:5.1.4-0ubuntu1 ) :

It hangs for exactly 60 seconds every time it processes certificates. I ran strace while opening a signed file:

socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 40
fcntl(40, F_GETFL)                      = 0x2 (flags O_RDWR)
fcntl(40, F_SETFL, O_RDWR|O_NONBLOCK)   = 0
connect(40, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr(" MYPROXYIP ")}, 16) = -1 EINPROGRESS (Operation now in progress)
poll([{fd=40, events=POLLPRI|POLLOUT}], 1, 5000) = 0 (Timeout)
poll([{fd=40, events=POLLPRI|POLLOUT}], 1, 5000) = 0 (Timeout)
poll([{fd=40, events=POLLPRI|POLLOUT}], 1, 5000) = 0 (Timeout)
poll([{fd=40, events=POLLPRI|POLLOUT}], 1, 5000) = 0 (Timeout)
poll([{fd=40, events=POLLPRI|POLLOUT}], 1, 5000) = 0 (Timeout)
poll([{fd=40, events=POLLPRI|POLLOUT}], 1, 5000) = 0 (Timeout)
poll([{fd=40, events=POLLPRI|POLLOUT}], 1, 5000) = 0 (Timeout)
poll([{fd=40, events=POLLPRI|POLLOUT}], 1, 5000) = 0 (Timeout)
poll([{fd=40, events=POLLPRI|POLLOUT}], 1, 5000) = 0 (Timeout)
poll([{fd=40, events=POLLPRI|POLLOUT}], 1, 5000) = 0 (Timeout)
poll([{fd=40, events=POLLPRI|POLLOUT}], 1, 5000
 
(this is until 5000 * 12) 

One thing to note is that my proxy port is set to 8080, but as you can see it tries to open a connection to port 80 ( sin_port=htons(80) ).
Comment 12 QA Administrators 2017-12-20 03:34:57 UTC Comment hidden (obsolete)
Comment 13 QA Administrators 2020-03-05 03:14:26 UTC Comment hidden (obsolete)
Comment 14 QA Administrators 2022-03-06 03:32:12 UTC Comment hidden (obsolete)
Comment 15 leandrolorge 2022-07-25 23:50:26 UTC
For me, this bug is still present in version 7.3.5.2, which I downloaded a couple of days ago from https://www.libreoffice.org/download
I configured the proxy settings, but LibreOffice doesn't honour them, and attempts a direct connection to the internet in order to verify the certificate of the signed document.

Version: 7.3.5.2 / LibreOffice Community
Build ID: 184fe81b8c8c30d8b5082578aee2fed2ea847c01
CPU threads: 2; OS: Linux 5.4; UI render: default; VCL: qt5 (qfont+xcb)
Locale: es-AR (es_AR.UTF-8); UI: en-US
Calc: threaded


The same happens with the version included in Lubuntu 20.04:

Versión: 6.4.7.2
Id. de compilación: 1:6.4.7-0ubuntu0.20.04.1
Subprocs. CPU: 2; SO: Linux 5.4; Repres. IU: predet.; VCL: qt5; 
Configuración regional: es-AR (es_AR.UTF-8); Idioma de IU: es-ES
Calc: threaded


In both cases, I checked the proxy settings with:

$ grep -i proxy ~/.config/libreoffice/4/user/registrymodifications.xcu
<item oor:path="/org.openoffice.Inet/Settings"><prop oor:name="ooInetHTTPProxyName" oor:op="fuse"><value>192.168.x.x</value></prop></item>
<item oor:path="/org.openoffice.Inet/Settings"><prop oor:name="ooInetHTTPProxyPort" oor:op="fuse"><value>3128</value></prop></item>
<item oor:path="/org.openoffice.Inet/Settings"><prop oor:name="ooInetHTTPSProxyName" oor:op="fuse"><value>192.168.x.x</value></prop></item>
<item oor:path="/org.openoffice.Inet/Settings"><prop oor:name="ooInetHTTPSProxyPort" oor:op="fuse"><value>3128</value></prop></item>
<item oor:path="/org.openoffice.Inet/Settings"><prop oor:name="ooInetProxyType" oor:op="fuse"><value>2</value></prop></item>
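
A way to check the two observations above (the strace in comment 11 and the registrymodifications.xcu dump in this comment) against each other, as an added example that is not part of the original report or of LibreOffice: it reads the configured HTTP proxy and flags IPv4 connect() calls in strace output that go anywhere else. The sample inputs are constructed, the function names are hypothetical, and it assumes the proxy is configured by IP address.

```python
import re
import xml.etree.ElementTree as ET
OOR = "{http://openoffice.org/2001/registry}"  # namespace of the oor: attributes

# Constructed sample data (documentation addresses, not values from the report).
SAMPLE_XCU = """<oor:items xmlns:oor="http://openoffice.org/2001/registry">
<item oor:path="/org.openoffice.Inet/Settings"><prop oor:name="ooInetHTTPProxyName" oor:op="fuse"><value>192.0.2.10</value></prop></item>
<item oor:path="/org.openoffice.Inet/Settings"><prop oor:name="ooInetHTTPProxyPort" oor:op="fuse"><value>3128</value></prop></item>
<item oor:path="/org.openoffice.Inet/Settings"><prop oor:name="ooInetProxyType" oor:op="fuse"><value>2</value></prop></item>
</oor:items>"""
SAMPLE_STRACE = """\
connect(40, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("192.0.2.10")}, 16) = -1 EINPROGRESS (Operation now in progress)
poll([{fd=40, events=POLLPRI|POLLOUT}], 1, 5000) = 0 (Timeout)
poll([{fd=40, events=POLLPRI|POLLOUT}], 1, 5000) = 0 (Timeout)
connect(41, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("198.51.100.7")}, 16) = -1 EINPROGRESS (Operation now in progress)
connect(42, {sa_family=AF_INET, sin_port=htons(3128), sin_addr=inet_addr("192.0.2.10")}, 16) = 0
"""

CONNECT_RE = re.compile(r'connect\(\d+, \{sa_family=AF_INET, sin_port=htons\((\d+)\), '
                        r'sin_addr=inet_addr\("\s*([^"\s]+)\s*"\)')
POLL_TIMEOUT_RE = re.compile(r'poll\(.*, (\d+)\)\s+= 0 \(Timeout\)')

def configured_proxy(xcu_text):
    """Return (host, port) of the manual HTTP proxy, or None if none is set."""
    props = {}
    for item in ET.fromstring(xcu_text).iter("item"):
        if item.get(OOR + "path") == "/org.openoffice.Inet/Settings":
            for prop in item.iter("prop"):
                props[prop.get(OOR + "name")] = prop.findtext("value")
    # Assumption: ooInetProxyType 2 is the manual setting, as in the dump above.
    if props.get("ooInetProxyType") != "2" or "ooInetHTTPProxyName" not in props:
        return None
    return props["ooInetHTTPProxyName"], int(props.get("ooInetHTTPProxyPort", 0))

def proxy_bypasses(xcu_text, strace_text):
    """List (ip, port, reason) for IPv4 connects that do not go to the proxy."""
    host, port = configured_proxy(xcu_text) or (None, None)
    findings = []
    for dport, ip in CONNECT_RE.findall(strace_text):
        if ip.startswith("127.") or dport == "53":   # loopback and DNS lookups
            continue
        if ip != host:
            findings.append((ip, int(dport), "direct connection"))
        elif int(dport) != port:
            findings.append((ip, int(dport), "proxy host, wrong port"))
    return findings

def stalled_seconds(strace_text):
    """Sum the poll() timeouts (milliseconds) that expired without an event."""
    return sum(int(ms) for ms in POLL_TIMEOUT_RE.findall(strace_text)) / 1000
```

To use it on a real session, pass the contents of registrymodifications.xcu and the output of an strace run of soffice in place of the two sample strings.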
Comment 16 abma 2023-03-23 15:05:22 UTC
I've hit the same problem when opening a signed PDF in Draw 7.0.4.2 on Debian 11 behind a proxy.

With proxychains4 I can work around the problem:

$ proxychains soffice

[...]
[proxychains] Dynamic chain  ...  <ip of proxy:3128  ...  193.174.13.86:80  ...  OK
[...]

193.174.13.86 is ocsp.pca.dfn.de.


LO seems to ignore the configured proxy when validating a signed PDF document.