Bug 90038 - CMIS https never connect/timeout with self sign cert but http work (Debian amd64)
Summary: CMIS https never connect/timeout with self sign cert but http work (Debian am...
Status: RESOLVED WORKSFORME
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: LibreOffice (show other bugs)
Version:
(earliest affected)
4.4.1.2 release
Hardware: x86-64 (AMD64) Linux (All)
: medium major
Assignee: Not Assigned
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: CMIS
  Show dependency treegraph
 
Reported: 2015-03-16 14:15 UTC by Samuel Wolf
Modified: 2016-06-28 10:52 UTC (History)
5 users (show)

See Also:
Crash report or crash signature:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Samuel Wolf 2015-03-16 14:15:48 UTC
Originally this problem depends on this bug:
https://bugs.documentfoundation.org/show_bug.cgi?id=72277

It is impossible to connect via LibreOffice 4.4 on Debian (.deb) to a https (http work!) CMIS server, after apply the login credentials nothing happens.

You can try this:
[fail] https://cmis.alfresco.com/cmisatom
[work] http://cmis.alfresco.com/cmisatom
username: admin
password: admin

strace debug:
[...]
[pid 10811] stat("/home/samuel/.mozilla/firefox/lw5s3dll.default/cert8.db", {st_mode=S_IFREG|0600, st_size=704512, ...}) = 0
[pid 10811] open("/home/samuel/.mozilla/firefox/lw5s3dll.default/cert8.db", O_RDWR) = 33
[pid 10811] fcntl(33, F_SETFD, FD_CLOEXEC) = 0
[pid 10811] read(33, "\0\6\25a\0\0\0\2\0\0\4\322\0\0@\0\0\0\0\16\0\0\1\0\0\0\1\0\0\0\0\10"..., 260) = 260
[pid 10811] lseek(33, 180224, SEEK_SET) = 180224
[pid 10811] read(33, "&\0\367?\364?7?\254:\3409\2135&5\226010\251/\210/\5/\236.T*,*"..., 16384) = 16384
[pid 10811] stat("/home/samuel/.mozilla/firefox/lw5s3dll.default/key3.db", {st_mode=S_IFREG|0600, st_size=32768, ...}) = 0
[pid 10811] open("/home/samuel/.mozilla/firefox/lw5s3dll.default/key3.db", O_RDWR) = 34
[pid 10811] fcntl(34, F_SETFD, FD_CLOEXEC) = 0
[pid 10811] read(34, "\0\6\25a\0\0\0\2\0\0\4\322\0\0 \0\0\0\0\r\0\0\1\0\0\0\1\0\0\0\0\10"..., 260) = 260
[pid 10811] lseek(34, 8192, SEEK_SET)   = 8192
[pid 10811] read(34, "\6\0\371\37\370\37\352\37\266\37\253\37\227\37\205\37\227\37\377\377\377\377\377\377\377\377\377\377\377\377\377\377"..., 8192) = 8192
[pid 10811] open("/home/samuel/.mozilla/firefox/lw5s3dll.default/libnssckbi.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
[pid 10811] brk(0x2b06000)              = 0x2b06000
[pid 10811] open("/opt/libreoffice4.4/program/../program/libnssckbi.so", O_RDONLY|O_CLOEXEC) = 35
[pid 10811] read(35, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\20 \2\0\0\0\0\0"..., 832) = 832
[pid 10811] fstat(35, {st_mode=S_IFREG|0775, st_size=1101111, ...}) = 0
[...]
[pid 10811] recvmsg(13, 0x7fffd991df50, 0) = -1 EAGAIN (Resource temporarily unavailable)
[...]
Comment 1 Samuel Wolf 2015-03-16 14:55:37 UTC
Works in Windows as expected:
https://cmis.alfresco.com/cmisatom

Maybe only a problem with the TDF .deb build process?
Comment 2 Julien Nabet 2015-03-16 20:12:45 UTC
I must recognize that even if I'm on Debian (testing), I never use .deb, only LO package from Debian repo (4.3.3.2 for the moment) + build master sources.

Rene/Christian: Thought you might be interested in this one. (packaging/Debian env problem?)
Comment 3 Samuel Wolf 2015-08-31 10:22:49 UTC
Version: 5.0.1.2 same problem.
Is there any way to get this working with the TDF .debs?

LibreOffice do not use the CAs of Firefox, path is set.
Is there a way to install the CA direct in LibreOffice?
Comment 4 Christian Lohmaier 2015-08-31 13:29:40 UTC
distro-specific problem.
No prob on Mageia 5 with tdf-provided build of 5.0.0(.5) and also no problem in tdf provided 4.4.5(.2). Mageia uses rpm, but the packaged files are the same. So need more details on actual source of the problem, or even better a patch :-)

####### NEEDINFO ########
* other affected distros/components causing it (what version of the distro?)
* does it work with distro-provided version of LO?
Comment 5 Julien Nabet 2015-08-31 13:38:10 UTC
Szymon: noticing your work on CMIS, are you on Debian by any chance and/or have some leads about this one?
Comment 6 Samuel Wolf 2015-08-31 17:37:51 UTC
(In reply to Christian Lohmaier from comment #4)
> distro-specific problem.

See original thread:
https://bugs.documentfoundation.org/show_bug.cgi?id=72277#c85

It is only a problem with the .deb build of the TDF, .rpm works as expected.
Comment 7 Christian Lohmaier 2015-08-31 18:57:07 UTC
(In reply to Samuel Wolf from comment #6)
> 
> https://bugs.documentfoundation.org/show_bug.cgi?id=72277#c85
> 
> It is only a problem with the .deb build of the TDF, .rpm works as expected.

No, that comment just states that it works on a different Distro (CentOS) that happens to use rpm as package format.

So far it is only clear that an unstated version of Debian suffers the problem. But no indication that it is a problem with the deb-packaging.
Comment 8 Samuel Wolf 2015-08-31 19:52:17 UTC
Summary:
========

* self sign cert with _own_ CA
* CA in Firefox and system wide installed (curl works without an https error)

Works:
=========
LibreOffice installed from the Debian repository
LibreOffice on CentOS with .rpm from TDF

Don't work:
===========
LibreOffice on Debian 7/8 with .deb from TDF


For some reason the .deb build from TDF LibreOffice neither use the system CAs nor the CAs which installed in Firefox.

(In reply to Christian Lohmaier from comment #7)
> So far it is only clear that an unstated version of Debian suffers the
> problem. But no indication that it is a problem with the deb-packaging.

https://bugs.documentfoundation.org/show_bug.cgi?id=72277#c77

Quote:
"That's just "magic", it's just using the system curl that is built with openSSL support and get access to openssl system CA database.

Normally the official TDF deb packages are built with internal curl, handling SSL with NSS. Thus it needs libnsspem to be able to read the certs from mozilla profile... which is now working with the .rpm and windows builds."

I guess it is a problem of the TDF .debs
Comment 9 Samuel Wolf 2015-09-01 14:02:02 UTC
@ Cédric,
I add you to the CC List since you work on the bugfix.

http://bosdonnat.fr/libreoffice-reaches-cmis-https.html
Comment 10 Samuel Wolf 2015-09-07 13:46:02 UTC
(In reply to Samuel Wolf from comment #8)
> Summary:
> ========
> 
> * self sign cert with _own_ CA

Sorry this info was wrong "https://cmis.alfresco.com" does not work, _all_ CAs are affected.

In this case https:// is impossible with the TDF .deb builds.
Comment 11 Samuel Wolf 2016-02-01 10:57:15 UTC
Try it today with LibreOffice 5.1.0.2, same problem with https and the .deb packages from TDF.

Any chance to fix this issue?
Sponsoring?
Comment 12 Giuseppe Castagno (aka beppec56) 2016-03-11 14:59:32 UTC
Checked on Ubuntu with a CentOS build I created to test my fix for bug 98416.

Apparently solves this issue as well, for TDF build structure (e.g. build on CentOS 6.x for LO 5.1).

For LO installed from the distro repository it will depend on the way the package maintainer would configure ssl protocol for libcurl.
Comment 13 Samuel Wolf 2016-03-11 20:11:48 UTC
(In reply to Giuseppe Castagno (aka beppec56) from comment #12)
> Checked on Ubuntu with a CentOS build I created to test my fix for bug 98416.

You install/convert the .rpm and in Ubuntu?

> Apparently solves this issue as well, for TDF build structure (e.g. build on
> CentOS 6.x for LO 5.1).

You guess this fix the issue with the TDF .deb as well?
That would be really good news!

> For LO installed from the distro repository it will depend on the way the
> package maintainer would configure ssl protocol for libcurl.

LO from the Debian distro repository work all the time with https.
Comment 14 Giuseppe Castagno (aka beppec56) 2016-03-13 20:13:15 UTC
(In reply to Samuel Wolf from comment #13)

> You guess this fix the issue with the TDF .deb as well?
> That would be really good news!

Can you please download this:
<http://dev-builds.libreoffice.org/daily/master/Linux-rpm_deb-x86_64@70-TDF/gdrivetest2/LibreOfficeDev_5.2.0.0.alpha0_Linux_x86-64_deb.tar.gz>

?
It' a special version of master build specifally crested to check for  bug 98416.
For me it solved this as well.
A comfirmation will be appreciated.

Thanks.
Comment 15 Christian Lohmaier 2016-03-13 20:58:03 UTC
(rpms also provided at the gdrivetest2 url http://dev-builds.libreoffice.org/daily/master/Linux-rpm_deb-x86_64@70-TDF/gdrivetest2/ - the package format doesn't matter for this bug)

Note that there's still bug#87938 (two-factor auth for gdrive not working) - so if you want to test, you have to disable two-factor authentication temporarily.
Comment 16 Giuseppe Castagno (aka beppec56) 2016-05-13 07:45:02 UTC
Google Drive should now work again starting with this TDF version (not 2FA enabled):

Version: 5.1.3.2
Build ID: 644e4637d1d8544fd9f56425bd6cec110e49301b
CPU Threads: 8; OS Version: Linux 3.13; UI Render: default; 
Locale: en-US (en_US.UTF-8)

Explanation of the reason as reported on bug 98416, comment 33.
Comment 17 Samuel Wolf 2016-06-28 10:03:29 UTC
Work with my self sign cert on Debian (TDF .deb) as well, thank you!
Comment 18 Julien Nabet 2016-06-28 10:52:42 UTC
Thank you for your feedback Samuel, let's put this one to WFM then.