QuiteRSS / quiterss

Free news feeds reader
https://quiterss.org

Bundled CA certificates outdated #1474

Open sandwm opened 3 years ago

sandwm commented 3 years ago

For Windows and OS/2 QuiteRSS bundles certificate authority (CA) certificates. All supported versions of Windows (and I guess the ArcaOS fork of OS/2 – huh, I didn't even know an actively maintained OS/2 derivative still existed) should include their own CA certificate store, so QuiteRSS might not even need to bring along its own bundle.

If however it is required, it should be updated, since the bundle is more than 6 years old. In these years several CAs have been found maliciously issuing certificates to parties other than the true domain owners (e.g. issuing a certificate for google.com, but to an attacker and not Google LLC), thus breaking the security TLS should provide. Relying on these old CA certificates poses a security risk.

On the other hand, new CA certificates have been created (for entirely new CAs or as replacements for old, expired certificates) and trusted by operating system vendors and web browser vendors like Mozilla. Missing these new certificates might lead to issues like some of those reported here (e.g. #1332 and #1133 might be caused by this, though I didn't investigate further).

The original CA cert bundle was copied from the QupZilla website according to git history. QupZilla became Falkon (https://www.falkon.org/) in the meantime. I don't know whether they still provide their own CA bundle. An alternative might be Mozilla's CA bundle, which is also packaged by several Linux distributions in different file formats including PEM (like QuiteRSS' data/ca-bundle.crt). See e.g. Arch Linux' packages ca-certificates-mozilla, perl-mozilla-ca and python-certifi.

(Note to prevent confusions: I'm using Linux, so I'm not affected by this. Thought I should report it anyhow.)

montoner0 commented 2 years ago

I can confirm that outdated CA certificates are responsible for issues with at least Let's Encrypt certificates based on ISRG Root X1 (https://letsencrypt.org/docs/certificate-compatibility/). For those Windows users who seek a workaround until this is fixed:

  1. Download cacert.pem from here https://curl.se/docs/caextract.html and rename it to ca-bundle.crt (if you don't see file extensions, enable them in the View tab)
  2. Close QuiteRSS
  3. Open the folder %LocalAppData%\QuiteRss\QuiteRss\certificates (copy-paste it into the address bar in Windows Explorer and press Enter)
  4. Remove or rename the original ca-bundle.crt and copy the file you downloaded in step 1 there

That should fix the issue.
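The four manual steps above, as an added PowerShell example for Windows. This is not QuiteRSS project code and was not posted in the thread. It assumes the per-user bundle path named in the comment (`%LocalAppData%\QuiteRss\QuiteRss\certificates\ca-bundle.crt`), that `https://curl.se/ca/cacert.pem` is the file behind the curl caextract page linked above, and that the running process is called `QuiteRSS` (an assumption). Before replacing anything it parses both the downloaded and the installed bundle and reports what a user hitting this issue wants to know: how many roots each contains, how many are already expired, and whether ISRG Root X1 is present.

```powershell
# Added example; not QuiteRSS project code and not part of the issue thread.
# Automates the workaround: fetch the current Mozilla CA bundle as extracted by
# the curl project, sanity-check it, back up QuiteRSS' ca-bundle.crt, replace it.
#
# Assumptions: bundle path as given in the thread; download URL is the file behind
# https://curl.se/docs/caextract.html; process name "QuiteRSS" is assumed.

$ErrorActionPreference = 'Stop'

$BundleUrl  = 'https://curl.se/ca/cacert.pem'
$CertDir    = Join-Path $env:LOCALAPPDATA 'QuiteRss\QuiteRss\certificates'
$BundlePath = Join-Path $CertDir 'ca-bundle.crt'
$Download   = Join-Path $env:TEMP 'cacert.pem'

function Get-BundleSummary {
    # Parse every PEM block in a bundle with the .NET X.509 parser and report
    # certificate count, how many are past NotAfter, and whether ISRG Root X1
    # (the Let's Encrypt root named in the thread) is included.
    param([Parameter(Mandatory)][string]$Path)

    $text    = Get-Content -Path $Path -Raw
    $pattern = '-----BEGIN CERTIFICATE-----\s*([A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----'
    $certs   = @([regex]::Matches($text, $pattern) | ForEach-Object {
        $der = [Convert]::FromBase64String(($_.Groups[1].Value -replace '\s', ''))
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
    })
    $now = Get-Date
    [pscustomobject]@{
        Path          = $Path
        Count         = $certs.Count
        Expired       = @($certs | Where-Object { $_.NotAfter -lt $now }).Count
        HasIsrgRootX1 = [bool]($certs | Where-Object { $_.Subject -match 'CN=ISRG Root X1' })
    }
}

# Step 2: QuiteRSS must not be running while its bundle is swapped (process name assumed).
Get-Process -Name 'QuiteRSS' -ErrorAction SilentlyContinue | Stop-Process
Start-Sleep -Seconds 1

# Step 1: fetch the current bundle. Windows PowerShell 5.1 may negotiate old TLS
# versions by default, so require TLS 1.2 explicitly. The download is verified by
# the Windows system trust store, not by QuiteRSS' outdated bundle.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -Uri $BundleUrl -OutFile $Download -UseBasicParsing

# Refuse to install anything that does not look like a complete, current bundle.
$new = Get-BundleSummary -Path $Download
if ($new.Count -lt 100 -or -not $new.HasIsrgRootX1) {
    throw "Downloaded file has $($new.Count) certificates, ISRG Root X1 present: $($new.HasIsrgRootX1). Not installing it."
}

# Steps 3 and 4: show what is being replaced, keep a dated backup, install the new bundle.
if (Test-Path -Path $BundlePath) {
    Write-Host 'Installed bundle before replacement:'
    Get-BundleSummary -Path $BundlePath | Format-List
    Copy-Item -Path $BundlePath -Destination "$BundlePath.bak-$(Get-Date -Format 'yyyyMMdd')" -Force
} else {
    New-Item -ItemType Directory -Path $CertDir -Force | Out-Null
}
Copy-Item -Path $Download -Destination $BundlePath -Force

Write-Host 'Installed bundle after replacement:'
Get-BundleSummary -Path $BundlePath | Format-List
```

Run it in a normal (non-elevated) PowerShell session, since the path is under the user's profile. The summary printed before replacement is the useful diagnostic: a bundle with a large `Expired` count and `HasIsrgRootX1 = False` is exactly the state that makes Let's Encrypt feeds fail as described. Two caveats a practitioner should keep in mind: the script trusts curl.se's TLS certificate as validated by Windows, and the curl project also publishes a `cacert.pem.sha256` next to the bundle that can be compared against `Get-FileHash` if an independent integrity check is wanted; and this only patches the per-user copy, so it is a stopgap until QuiteRSS either ships a current bundle or, as the first comment suggests, defers to the operating system's own trust store.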