Debian Bug report logs - #699103
please use Debian ca-certificates as trust anchors by default

version graph

Package: telepathy-rakia; Maintainer for telepathy-rakia is Debian Telepathy maintainers <pkg-telepathy-maintainers@lists.alioth.debian.org>; Source for telepathy-rakia is src:telepathy-rakia.

Reported by: Daniel Pocock <daniel@pocock.com.au>

Date: Sun, 27 Jan 2013 16:54:01 UTC

Severity: important

Tags: upstream

Found in version telepathy-rakia/0.7.4-1

Reply or subscribe to this bug.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Telepathy maintainers <pkg-telepathy-maintainers@lists.alioth.debian.org>:
Bug#699103; Package telepathy-rakia. (Sun, 27 Jan 2013 16:54:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Daniel Pocock <daniel@pocock.com.au>:
New Bug report received and forwarded. Copy sent to Debian Telepathy maintainers <pkg-telepathy-maintainers@lists.alioth.debian.org>. (Sun, 27 Jan 2013 16:54:03 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Daniel Pocock <daniel@pocock.com.au>
To: submit@bugs.debian.org
Subject: Empathy fails to connect to SIP proxy over TLS
Date: Sun, 27 Jan 2013 17:51:53 +0100
Package: telepathy-rakia
Version: 0.7.4-1
Severity: Serious


I've marked this serious because (a) there is no detailed error from
Empathy and (b) the SIP proxy is using a cert signed by a root in the
Debian distribution, so it should be trusted and work seamlessly.  Two
other SIP softphones (Lumicall and Jitsi) are working fine in the same
network with this TLS server.

I configured Empathy to use TLS to connect to a SIP account on a proxy
running repro

The repro proxy is on the same subnet, running v1.8.5 from wheezy.  It
has a server cert signed by the CACert.org class 3 root, expiring 2014,
4096 bit

Empathy fails to connect

Running repro in debug mode with console output, I notice this error:

 ssl/TlsConnection.cxx:161 | TLS connected
 ssl/TlsConnection.cxx:175 | TLS handshake want read
 Connection.cxx:372 | Exception on socket 31 code: 32; closing connection

In Empathy, I click the setting to ignore TLS errors, and then the
connection succeeds

Note: the repro proxy has both the server cert and the CAcert.org class
3 intermediate cert in the pem file, so the client should be able to
work the trust chain up to /etc/ssl/certs/cacert.org.pem  (CAcert.org
class 1 root)




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Telepathy maintainers <pkg-telepathy-maintainers@lists.alioth.debian.org>:
Bug#699103; Package telepathy-rakia. (Sun, 27 Jan 2013 17:03:12 GMT) Full text and rfc822 format available.

Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Telepathy maintainers <pkg-telepathy-maintainers@lists.alioth.debian.org>. (Sun, 27 Jan 2013 17:03:12 GMT) Full text and rfc822 format available.

Message #10 received at 699103@bugs.debian.org (full text, mbox):

From: Julien Cristau <jcristau@debian.org>
To: Daniel Pocock <daniel@pocock.com.au>, 699103@bugs.debian.org
Subject: Re: Bug#699103: Empathy fails to connect to SIP proxy over TLS
Date: Sun, 27 Jan 2013 17:01:51 +0000
[Message part 1 (text/plain, inline)]
Control: severity -1 important

On Sun, Jan 27, 2013 at 17:51:53 +0100, Daniel Pocock wrote:

> Package: telepathy-rakia
> Version: 0.7.4-1
> Severity: Serious
> 
> 
> I've marked this serious because (a) there is no detailed error from
> Empathy and (b) the SIP proxy is using a cert signed by a root in the
> Debian distribution, so it should be trusted and work seamlessly.  Two
> other SIP softphones (Lumicall and Jitsi) are working fine in the same
> network with this TLS server.
> 
Yeah, no.

Cheers,
Julien
[signature.asc (application/pgp-signature, inline)]

Severity set to 'important' from 'serious' Request was from Julien Cristau <jcristau@debian.org> to 699103-submit@bugs.debian.org. (Sun, 27 Jan 2013 17:03:12 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Telepathy maintainers <pkg-telepathy-maintainers@lists.alioth.debian.org>:
Bug#699103; Package telepathy-rakia. (Sun, 27 Jan 2013 18:18:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Daniel Pocock <daniel@pocock.com.au>:
Extra info received and forwarded to list. Copy sent to Debian Telepathy maintainers <pkg-telepathy-maintainers@lists.alioth.debian.org>. (Sun, 27 Jan 2013 18:18:03 GMT) Full text and rfc822 format available.

Message #17 received at 699103@bugs.debian.org (full text, mbox):

From: Daniel Pocock <daniel@pocock.com.au>
To: Julien Cristau <jcristau@debian.org>
Cc: 699103@bugs.debian.org
Subject: Re: Bug#699103: Empathy fails to connect to SIP proxy over TLS
Date: Sun, 27 Jan 2013 19:15:05 +0100
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256



On 27/01/13 18:01, Julien Cristau wrote:
> Control: severity -1 important
> 
> On Sun, Jan 27, 2013 at 17:51:53 +0100, Daniel Pocock wrote:
> 
>> Package: telepathy-rakia Version: 0.7.4-1 Severity: Serious
>> 
>> 
>> I've marked this serious because (a) there is no detailed error
>> from Empathy and (b) the SIP proxy is using a cert signed by a
>> root in the Debian distribution, so it should be trusted and work
>> seamlessly.  Two other SIP softphones (Lumicall and Jitsi) are
>> working fine in the same network with this TLS server.
>> 
> Yeah, no.
> 

I should have also mentioned that Empathy is the default VoIP client
being deployed on a Debian desktop, that fact also contributes to my
feeling that this type of thing is over the threshold for being fixed
in wheezy



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBCAAGBQJRBW6oAAoJEOm1uwJp1aqDVMgQAMkmPRCVXZeKh/I+20kFMASg
IyuTe+sy1yjErm+AQOKJcIINQ7Yl0qHchSC+AAGoNrRmc7+4cQ7H8diZqwCZyOHs
p2W2iBPFqlczemD+gNXxM/QhOVs51qCO3f+fwbTPonEpy23V2I0A/IoOxauZInO2
W3DQVVh6Kts1dA3hs9QpAfbDgX749f1JT2JWtPvcQU0NwREzyu/C6sKX5ZK17sSl
ppGOfSSZvzNmoQDrv6u+zovmpaSlS2MU4McKpyIDALN2fIg8D1L3mrQI0IuANRkQ
NL3QjQj2ile62mINRPs8IWTHbwj3ypIBtHt1uC/M5minIwoK14heJKWKSsf12QJJ
tN0a+ehwGrrN+G2Yeyz2YOHpxzUZSOOvOQmOAIDXHXaK90VNgyh4u4ZOWjKtbZvw
M+YGNFtn1HL01rLF6F+0ZbZKRCV19bUOfUfzKZDl/uMBEDIGT0pyoOaD9jvvUKcv
roVw/qcEEirfYLUpgjf+3g4gzwT/G3sSGLOCae1tQHgBTDdOv1UyD0OUhWYBLaDf
Jd0kx1wEUWbDgnLcMqXbFSsnYfguZpqPhno75M/m5SnruUqBYN+3+OKju6hNIkoj
dDatFAhyN/TFUhLlv8ts3b3z9Y4+FH4KhmfUvDM0YxV/9VoBFnGGHQYldjK1H6+7
wEJMdN+F3Z1iQ6jGI5k1
=1hkJ
-----END PGP SIGNATURE-----



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Telepathy maintainers <pkg-telepathy-maintainers@lists.alioth.debian.org>:
Bug#699103; Package telepathy-rakia. (Fri, 12 Apr 2013 15:15:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Derek LaHousse <dlahouss@mtu.edu>:
Extra info received and forwarded to list. Copy sent to Debian Telepathy maintainers <pkg-telepathy-maintainers@lists.alioth.debian.org>. (Fri, 12 Apr 2013 15:15:04 GMT) Full text and rfc822 format available.

Message #22 received at 699103@bugs.debian.org (full text, mbox):

From: Derek LaHousse <dlahouss@mtu.edu>
To: 699103@bugs.debian.org
Subject: Empathy fails to connect to SIP proxy over TLS
Date: Fri, 12 Apr 2013 11:01:47 -0400
Workaround:  It appears that telepathy-rakia is looking for its list of
root CAs at ~/.sip/auth or the file ~/.sip/auth/cafile.pem.  I have
created ~/.sip and symlinked ~/.sip/auth to /etc/ssl/certs.  In a test
set of "once", it worked without selecting "ignore TLS errors".

It looks like that path comes from sofia-sip.
http://anonscm.debian.org/gitweb/?p=users/ron/sofia-sip.git;a=blob;f=libsofia-sip-ua/tport/tport_type_tls.c

Would it be wrong to change sofia-sip, in debian at least, to use the
system-ca-certificates?  I do not know where to post this information on
a wiki, for visibility for others with this issue.

Derek




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Telepathy maintainers <pkg-telepathy-maintainers@lists.alioth.debian.org>:
Bug#699103; Package telepathy-rakia. (Mon, 27 Jan 2014 13:39:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Simon McVittie <smcv@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Telepathy maintainers <pkg-telepathy-maintainers@lists.alioth.debian.org>. (Mon, 27 Jan 2014 13:39:04 GMT) Full text and rfc822 format available.

Message #27 received at 699103@bugs.debian.org (full text, mbox):

From: Simon McVittie <smcv@debian.org>
To: Derek LaHousse <dlahouss@mtu.edu>, 699103@bugs.debian.org
Cc: Daniel Pocock <daniel@pocock.com.au>, Ron Lee <ron@debian.org>
Subject: Re: Bug#699103: Empathy fails to connect to SIP proxy over TLS
Date: Mon, 27 Jan 2014 13:37:12 +0000
clone 699103 -1
severity -1 wishlist
retitle -1 interactive TLS certificate validation
tags -1 + upstream
retitle 699103 please use Debian ca-certificates as trust anchors by default
reassign 699103 libsofia-sip-ua0 1.12.11+20110422.1-2
affects 699103 telepathy-rakia
thanks

On Fri, 12 Apr 2013 at 11:01:47 -0400, Derek LaHousse wrote:
> Workaround:  It appears that telepathy-rakia is looking for its list of
> root CAs at ~/.sip/auth or the file ~/.sip/auth/cafile.pem.  I have
> created ~/.sip and symlinked ~/.sip/auth to /etc/ssl/certs.  In a test
> set of "once", it worked without selecting "ignore TLS errors".
> 
> It looks like that path comes from sofia-sip.
> http://anonscm.debian.org/gitweb/?p=users/ron/sofia-sip.git;a=blob;f=libsofia-sip-ua/tport/tport_type_tls.c
> 
> Would it be wrong to change sofia-sip, in debian at least, to use the
> system-ca-certificates?

I think that sounds like a reasonable course of action, yes.
Reassigning to sofia-sip.

If the maintainer of sofia-sip has some reason not to do that (please
reassign back if so), it might also be possible for telepathy-rakia to
set up a transient directory equivalent to ~/.sip that would do the same
thing, and push in the CAfile/CApath that way.

The ideal solution would be if telepathy-rakia could additionally use
the Telepathy ServerTLSAuthentication interface to tell UIs "this
certificate looks wrong, please deal with it" - that's what
telepathy-gabble does. This delegates handling to either Empathy or
kde-telepathy-auth-handler, which can use both system-wide configuration and
user- and desktop-specific "cert pinning" (in gnome-keyring and KWallet),
and/or prompt the user. However, I don't know whether sofia-sip has
UI for that.

I don't know SIP or sofia-sip as well as I'd like, and Telepathy's SIP experts
(the primary authors of telepathy-rakia) are no longer active in the project,
so we'd appreciate any upstream help that the VoIP team can provide.
I think this is a job for "upstream first" rather than Debian-specific
patches, though.

    S



Bug 699103 cloned as bug 736840 Request was from Simon McVittie <smcv@debian.org> to control@bugs.debian.org. (Mon, 27 Jan 2014 13:39:07 GMT) Full text and rfc822 format available.

Changed Bug title to 'please use Debian ca-certificates as trust anchors by default' from 'Empathy fails to connect to SIP proxy over TLS' Request was from Simon McVittie <smcv@debian.org> to control@bugs.debian.org. (Mon, 27 Jan 2014 13:39:10 GMT) Full text and rfc822 format available.

Bug reassigned from package 'telepathy-rakia' to 'libsofia-sip-ua0'. Request was from Simon McVittie <smcv@debian.org> to control@bugs.debian.org. (Mon, 27 Jan 2014 13:39:10 GMT) Full text and rfc822 format available.

No longer marked as found in versions telepathy-rakia/0.7.4-1. Request was from Simon McVittie <smcv@debian.org> to control@bugs.debian.org. (Mon, 27 Jan 2014 13:39:11 GMT) Full text and rfc822 format available.

Marked as found in versions sofia-sip/1.12.11+20110422.1-2. Request was from Simon McVittie <smcv@debian.org> to control@bugs.debian.org. (Mon, 27 Jan 2014 13:39:12 GMT) Full text and rfc822 format available.

Added indication that 699103 affects telepathy-rakia Request was from Simon McVittie <smcv@debian.org> to control@bugs.debian.org. (Mon, 27 Jan 2014 13:39:13 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Ron Lee <ron@debian.org>:
Bug#699103; Package libsofia-sip-ua0. (Tue, 28 Jan 2014 20:18:24 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ron <ron@debian.org>:
Extra info received and forwarded to list. Copy sent to Ron Lee <ron@debian.org>. (Tue, 28 Jan 2014 20:18:24 GMT) Full text and rfc822 format available.

Message #44 received at 699103@bugs.debian.org (full text, mbox):

From: Ron <ron@debian.org>
To: Simon McVittie <smcv@debian.org>
Cc: Derek LaHousse <dlahouss@mtu.edu>, 699103@bugs.debian.org, Daniel Pocock <daniel@pocock.com.au>
Subject: Re: Bug#699103: Empathy fails to connect to SIP proxy over TLS
Date: Wed, 29 Jan 2014 06:36:05 +1030
Hi,

On Mon, Jan 27, 2014 at 01:37:12PM +0000, Simon McVittie wrote:
> On Fri, 12 Apr 2013 at 11:01:47 -0400, Derek LaHousse wrote:
> > Workaround:  It appears that telepathy-rakia is looking for its list of
> > root CAs at ~/.sip/auth or the file ~/.sip/auth/cafile.pem.  I have
> > created ~/.sip and symlinked ~/.sip/auth to /etc/ssl/certs.  In a test
> > set of "once", it worked without selecting "ignore TLS errors".
> > 
> > It looks like that path comes from sofia-sip.
> > http://anonscm.debian.org/gitweb/?p=users/ron/sofia-sip.git;a=blob;f=libsofia-sip-ua/tport/tport_type_tls.c
> > 
> > Would it be wrong to change sofia-sip, in debian at least, to use the
> > system-ca-certificates?
> 
> I think that sounds like a reasonable course of action, yes.
> Reassigning to sofia-sip.
> 
> If the maintainer of sofia-sip has some reason not to do that (please
> reassign back if so), it might also be possible for telepathy-rakia to
> set up a transient directory equivalent to ~/.sip that would do the same
> thing, and push in the CAfile/CApath that way.

Yes, I think I'm a bit leery about unilaterally (and otherwise silently)
changing the trust path of all applications using this lib.

Though to be honest, I'm also a bit disturbed that this fallback to a
path under $HOME exists at all really.  If anything, I'd be inclined to
completely remove that, though that decision would also need more thought
and consultation with other users than I've given it so far.

I really think this should be something that individual applications set
explicitly for themselves - though having them use the system cert dir
by default may or may not be a reasonable choice for particular apps.

> The ideal solution would be if telepathy-rakia could additionally use
> the Telepathy ServerTLSAuthentication interface to tell UIs "this
> certificate looks wrong, please deal with it" - that's what
> telepathy-gabble does. This delegates handling to either Empathy or
> kde-telepathy-auth-handler, which can use both system-wide configuration and
> user- and desktop-specific "cert pinning" (in gnome-keyring and KWallet),
> and/or prompt the user. However, I don't know whether sofia-sip has
> UI for that.

I'm not all that familiar with telepathy-rakia, but most apps should
probably be setting this explicitly with NUTAG_CERTIFICATE_DIR or
similar (depending on which interface set they are using).

If they do that, then the fallback to ~/.sip/auth should never be
used at all.  How they do that, and how they let users change it
if they wish to, is again probably best as a per-app thing (unless
the app is part of some suite that shares that sort of config).

> I don't know SIP or sofia-sip as well as I'd like, and Telepathy's SIP experts
> (the primary authors of telepathy-rakia) are no longer active in the project,
> so we'd appreciate any upstream help that the VoIP team can provide.
> I think this is a job for "upstream first" rather than Debian-specific
> patches, though.

Does setting the cert dir with that tag seem like it would be a problem
for Telepathy?  I'm certainly willing to consider other ideas and input,
but this is my first impression based on what I know so far.

  Cheers,
  Ron





Information forwarded to debian-bugs-dist@lists.debian.org, Ron Lee <ron@debian.org>:
Bug#699103; Package libsofia-sip-ua0. (Wed, 29 Jan 2014 11:03:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Simon McVittie <smcv@debian.org>:
Extra info received and forwarded to list. Copy sent to Ron Lee <ron@debian.org>. (Wed, 29 Jan 2014 11:03:04 GMT) Full text and rfc822 format available.

Message #49 received at 699103@bugs.debian.org (full text, mbox):

From: Simon McVittie <smcv@debian.org>
To: Ron <ron@debian.org>
Cc: Derek LaHousse <dlahouss@mtu.edu>, 699103@bugs.debian.org, Daniel Pocock <daniel@pocock.com.au>
Subject: Re: Bug#699103: Empathy fails to connect to SIP proxy over TLS
Date: Wed, 29 Jan 2014 10:59:21 +0000
reassign 699103 telepathy-rakia 0.7.4-1
tags 699103 + upstream
thanks

On 28/01/14 20:06, Ron wrote:
> Yes, I think I'm a bit leery about unilaterally (and otherwise silently)
> changing the trust path of all applications using this lib.

Fair enough, taking this bug back. It's going to have to be an upstream
feature request, in that case.

> I'm not all that familiar with telepathy-rakia, but most apps should
> probably be setting this explicitly with NUTAG_CERTIFICATE_DIR or
> similar (depending on which interface set they are using).

/**@def NUTAG_CERTIFICATE_DIR(x)
 *
 * X.500 certificate directory
...
 * @par Values
 *    NULL terminated pathname of directory containing agent.pem and
   cafile.pem files.

So rakia will have to create a directory $certdir (either global or
per-account), symlink /etc/ssl/certs/ca-certificates.crt ->
$certdir/cafile.pem, and pass NUTAG_CERTIFICATE_DIR($certdir) to
nua_create(). Is that correct?

This seems more complicated than it needs to be, but entirely feasible.

smcv wrote:
>> The ideal solution would be if telepathy-rakia could additionally use
>> the Telepathy ServerTLSAuthentication interface to tell UIs "this
>> certificate looks wrong, please deal with it" - that's what
>> telepathy-gabble does.

Does sofia-sip have any functionality for this? It would probably be an
API intended for browser-style interactive prompting; in Telepathy we
proxy that over D-Bus, so the application checking the cert is not
necessarily actually interacting with the user, but we have the same
requirements as user-interaction in terms of "must be asynchronous". I
suspect it doesn't have this API, though?

    S




Bug reassigned from package 'libsofia-sip-ua0' to 'telepathy-rakia'. Request was from Simon McVittie <smcv@debian.org> to control@bugs.debian.org. (Wed, 29 Jan 2014 11:03:07 GMT) Full text and rfc822 format available.

No longer marked as found in versions sofia-sip/1.12.11+20110422.1-2. Request was from Simon McVittie <smcv@debian.org> to control@bugs.debian.org. (Wed, 29 Jan 2014 11:03:08 GMT) Full text and rfc822 format available.

Marked as found in versions telepathy-rakia/0.7.4-1. Request was from Simon McVittie <smcv@debian.org> to control@bugs.debian.org. (Wed, 29 Jan 2014 11:03:09 GMT) Full text and rfc822 format available.

Added tag(s) upstream. Request was from Simon McVittie <smcv@debian.org> to control@bugs.debian.org. (Wed, 29 Jan 2014 11:03:09 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Telepathy maintainers <pkg-telepathy-maintainers@lists.alioth.debian.org>:
Bug#699103; Package telepathy-rakia. (Wed, 29 Jan 2014 17:27:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ron <ron@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Telepathy maintainers <pkg-telepathy-maintainers@lists.alioth.debian.org>. (Wed, 29 Jan 2014 17:27:04 GMT) Full text and rfc822 format available.

Message #62 received at 699103@bugs.debian.org (full text, mbox):

From: Ron <ron@debian.org>
To: Simon McVittie <smcv@debian.org>, 699103@bugs.debian.org
Cc: Derek LaHousse <dlahouss@mtu.edu>, Daniel Pocock <daniel@pocock.com.au>
Subject: Re: Bug#699103: Empathy fails to connect to SIP proxy over TLS
Date: Thu, 30 Jan 2014 03:52:38 +1030
On Wed, Jan 29, 2014 at 10:59:21AM +0000, Simon McVittie wrote:
> reassign 699103 telepathy-rakia 0.7.4-1
> tags 699103 + upstream
> thanks
> 
> On 28/01/14 20:06, Ron wrote:
> > Yes, I think I'm a bit leery about unilaterally (and otherwise silently)
> > changing the trust path of all applications using this lib.
> 
> Fair enough, taking this bug back. It's going to have to be an upstream
> feature request, in that case.

Feel free to keep me in the cc for any discussion.  I'm not disinterested
in this, just far less certain that there is One True Answer that is
correct for all applications using the lib.  Who you trust to serve you
web pages may not be the same as who you trust to secure your comms.
And likewise who you trust may not be the same for all comms applications.

So it really seems like a per-app thing.  Having a fallback that should
be empty by default seems like a lesser wrong - but having it shared by
all apps still seems kind of wrong unless the user said they explicitly
wanted that for them.


> > I'm not all that familiar with telepathy-rakia, but most apps should
> > probably be setting this explicitly with NUTAG_CERTIFICATE_DIR or
> > similar (depending on which interface set they are using).
> 
> /**@def NUTAG_CERTIFICATE_DIR(x)
>  *
>  * X.500 certificate directory
> ...
>  * @par Values
>  *    NULL terminated pathname of directory containing agent.pem and
>    cafile.pem files.
> 
> So rakia will have to create a directory $certdir (either global or
> per-account), symlink /etc/ssl/certs/ca-certificates.crt ->
> $certdir/cafile.pem, and pass NUTAG_CERTIFICATE_DIR($certdir) to
> nua_create(). Is that correct?

Or you could just pass it the system dir directly if that's what you
want, but yeah, that's how I understand this should work (and how I
do it in my code).

The hardcoding of 'cafile.pem' and 'agent.pem' as the files it looks
for is an unfortunate limitation that I certainly wouldn't be sorry
to see fixed.  But only needing to pass a dir is one form of keeping
it 'simple' I guess.

> This seems more complicated than it needs to be, but entirely feasible.

I'm not sure what you see as complicated there?  I assume rakia already
has a mechanism for other user selectable configuration passed to this,
it just needs a cert_dir option, which may or may not have a default if
the user doesn't set it - whichever you decide is best.

The user certainly should be able to override this if they want to.

Or do you just mean having to futz around with creating the needed dir
and file structure?


> smcv wrote:
> >> The ideal solution would be if telepathy-rakia could additionally use
> >> the Telepathy ServerTLSAuthentication interface to tell UIs "this
> >> certificate looks wrong, please deal with it" - that's what
> >> telepathy-gabble does.
> 
> Does sofia-sip have any functionality for this? It would probably be an
> API intended for browser-style interactive prompting; in Telepathy we
> proxy that over D-Bus, so the application checking the cert is not
> necessarily actually interacting with the user, but we have the same
> requirements as user-interaction in terms of "must be asynchronous". I
> suspect it doesn't have this API, though?

If it does, then I'm not aware of it either, yeah.  You can set
TPTAG_TLS_VERIFY_POLICY to specify the automatic response to various
TLS failure modes, but there's no hook for an external or interactive
controller for that.

To add one, you'd probably want to look in tls_verify_cb in tport_tls.c
(which is the openssl verification callback).  Though I'm not certain
offhand exactly what that will block if it has to wait for user input
before knowing exactly how to proceed.  Hopefully it _should_ just be
that one socket connection thread.

So this should be doable.  But not without a new API hook for it.
Unless I'm missing something obvious.


  Cheers,
  Ron





Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 09:08:06 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.