Bug 23491 - Untrusted SSL certificates are handled badly; should implement interactive certificate verification channels
Status: RESOLVED MOVED
Alias: None
Product: Telepathy
Classification: Unclassified
Component: haze
Version: unspecified
Hardware: x86 (IA32) Linux (All)
Importance: medium normal
Assignee: Telepathy bugs list
QA Contact: Telepathy bugs list
Duplicates: 18271 19018
Depends on: 29018
 
Reported: 2009-08-24 13:12 UTC by Chris Crisafulli
Modified: 2019-12-03 20:05 UTC (History)

Attachments
This is the version info Ubuntu I'm running, and package versioning info (795 bytes, text/plain)
2009-08-24 13:12 UTC, Chris Crisafulli
ugly workaround (4.54 KB, patch)
2011-06-10 05:01 UTC, Frederic Crozat
0.8-cert-workaround.patch (4.44 KB, patch)
2013-11-22 16:39 UTC, Maksim Melnikau
certificate.workaround.patch (3.85 KB, patch)
2015-10-15 23:58 UTC, Leonardo

Description Chris Crisafulli 2009-08-24 13:12:45 UTC
Created attachment 28888
This is the version info Ubuntu I'm running, and package versioning info

Expected Behavior: Once you open Empathy, go to Accounts and create a Groupwise
Messenger account. After closing the created account, you should be connected to
the Groupwise Messenger server without any further action required on the user's
part.

What Actually Occurs: The Groupwise Messenger account is created, but does not
open/connect. If you go back to the accounts area you will see that the
Groupwise Messenger account icon indicator is flashing, which alerts that there
is an issue with the account not connecting properly.

Discovered Workaround:
cp ~/.purple/certificates/x509/tls_peers/<gwmessenger_servername> /tmp/haze-<random_generated_per_session>/certificates/x509/tls_peers

It seems as though when a new empathy session is started, a new
/tmp/haze-<random_generated_per_session>/certificates/x509/tls_peers is
created.

The groupwise session certificate needs to be copied from the
~/.purple/certificates/x509/tls_peers directory to the /tmp/haze- directory
generated with the connection.

The current version I am using is from the Ubuntu Daily PPA 2.27.5, but this
has occurred in all of the earlier versions that I have tried. This is not
limited to the packaged versions from Ubuntu as this occurs in OpenSuse 11 and
Fedora too, at least in a virtual environment.

Please let me know if this isn't clear enough or more information is needed.

Thanks for all of your time and effort with Empathy!

Chris Crisafulli
Comment 1 Brandon 2009-11-10 15:58:57 UTC
I am experiencing this as well... it is pretty annoying. Running Ubuntu 9.10 x64, Empathy version 2.28.1.1-0ubuntu1, telepathy-haze version 0.3.2-1.

Is this related to bug 17907?
Comment 2 Alan McGovern 2010-09-06 01:33:52 UTC
Same issue with the latest empathy (2.30.1) in OpenSUSE 11.3. Is there any chance at all that this issue can be fixed? If the real fix is to simply copy the certificate to the correct path as described in the bug report, that's only a couple of lines of code including error checking. Could that not just be added?
Comment 3 Alan McGovern 2010-09-06 02:09:36 UTC
Just some further info:

If I try to connect using Pidgin, I get presented with a prompt about receiving an untrusted certificate. I have the option to accept it or reject it. I'm told what needs to be done is to update empathy/haze to present a similar dialog when it tries to access the groupwise server.
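
The accept-or-reject decision described in comment 3, sketched as an added example (not code from Pidgin, libpurple or telepathy-haze): a per-host pin store using the tls_peers layout named in this report, where an unknown host needs a user decision and a changed certificate is never trusted silently. The function names, the host name and the byte strings standing in for certificates are constructed for illustration.

```python
import hashlib
import ssl
import tempfile
from pathlib import Path


def fingerprint(pem: str) -> str:
    """SHA-256 of the DER bytes: the value a prompt would show the user."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def pin_path(store: Path, hostname: str) -> Path:
    # The host name becomes a file name, so refuse anything that could escape the store.
    if hostname in ("", ".", "..") or "/" in hostname or "\0" in hostname:
        raise ValueError(f"unsafe host name: {hostname!r}")
    return store / hostname


def check_peer(store: Path, hostname: str, presented_pem: str) -> str:
    """Classify a presented certificate against the per-host pin."""
    pinned = pin_path(store, hostname)
    if not pinned.is_file():
        return "unknown"    # first contact: the user must accept or reject
    if fingerprint(pinned.read_text()) == fingerprint(presented_pem):
        return "trusted"    # same certificate the user accepted earlier
    return "mismatch"       # certificate changed: never replace the pin silently


def accept_peer(store: Path, hostname: str, presented_pem: str) -> None:
    """Record the pin; call only after the user explicitly accepted."""
    store.mkdir(parents=True, exist_ok=True, mode=0o700)
    pin_path(store, hostname).write_text(presented_pem)


def demo() -> list:
    # Constructed bytes stand in for DER certificates (the PEM helpers only handle base64).
    cert_a = ssl.DER_cert_to_PEM_cert(b"constructed certificate A")
    cert_b = ssl.DER_cert_to_PEM_cert(b"constructed certificate B")
    with tempfile.TemporaryDirectory() as tmp:
        store = Path(tmp) / "certificates" / "x509" / "tls_peers"
        host = "gw.example.test"                       # constructed host name
        first = check_peer(store, host, cert_a)        # nothing pinned yet
        accept_peer(store, host, cert_a)               # user chose "accept"
        again = check_peer(store, host, cert_a)
        return [first, again, check_peer(store, host, cert_b)]


if __name__ == "__main__":
    print(demo())
```

A file copied into the store by hand takes the `accept_peer` path without anyone having looked at the fingerprint, which is the step the prompt exists to provide.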
Comment 4 Will Thompson 2010-09-06 02:14:12 UTC
As discussed on IRC, the correct solution is not to copy certificates around wildly; it's to implement the API discussed on bug 29018.
Comment 5 Will Thompson 2010-09-06 02:15:32 UTC
*** Bug 19018 has been marked as a duplicate of this bug. ***
Comment 6 Frederic Crozat 2011-06-10 04:05:02 UTC
*** Bug 18271 has been marked as a duplicate of this bug. ***
Comment 7 Frederic Crozat 2011-06-10 05:01:13 UTC
Created attachment 47806
ugly workaround

I've stripped Will Thompson's "work in progress" patch for certs, which only tries to copy certs from ~/.local/share/telepathy-haze/certificates/ to the haze session directory, and it "works" as expected.

This is clearly a workaround until the certificate APIs are implemented in haze.
Comment 8 Bilal shahid 2012-04-08 02:47:28 UTC
Any workaround on this?
Comment 9 Maksim Melnikau 2013-11-22 16:39:40 UTC
Created attachment 89647
0.8-cert-workaround.patch

cert workaround patch reworked for telepathy-haze-0.8.0
Comment 10 Pacho Ramos 2013-12-24 13:36:23 UTC
Any updates here?
Comment 11 Simon McVittie 2014-01-03 14:11:05 UTC
(In reply to comment #10)
> Any updates here?

Not until/unless...

(In reply to comment #4)
> As discussed on IRC, the correct solution is not to copy certificates around
> wildly; it's to implement the API discussed on bug 29018.

... someone does that, and puts the result here for review.

(I don't currently have time to implement that, and am not volunteering.)
Comment 12 Iven Hsu 2014-09-05 07:36:25 UTC
For those who are facing this issue, you don't have to copy the certificates every time you log in.

Just copy the certificates from `~/.purple/certificates/x509/tls_peers/<servername>` to `/etc/ssl/certs/<servername>.pem`, and kill the telepathy-haze process using `pkill telepathy-haze`.

Disable and re-enable your account, and you'll log in successfully.
Comment 13 Leonardo 2015-10-15 23:56:15 UTC
Hi guys, first of all, I am not a C programmer, so I changed the source a little bit so that telepathy-haze won't use the /tmp/haze-xxxx/ directory to handle the certificates anymore and instead uses the home directory ~/.haze/

Download the source code 0.8.0
Apply the patch on main.c

The procedure is to copy all certificates once to ~/.haze/certificates/x509/tls_peers/

and start the telepathy...

I hope this helps.

PS: Sorry about my English...
Comment 14 Leonardo 2015-10-15 23:58:56 UTC
Created attachment 118909
certificate.workaround.patch

telepathy-haze 0.8.0 path certificates
Comment 15 GitLab Migration User 2019-12-03 20:05:33 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/telepathy/telepathy-haze/issues/19.