Summary: | kopete jabber certificate problem | ||
---|---|---|---|
Product: | [Unmaintained] kopete | Reporter: | M G Berberich <kde> |
Component: | Jabber Plugin | Assignee: | Kopete Developers <kopete-bugs-null> |
Status: | RESOLVED UNMAINTAINED | ||
Severity: | normal | CC: | kde.org_2, pacini409, sven.burmeister |
Priority: | NOR | ||
Version: | 0.12.3 | ||
Target Milestone: | --- | ||
Platform: | unspecified | ||
OS: | Linux | ||
Latest Commit: | Version Fixed In: | ||
Sentry Crash Report: |
Description
M G Berberich
2007-05-01 12:07:49 UTC
Same here happens to me (on server gabbler.org) ...but the warning I get says that the certificate is only self-signed (it's a CAcert) I can confirm that it's apparently not possible to add certificates to Kopete. It would be great if a dev could maybe provide a workaround or simply acknowledge that the problem exists. If that's needed, I could provide him/her with an account on a server with a working CAcert certificate. the "problem" is that kopete uses QCA which is not hooked into KDE's certificate stuff. there is no workaround. So, if I read http://websvn.kde.org/trunk/kdesupport/qca/certs/ correctly, QCA is using a hardcoded bunch of root certs, with no way to insert others at runtime? That's pretty sad, especially for a protocol like Jabber, where everyone can set up his own server, even without paying VeriSign or whoever. I know that there's the possibility to check a "no certificate warnings" box, but that is not really an option, because it makes you vulnerable against man-in-the-middle attacks and the like. There's no "permanently accept _this_ certificate" option. I don't know about the QCA API, but wouldn't it at least be possible to add a whitelist of certificate fingerprints somewhere (maybe even manually in kopeterc) and not issue a warning for those? In the long run, of course, it would be cool if QCA would be able to handle KDE's "certificate stuff" or learn new (root) certificates in any other way. I'm curious: How do other KDE apps handle SSL/TLS stuff, honouring KDE's central certificate system, and why doesn't Kopete do it that way as well? Since Psi uses QCA it should be possible to add new CA-certs, since it does work in Psi. This is really a serious issue since it makes the user ignore SSL-warnings because one is annoyed by false alarms and gets used to just clicking ok. QCA is extremely flexible with regards to the root certificates. Even QCA v1 was this way (and indeed, you could add certs into Psi 0.10 and all prior releases based on QCA v1, dating back to 2003). With QCA v2, there is additionally a notion of "system" root certificates, which gives you easy access to the root certificate storage of your operating system. If your OS does not support its own root certificates, then QCA bundles a copy of the Mozilla roots for the occasion (this is what you found in the qca/certs/ dir in SVN). It is also possible to add alternative system certificate storage support via plugins. Please note that using the system roots requires a voluntary call to QCA::systemStore(). You are totally in control of what certs count as root certs, and you can even read from your own files and build your own list at runtime, etc, just like with QCA v1. So yeah, Kopete could do this. It just doesn't. I had to write this because the comments on this bug were horrifying. :) *** This bug has been confirmed by popular vote. *** In kopete 0.12, this can't be done. The pertinent bit of code is in kopete/protocols/jabber/jabberclient.cpp: QPtrList<QCA::Cert> certStore; d->jabberTLS->setCertificateStore ( certStore ); Yes, that's an empty certificate store list. I've hacked around in QCA-TLS to get it to add the certificates in $OPENSSL/certs and I've also hacked around in kopete to get it to add the certificates from KDE's certificate store. There's also a bug where Kopete then tries to validiate the server certificate against the IM domain rather than the server hostname. This keeps it from working correctly for at least talk.google.com. I've got an awfulhack which fixes this too, but it requires changing a private mHost to public and blindly upcasting from XMPP::Connector to a JabberConnector... yikes. Would a kopete developer like patches? I'm using kopete 0.50.80 from Kubuntu packages and can't reproduce that bug here. Please update to newer version as we don't have manpower to support Kopete in KDE 3. If you still see this bug in new version please reopen this bug report. Hi, I found some the same certificate problems in the last Kopete. When I connect to talk.google.com kopete says that the certificate is invalid. I I click cancel and i try to connect again, everything works. The fact is that it doesn't even show the certificates details and i don't know how to save the certificate locally for a successive check. Regards |