<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Jan 5, 2015 at 7:28 AM, Diane Trout <span dir="ltr">&lt;<a href="mailto:diane@ghic.org" target="_blank">diane@ghic.org</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I discovered a non-obvious solution to a TLS issue when trying to connect to a<br>
SIP proxy.<br>
<br>
The Accounts tab just kept reporting connection failed without giving any<br>
useful feedback why. I recently discovered how to get debugging messages from:<br>
<br>
org.freedesktop.Telepathy.Connection.sofiasip.sip.&lt;account&gt;<br>
/org/freedesktop/Telepathy/debug<br>
org.freedesktop.Telepathy.Debug.GetMessages<br>
<br>
That reported a detailed error message about failing to validate the<br>
certificate chain.<br>
<br>
I was confused as I was using a real (StartCom) certificate whose root<br>
certificate is available in both /etc/ssl/certs and KDE System Settings > SSL<br>
Preferences.<br>
<br>
I then discovered buried in the NEWS for telepathy-rakia:<br>
<br>
- Verify the validity of TLS certificates presented by SIP connection peers.<br>
This change is disruptive: it relies on root CA certificates being available<br>
to sofia-sip in the default verification path ``~/.sip/auth`` or file<br>
``~/.sip/auth/cafile.pem``, or sofia-sip changed to use OpenSSL library<br>
defaults for verification path (<a href="http://sf.net" target="_blank">sf.net</a> #3306245).<br>
The connection parameter "ignore-tls-errors" is added to disable<br>
verification.<br>
<br>
Once I stuck the root certificate in ~/.sip/auth/cafile.pem it could connect,<br>
however, that's a whole host of user-unfriendly problems there.<br>
<br></blockquote><div>Thanks for looking into this.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
1) ktp should give a better error message preferably about why the certificate<br>
is invalid </blockquote><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
2) the "ignore-tls-errors" setting should be made visible in the advanced<br>
account configuration dialog in kde-telepathy<br></blockquote><div><br></div><div>At least this one should be easy to do.</div><div><br></div><div>If you don't have time to add this yourself, could you add a bug report so it's not forgotten?</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
3) there really should be some way of either setting the certificate via dbus,<br>
or at least some method to help the user put the root certificate in the right<br>
spot.<br>
<br>
(At the very least posting this should hopefully make the work-around<br>
available to search engines).<br>
<br>
Diane<br>
_______________________________________________<br>
KDE-Telepathy mailing list<br>
<a href="mailto:KDE-Telepathy@kde.org">KDE-Telepathy@kde.org</a><br>
<a href="https://mail.kde.org/mailman/listinfo/kde-telepathy" target="_blank">https://mail.kde.org/mailman/listinfo/kde-telepathy</a><br>
</blockquote></div><br></div></div>
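<div>The work-around described in this thread (placing the root CA in ~/.sip/auth/cafile.pem so that verification can stay enabled instead of setting "ignore-tls-errors"), as an added example that is not part of the original messages or of telepathy-rakia. The function names install_sip_ca and bundle_fingerprints are hypothetical, and the openssl command-line tool is assumed to be installed.</div>

```shell
#!/bin/sh
# Added example: append a root CA to sofia-sip's per-user trust file.
# The path is the one named in the telepathy-rakia NEWS entry quoted above;
# the function names are hypothetical.

# Print the SHA-256 fingerprint of every certificate in a PEM bundle.
bundle_fingerprints() {
    [ -s "$1" ] || return 0
    awk '/-----BEGIN CERTIFICATE-----/ { buf = ""; in_cert = 1 }
         in_cert { buf = buf $0 "\n" }
         /-----END CERTIFICATE-----/ {
             cmd = "openssl x509 -noout -fingerprint -sha256 2>/dev/null"
             printf "%s", buf | cmd; close(cmd); in_cert = 0
         }' "$1" | cut -d= -f2
}

# install_sip_ca FILE: validate FILE and add it to ~/.sip/auth/cafile.pem.
# Returns 0 on success or if already present, 2 if FILE is not a
# certificate, 3 if it has expired.
install_sip_ca() {
    src=$1
    dir="$HOME/.sip/auth"
    bundle="$dir/cafile.pem"

    # Refuse anything that does not parse as an X.509 certificate.
    fp=$(openssl x509 -in "$src" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2)
    [ -n "$fp" ] || { echo "not a PEM certificate: $src" >&2; return 2; }

    # -checkend 0 fails when the certificate is already past notAfter.
    openssl x509 -in "$src" -noout -checkend 0 >/dev/null ||
        { echo "certificate has expired: $src" >&2; return 3; }

    # Do not add the same trust anchor twice.
    if bundle_fingerprints "$bundle" | grep -qxF "$fp"; then
        echo "already trusted: $fp"
        return 0
    fi

    mkdir -p "$dir"
    # Re-encode so that only the certificate is appended, never a private
    # key or stray text that happened to be in the source file.
    openssl x509 -in "$src" -outform PEM >> "$bundle"
    # A trust store must not be writable by other users.
    chmod go-w "$dir" "$bundle"
    echo "added: $fp"
}
```

<div>Compare the printed fingerprint with the one the CA publishes before relying on the result, since every certificate in this file becomes a trust anchor for SIP connections.</div>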