KTP TLS validation problems with SIP
Diane Trout
diane at ghic.org
Mon Jan 5 06:28:06 UTC 2015
I discovered a non-obvious solution to a TLS issue when trying to connect to a
SIP proxy.
The Accounts tab just kept reporting connection failed without giving any
useful feedback why. I recently discovered how to get debugging messages from:
org.freedesktop.Telepathy.Connection.sofiasip.sip.<account>
/org/freedesktop/Telepathy/debug
org.freedesktop.Telepathy.Debug.GetMessages
That reported a detailed error message about failing to validate the
certificate chain.
I was confused as I was using a real (StartCom) certificate whose root
certificate is available in both /etc/ssl/certs and KDE System Settings > SSL
Preferences.
I then discovered buried in the NEWS for telepathy-rakia:
- Verify the validity of TLS certificates presented by SIP connection peers.
This change is disruptive: it relies on root CA certificates being available
to sofia-sip in the default verification path ``~/.sip/auth`` or file
``~/.sip/auth/cafile.pem``, or sofia-sip changed to use OpenSSL library
defaults for verification path (sf.net #3306245).
The connection parameter "ignore-tls-errors" is added to disable
verification.
Once I stuck the root certificate in ~/.sip/auth/cafile.pem it could connect;
however, that leaves a whole host of user-unfriendly problems there.
1) ktp should give a better error message preferably about why the certificate
is invalid
2) the "ignore-tls-errors" setting should be made visible in the advanced
account configuration dialog in kde-telepathy
3) there really should be some way of either setting the certificate via dbus,
or at least some method to help the user put the root certificate in the right
spot.
(At the very least posting this should hopefully make the work-around
available to search engines).
Diane
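As an added example, not part of Diane's post: a small POSIX shell helper that lists the live sofiasip connection bus names, pulls the GetMessages log the post refers to, and installs a root certificate into the cafile.pem location the telepathy-rakia NEWS entry names, so verification stays on instead of being switched off with "ignore-tls-errors". It assumes gdbus (from GLib) is installed; the function names and the destination argument are my own.

```shell
#!/bin/sh
# Added example, not code from the original post or from telepathy-rakia.
# Assumes gdbus (GLib) is available on the session bus.

# List bus names of running sofiasip connections; the trailing part is the
# <account> placeholder from the post.
sip_connection_names() {
    gdbus call --session --dest org.freedesktop.DBus \
        --object-path /org/freedesktop/DBus \
        --method org.freedesktop.DBus.ListNames \
        | tr ',' '\n' \
        | grep -o 'org\.freedesktop\.Telepathy\.Connection\.sofiasip\.sip\.[A-Za-z0-9_]*'
}

# Dump the connection's buffered debug messages (the method named in the post).
# $1: a bus name returned by sip_connection_names
sip_debug_messages() {
    gdbus call --session --dest "$1" \
        --object-path /org/freedesktop/Telepathy/debug \
        --method org.freedesktop.Telepathy.Debug.GetMessages
}

# Append a PEM root certificate to sofia-sip's CA file without duplicating it.
# $1: root certificate in PEM form; $2: destination (default: the path sofia-sip reads)
install_sip_cafile() {
    root="$1"
    dest="${2:-$HOME/.sip/auth/cafile.pem}"
    grep -q 'BEGIN CERTIFICATE' "$root" || {
        echo "not a PEM certificate: $root" >&2
        return 1
    }
    mkdir -p "$(dirname "$dest")" && chmod 700 "$(dirname "$dest")"
    # Use the first base64 line of the certificate as a cheap presence check.
    key=$(sed -n '2p' "$root")
    if [ -f "$dest" ] && grep -qxF "$key" "$dest"; then
        return 0
    fi
    cat "$root" >> "$dest" && chmod 600 "$dest"
}
```

After installing the certificate, restart the SIP account and re-run sip_debug_messages to confirm the chain validation error is gone.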