KTP TLS validation problems with SIP

David Edmundson david at davidedmundson.co.uk
Mon Jan 5 15:43:17 UTC 2015


On Mon, Jan 5, 2015 at 7:28 AM, Diane Trout <diane at ghic.org> wrote:

> I discovered a non-obvious solution to a TLS issue when trying to connect to a
> SIP proxy.
>
> The Accounts tab just kept reporting connection failed without giving any
> useful feedback why. I recently discovered how to get debugging messages
> from:
>
> org.freedesktop.Telepathy.Connection.sofiasip.sip.<account>
>  /org/freedesktop/Telepathy/debug
>  org.freedesktop.Telepathy.Debug.GetMessages
>
> That reported a detailed error message about failing to validate the
> certificate chain.
>
> I was confused as I was using a real (StartCom) certificate whose root
> certificate is available in both /etc/ssl/certs and KDE System Settings > SSL
> Preferences.
>
> I then discovered buried in the NEWS for telepathy-rakia:
>
> - Verify the validity of TLS certificates presented by SIP connection peers.
>   This change is disruptive: it relies on root CA certificates being available
>   to sofia-sip in the default verification path ``~/.sip/auth`` or file
>   ``~/.sip/auth/cafile.pem``, or sofia-sip changed to use OpenSSL library
>   defaults for verification path (sf.net #3306245).
>   The connection parameter "ignore-tls-errors" is added to disable
>   verification.
>
> Once I stuck the root certificate in ~/.sip/auth/cafile.pem it could connect,
> however that's a whole host of user-unfriendly problems there.
>
> Thanks for looking into this.


> 1) ktp should give a better error message preferably about why the
> certificate is invalid

> 2) the "ignore-tls-errors" setting should be made visible in the advanced
> account configuration dialog in kde-telepathy
>

At least this one should be easy to do.

If you don't have time to add this yourself could you add a bug report so
it's not forgotten.


> 3) there really should be some way of either setting the certificate via dbus,
> or at least some method to help the user put the root certificate in the right
> spot.
>
> (At the very least posting this should hopefully make the work-around
> available to search engines).
>
> Diane
> _______________________________________________
> KDE-Telepathy mailing list
> KDE-Telepathy at kde.org
> https://mail.kde.org/mailman/listinfo/kde-telepathy
>
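The workaround Diane describes, checked offline as an added example (not code from the thread or from telepathy-rakia): it builds a throwaway CA and proxy certificate with openssl, then shows the same chain failing before and passing after the root is placed in ~/.sip/auth/cafile.pem. The CA, the proxy name and SIP_HOME are constructed; the real ~/.sip is left alone.

```shell
#!/bin/sh
# Added example, not code from the thread or from telepathy-rakia: reproduce
# the failure Diane hit. sofia-sip validates the SIP peer's certificate
# against ~/.sip/auth/cafile.pem, so a root that only lives in
# /etc/ssl/certs does not help. A throwaway CA and a leaf cert for a
# hypothetical proxy are generated here (constructed data); SIP_HOME stands
# in for $HOME so the real ~/.sip is never touched. Requires `openssl`.
set -e

SIP_HOME=$(mktemp -d)
trap 'rm -rf "$SIP_HOME"' EXIT
CAFILE="$SIP_HOME/.sip/auth/cafile.pem"
WORK="$SIP_HOME/work"
mkdir -p "$SIP_HOME/.sip/auth" "$WORK"

# Throwaway root CA (plays the role of the StartCom root in the thread).
openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
  -subj "/CN=Example Test Root CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

# Leaf certificate for the hypothetical SIP proxy, signed by that CA.
openssl req -newkey rsa:2048 -nodes -subj "/CN=sip.example.invalid" \
  -keyout "$WORK/proxy.key" -out "$WORK/proxy.csr" >/dev/null 2>&1
openssl x509 -req -days 2 -in "$WORK/proxy.csr" -CA "$WORK/ca.pem" \
  -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/proxy.pem" >/dev/null 2>&1

# verify_sip_chain CAFILE LEAF: exit 0 if LEAF chains to a root in CAFILE.
# -no-CAfile/-no-CApath drop OpenSSL's default trust locations, matching
# the NEWS entry's point that sofia-sip does not consult them.
verify_sip_chain() {
  if [ -s "$1" ]; then
    openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
  else
    openssl verify -no-CAfile -no-CApath "$2" >/dev/null 2>&1
  fi
}

# Before the workaround: cafile.pem is absent, so the chain cannot validate.
if verify_sip_chain "$CAFILE" "$WORK/proxy.pem"; then BEFORE=ok; else BEFORE=fail; fi

# The workaround from the thread: put the root certificate in cafile.pem.
cat "$WORK/ca.pem" >> "$CAFILE"
if verify_sip_chain "$CAFILE" "$WORK/proxy.pem"; then AFTER=ok; else AFTER=fail; fi

echo "before adding root to ~/.sip/auth/cafile.pem: $BEFORE"
echo "after adding root to ~/.sip/auth/cafile.pem:  $AFTER"
```

The same `openssl verify -CAfile ~/.sip/auth/cafile.pem <proxy cert>` check, run against the certificate the real proxy presents, tells you whether the chain problem is on the sofia-sip side before you reach for "ignore-tls-errors".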