Bug 641121 - Empathy ask to confirm certificate even if it is trusted in system stash
Status: RESOLVED FIXED
Product: empathy
Classification: Core
Component: Auth client
Version: 2.91.x
Hardware: Other Linux
Importance: Normal normal
Target Milestone: ---
Assigned To: empathy-maint
Depends on:
Blocks:
 
 
Reported: 2011-02-01 11:05 UTC by Laurent Bigonville
Modified: 2011-03-07 14:08 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
jabber.belnet.be certificate (5.45 KB, text/plain)
2011-02-01 11:11 UTC, Laurent Bigonville
empathy-auth-client logs (30.83 KB, text/plain)
2011-02-01 13:53 UTC, Laurent Bigonville

Description Laurent Bigonville 2011-02-01 11:05:32 UTC
Hi,

When connecting to jabber.belnet.be, Empathy asks me to confirm the identity of the certificate. This certificate is trusted in the system certificates stash (/etc/ssl/certs in Debian/Ubuntu).

openssl s_client -connect jabber.belnet.be:5222 -CApath /etc/ssl/certs -starttls xmpp

returns "Verify return code: 0 (ok)", which means that the chain of trust is OK.

Version: empathy 2.91.5.1, gnome-keyring 2.91.4 and telepathy-gabble 0.11.6
Comment 1 Laurent Bigonville 2011-02-01 11:11:38 UTC
Created attachment 179779
jabber.belnet.be certificate

The CN is westvleteren.belnet.be but an ALT NAME is defined as jabber.belnet.be
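
The certificate layout noted in comment 1 (subject CN differs from the server name, a SAN entry matches it) passes a standard RFC 6125-style name check, which is separate from the chain-trust lookup this bug tracks. The following is an added example, not part of the original report and not Empathy or gnome-keyring code; the function names and the sample certificate dict are constructed for illustration.

```python
# Added example: RFC 6125-style server name check over a parsed certificate.
# The dict layout mirrors what Python's ssl.SSLSocket.getpeercert() returns.

def _label_match(pattern: str, host: str) -> bool:
    """Compare one presented DNS name with the host, case-insensitively.
    A wildcard is honoured only as the complete leftmost label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Require at least two fixed labels so "*.be" cannot match.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    if "*" in pattern:
        return False  # partial or non-leftmost wildcards are rejected
    return p_labels == h_labels


def matching_name(cert: dict, host: str):
    """Return (source, name) for the entry that matches host, or None.
    If any dNSName SAN exists, the subject CN is not consulted."""
    dns_sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns_sans:
        for name in dns_sans:
            if _label_match(name, host):
                return ("SAN", name)
        return None
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and _label_match(value, host):
                return ("CN", value)
    return None


# Constructed sample shaped like the certificate described in comment 1.
SAMPLE_CERT = {
    "subject": ((("commonName", "westvleteren.belnet.be"),),),
    "subjectAltName": (("DNS", "jabber.belnet.be"),),
}

if __name__ == "__main__":
    for host in ("jabber.belnet.be", "JABBER.belnet.be", "westvleteren.belnet.be"):
        print(host, "->", matching_name(SAMPLE_CERT, host))
```
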
Comment 2 Laurent Bigonville 2011-02-01 13:53:13 UTC
Created attachment 179792
empathy-auth-client logs

I can see this in the logs:

(empathy-auth-client:17343): empathy-DEBUG: abort_verification: Verification error 6, aborting...
(empathy-auth-client:17343): empathy-DEBUG: verifier_verify_cb: Error: TLS verification failed with reason 6
Comment 3 Frederic Crozat 2011-02-18 09:33:24 UTC
Similar issue with the Google Talk server.
Comment 4 Stef Walter 2011-02-28 14:51:28 UTC
I think this in the logs shows us what the problem may be:

** (empathy-auth-client:17343): WARNING **: couldn't parse /etc/xdg/pkcs11.conf.defaults file: Aucun fichier ou dossier de ce type

Does this fix (to gnome-keyring) help? bug #643491
Comment 5 Stef Walter 2011-03-01 09:23:20 UTC
Bug #643491 is now merged into gnome-keyring. This should fix the problem. Please reopen if it doesn't. Thanks!
Comment 6 Laurent Bigonville 2011-03-01 14:11:30 UTC
This doesn't look fixed, reopening.
Comment 7 Laurent Bigonville 2011-03-01 15:23:38 UTC
Looks like gcr_certificate_chain_get_status() is wrongly returning GCR_CERTIFICATE_CHAIN_SELFSIGNED.
Comment 8 Stef Walter 2011-03-02 18:10:19 UTC
Okay, should be fixed in gnome-keyring master now. Was an upper/lower case mismatch in the URI. *blush*

commit 32612934c1ae47376c5197bcb79742ff3df00094
Author: Stef Walter <stefw@collabora.co.uk>
Date:   Wed Mar 2 19:01:43 2011 +0100

    Make the library-manufacturer in the trust uris actually match.
    
    https://bugzilla.gnome.org/show_bug.cgi?id=641121


Could you verify that it now works for you? And then we'll close this ticket.
Comment 9 Laurent Bigonville 2011-03-07 14:08:52 UTC
OK, this is fixed; part of the problem was a missing PKCS11 module.