After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 634489 - No checkbox to remember SSL certificate if CN doesn't match
No checkbox to remember SSL certificate if CN doesn't match
Status: RESOLVED DUPLICATE of bug 636258
Product: empathy
Classification: Core
Component: Auth client
2.32.x
Other Linux
: Normal normal
: ---
Assigned To: empathy-maint
: 636218 (view as bug list)
Depends on: 636258
Blocks:
 
 
Reported: 2010-11-10 09:25 UTC by Laurent Bigonville
Modified: 2010-12-13 20:40 UTC
See Also:
GNOME target: ---
GNOME version: ---



Description Laurent Bigonville 2010-11-10 09:25:37 UTC
Hi,

Empathy doesn't propose to remember a SSL certificate if the CN (or alternative dns) doesn't match the one that is expected.

I guess this case should also be added
Comment 1 Guillaume Desmottes 2010-11-10 15:54:03 UTC
From empathy_tls_dialog_constructed:

  /* FIXME: right now we do this only if the error is SelfSigned, as we can
   * easily store the new CA cert in $XDG_CONFIG_DIR/telepathy/certs in that
   * case. For the other errors, we probably need a smarter/more powerful
   * certificate storage.
   */
  if (priv->reason == EMP_TLS_CERTIFICATE_REJECT_REASON_SELF_SIGNED)
    /* Add remember checkbox */

As said in the comment, atm we only display the remember checkbox if the certificate has been rejected because it's self signed.

Cosimo: what's the reason of this? That's because certificates in $XDG_CONFIG_DIR/telepathy/certs are not threated in any different way and just "sourced" with system certificates?

Would we be able to solve this issue by treating $XDG_CONFIG_DIR/telepathy/certs as a "white" list of certificates instead?
Comment 2 Cosimo Cecchi 2010-11-10 16:46:48 UTC
(In reply to comment #1)

> Cosimo: what's the reason of this? That's because certificates in
> $XDG_CONFIG_DIR/telepathy/certs are not threated in any different way and just
> "sourced" with system certificates?
> 
> Would we be able to solve this issue by treating
> $XDG_CONFIG_DIR/telepathy/certs as a "white" list of certificates instead?

That's basically because of the way the X.509 certificate trust chain works: when you get a certificate chain from a server you check each certificate against the next one, and the last before the CA one against the trusted Certification Authority certificates you have on your computer, which are by definition self-signed by the authority itself and "blindly" trusted.
When you get a self-signed error, it means that the last certificate in the chain is self-signed, but it's not a CA you already have in your list, so "saving the preference" in that case is as easy as copying that certificate in a trusted directory, so that the next time the same chain is verified, the last cert before the CA one will be verified against the cert we saved.

For cases which the error is not self-signed, it's not sufficient to store the CA, as the error lies somewhere else, so you need to actually store an exception somewhere, a bit like firefox does.
The best place to store that assertion would be gnome-keyring. I know there has been some work going on here [1] to allow that (and much more). CC-ing Stef to understand better. Otherwise you could probably store the certificate itself as a proof of exception in a directory, and try to match fingerprints of such exceptions when you connect again to a server.

[1] http://git.gnome.org/browse/gnome-keyring/log/?h=trust-store and basically http://git.gnome.org/browse/gnome-keyring/tree/gcr/gcr-trust.h?h=trust-store
Comment 3 Guillaume Desmottes 2010-11-15 09:28:54 UTC
bug #634891 is about self signed certificates not having the CA flag.
Comment 4 Paul Tagliamonte 2010-12-01 15:46:44 UTC
*** Bug 636218 has been marked as a duplicate of this bug. ***
Comment 5 Stef Walter 2010-12-13 20:40:34 UTC
This will be fixed by bug #636258.

*** This bug has been marked as a duplicate of bug 636258 ***