GNOME Bugzilla – Bug 634489
No checkbox to remember SSL certificate if CN doesn't match
Last modified: 2010-12-13 20:40:34 UTC
Hi, Empathy doesn't propose to remember a SSL certificate if the CN (or alternative dns) doesn't match the one that is expected. I guess this case should also be added
From empathy_tls_dialog_constructed: /* FIXME: right now we do this only if the error is SelfSigned, as we can * easily store the new CA cert in $XDG_CONFIG_DIR/telepathy/certs in that * case. For the other errors, we probably need a smarter/more powerful * certificate storage. */ if (priv->reason == EMP_TLS_CERTIFICATE_REJECT_REASON_SELF_SIGNED) /* Add remember checkbox */ As said in the comment, atm we only display the remember checkbox if the certificate has been rejected because it's self signed. Cosimo: what's the reason of this? That's because certificates in $XDG_CONFIG_DIR/telepathy/certs are not threated in any different way and just "sourced" with system certificates? Would we be able to solve this issue by treating $XDG_CONFIG_DIR/telepathy/certs as a "white" list of certificates instead?
(In reply to comment #1) > Cosimo: what's the reason of this? That's because certificates in > $XDG_CONFIG_DIR/telepathy/certs are not threated in any different way and just > "sourced" with system certificates? > > Would we be able to solve this issue by treating > $XDG_CONFIG_DIR/telepathy/certs as a "white" list of certificates instead? That's basically because of the way the X.509 certificate trust chain works: when you get a certificate chain from a server you check each certificate against the next one, and the last before the CA one against the trusted Certification Authority certificates you have on your computer, which are by definition self-signed by the authority itself and "blindly" trusted. When you get a self-signed error, it means that the last certificate in the chain is self-signed, but it's not a CA you already have in your list, so "saving the preference" in that case is as easy as copying that certificate in a trusted directory, so that the next time the same chain is verified, the last cert before the CA one will be verified against the cert we saved. For cases which the error is not self-signed, it's not sufficient to store the CA, as the error lies somewhere else, so you need to actually store an exception somewhere, a bit like firefox does. The best place to store that assertion would be gnome-keyring. I know there has been some work going on here [1] to allow that (and much more). CC-ing Stef to understand better. Otherwise you could probably store the certificate itself as a proof of exception in a directory, and try to match fingerprints of such exceptions when you connect again to a server. [1] http://git.gnome.org/browse/gnome-keyring/log/?h=trust-store and basically http://git.gnome.org/browse/gnome-keyring/tree/gcr/gcr-trust.h?h=trust-store
bug #634891 is about self signed certificates not having the CA flag.
*** Bug 636218 has been marked as a duplicate of this bug. ***
This will be fixed by bug #636258. *** This bug has been marked as a duplicate of bug 636258 ***