Bug 690971 - Empathy rejects XMPP certificate chain
Status: RESOLVED OBSOLETE
Product: empathy
Classification: Core
Component: Auth client
Version: unspecified
OS: Other Linux
Importance: Normal normal
Target Milestone: ---
Assigned To: empathy-maint
Depends on:
Blocks:
 
 
Reported: 2013-01-02 01:35 UTC by nh2
Modified: 2018-05-22 15:55 UTC
See Also:
GNOME target: ---
GNOME version: ---



Description nh2 2013-01-02 01:35:01 UTC
I run a Prosody XMPP server with a class 2 certificate from Startcom.

When connecting, Empathy tells me that the server identity cannot be verified because the certificate is self-signed (which is wrong).

The main errors are:

perform_verification_cb: Building of certificate chain failed: Couldn't initialize registered PKCS#11 modules: Ein Fehler ist auf dem Gerät aufgetreten

("An error occurred on the device")

verifier_verify_cb: Error: TLS verification failed with reason 6

The full debug log is at http://pastebin.com/SCCb14QY and attached.

I'm running this Empathy on Ubuntu 12.04. Pidgin and Gajim accept the certificate without problem. I could reproduce this on two computers running identical versions.

Do you have an idea why this happens?

Thank you!
Comment 1 nh2 2013-01-02 01:37:51 UTC
It seems to be related to this bug: https://bugs.launchpad.net/ubuntu/+source/empathy/+bug/828756
Comment 2 Guillaume Desmottes 2013-01-02 14:51:14 UTC
Which version of gnome-keyring are you using?

Stef: any idea?
Comment 3 Stef Walter 2013-01-03 15:05:35 UTC
Which version of gcr are you running?

Could you run the following (before trying to connect) and see if any other errors are printed:

$ GCK_DEBUG=all GCR_DEBUG=all /usr/libexec/empathy-auth-client

I'm not exactly sure what sort of misconfiguration is causing the actual error. But in reality we shouldn't be failing for errors with pinned certificates or anchors from PKCS#11 if the certificates are already otherwise valid. In other words we could choose not to propagate errors here (and instead just let the building continue, which may fail verification, if data is indeed unloadable and missing):

http://git.gnome.org/browse/gcr/tree/gcr/gcr-certificate-chain.c#n254

But more to the point, I thought gabble does its own certificate verification using the default certificate bundle, and only hands it off to empathy-auth-client in the case of a failure. Is that still the case?
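The error-propagation choice Stef describes, as an added model written for this page (not gcr's or Empathy's code): one trust source (standing in for the PKCS#11 modules) fails to load, and the builder either aborts, so no verdict is reached, or skips that source and still finds the anchor in the system store. Certificates are constructed dicts; fingerprints stand in for real signature checks, which are omitted.

```python
from enum import Enum


class ChainStatus(Enum):
    ANCHORED = "anchored"        # chain reaches a trusted anchor
    SELF_SIGNED = "self-signed"  # leaf issued itself and no anchor vouches for it
    INCOMPLETE = "incomplete"    # issuer chain runs out before any anchor


class StoreUnavailable(Exception):
    """A trust source could not be loaded (cf. the PKCS#11 error in the log)."""


def build_chain(chain, trust_sources, propagate_store_errors):
    """Walk issuer links from the leaf (chain[0]) and classify the chain.

    trust_sources: callables returning {fingerprint: cert}; each may raise
    StoreUnavailable.  With propagate_store_errors=True a failing source aborts
    the whole build; with False it is skipped and building continues.
    """
    anchors = {}
    for load in trust_sources:
        try:
            anchors.update(load())
        except StoreUnavailable:
            if propagate_store_errors:
                raise
            # Skip the source; the walk below still fails if it held the needed anchor.
    leaf = chain[0]
    if leaf["subject"] == leaf["issuer"] and leaf["fp"] not in anchors:
        return ChainStatus.SELF_SIGNED
    by_subject = {c["subject"]: c for c in chain}
    cur = leaf
    for _ in range(len(chain) + 1):  # bounded walk: at most one hop per cert
        if cur["fp"] in anchors or any(a["subject"] == cur["issuer"] for a in anchors.values()):
            return ChainStatus.ANCHORED
        cur = by_subject.get(cur["issuer"])
        if cur is None:
            return ChainStatus.INCOMPLETE
    return ChainStatus.INCOMPLETE


# Constructed sample: server sends leaf + intermediate; root lives only in the system store.
LEAF = {"subject": "CN=xmpp.example.test", "issuer": "CN=Example Class 2 Intermediate CA", "fp": "L1"}
INTER = {"subject": "CN=Example Class 2 Intermediate CA", "issuer": "CN=Example Root CA", "fp": "I1"}
ROOT = {"subject": "CN=Example Root CA", "issuer": "CN=Example Root CA", "fp": "R1"}


def system_store():
    return {ROOT["fp"]: ROOT}


def pkcs11_store():  # hypothetical failing source, mirroring the reporter's log line
    raise StoreUnavailable("Couldn't initialize registered PKCS#11 modules")


def verdicts():
    """Return (propagating, non-propagating) outcomes for the sample chain."""
    sources = [pkcs11_store, system_store]
    try:
        propagating = build_chain([LEAF, INTER], sources, True).value
    except StoreUnavailable:
        propagating = "error: chain building aborted"
    return propagating, build_chain([LEAF, INTER], sources, False).value
```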
Comment 4 Tobias Mueller 2013-05-14 08:24:31 UTC
nh2, can you also try to get the certificates involved using wocky-dump-certificates from the wocky git repository?
Comment 5 GNOME Infrastructure Team 2018-05-22 15:55:00 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to GNOME's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.gnome.org/GNOME/empathy/issues/621.