clone 699103 -1
severity -1 wishlist
retitle -1 interactive TLS certificate validation
tags -1 + upstream
retitle 699103 please use Debian ca-certificates as trust anchors by default
reassign 699103 libsofia-sip-ua0 1.12.11+20110422.1-2
affects 699103 telepathy-rakia
thanks

On Fri, 12 Apr 2013 at 11:01:47 -0400, Derek LaHousse wrote:
> Workaround: It appears that telepathy-rakia is looking for its list of
> root CAs at ~/.sip/auth or the file ~/.sip/auth/cafile.pem. I have
> created ~/.sip and symlinked ~/.sip/auth to /etc/ssl/certs. In a test
> set of "once", it worked without selecting "ignore TLS errors".
>
> It looks like that path comes from sofia-sip.
> http://anonscm.debian.org/gitweb/?p=users/ron/sofia-sip.git;a=blob;f=libsofia-sip-ua/tport/tport_type_tls.c
>
> Would it be wrong to change sofia-sip, in debian at least, to use the
> system-ca-certificates?

I think that sounds like a reasonable course of action, yes. Reassigning
to sofia-sip.

If the maintainer of sofia-sip has some reason not to do that (please
reassign back if so), it might also be possible for telepathy-rakia to
set up a transient directory equivalent to ~/.sip that would do the same
thing, and push in the CAfile/CApath that way.

The ideal solution would be if telepathy-rakia could additionally use
the Telepathy ServerTLSAuthentication interface to tell UIs "this
certificate looks wrong, please deal with it" - that's what
telepathy-gabble does. This delegates handling to either Empathy or
kde-telepathy-auth-handler, which can use both system-wide configuration
and user- and desktop-specific "cert pinning" (in gnome-keyring and
KWallet), and/or prompt the user.

However, I don't know whether sofia-sip has UI for that. I don't know
SIP or sofia-sip as well as I'd like, and Telepathy's SIP experts (the
primary authors of telepathy-rakia) are no longer active in the project,
so we'd appreciate any upstream help that the VoIP team can provide. I
think this is a job for "upstream first" rather than Debian-specific
patches, though.

    S

