Hi,

On Mon, Jan 27, 2014 at 01:37:12PM +0000, Simon McVittie wrote:
> On Fri, 12 Apr 2013 at 11:01:47 -0400, Derek LaHousse wrote:
> > Workaround: It appears that telepathy-rakia is looking for its list of
> > root CAs at ~/.sip/auth or the file ~/.sip/auth/cafile.pem. I have
> > created ~/.sip and symlinked ~/.sip/auth to /etc/ssl/certs. In a test
> > set of "once", it worked without selecting "ignore TLS errors".
> >
> > It looks like that path comes from sofia-sip.
> > http://anonscm.debian.org/gitweb/?p=users/ron/sofia-sip.git;a=blob;f=libsofia-sip-ua/tport/tport_type_tls.c
> >
> > Would it be wrong to change sofia-sip, in debian at least, to use the
> > system-ca-certificates?
>
> I think that sounds like a reasonable course of action, yes.
> Reassigning to sofia-sip.
>
> If the maintainer of sofia-sip has some reason not to do that (please
> reassign back if so), it might also be possible for telepathy-rakia to
> set up a transient directory equivalent to ~/.sip that would do the same
> thing, and push in the CAfile/CApath that way.

Yes, I think I'm a bit leery about unilaterally (and otherwise silently)
changing the trust path of all applications using this lib.

Though to be honest, I'm also a bit disturbed that this fallback to a
path under $HOME exists at all really. If anything, I'd be inclined to
completely remove that, though that decision would also need more thought
and consultation with other users than I've given it so far.

I really think this should be something that individual applications set
explicitly for themselves - though having them use the system cert dir by
default may or may not be a reasonable choice for particular apps.

> The ideal solution would be if telepathy-rakia could additionally use
> the Telepathy ServerTLSAuthentication interface to tell UIs "this
> certificate looks wrong, please deal with it" - that's what
> telepathy-gabble does. This delegates handling to either Empathy or
> kde-telepathy-auth-handler, which can use both system-wide configuration and
> user- and desktop-specific "cert pinning" (in gnome-keyring and KWallet),
> and/or prompt the user. However, I don't know whether sofia-sip has
> UI for that.

I'm not all that familiar with telepathy-rakia, but most apps should
probably be setting this explicitly with NUTAG_CERTIFICATE_DIR or similar
(depending on which interface set they are using). If they do that, then
the fallback to ~/.sip/auth should never be used at all.

How they do that, and how they let users change it if they wish to, is
again probably best as a per-app thing (unless the app is part of some
suite that shares that sort of config).

> I don't know SIP or sofia-sip as well as I'd like, and Telepathy's SIP experts
> (the primary authors of telepathy-rakia) are no longer active in the project,
> so we'd appreciate any upstream help that the VoIP team can provide.
> I think this is a job for "upstream first" rather than Debian-specific
> patches, though.

Does setting the cert dir with that tag seem like it would be a problem
for Telepathy? I'm certainly willing to consider other ideas and input,
but this is my first impression based on what I know so far.

Cheers,
Ron
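
An added example, not part of the thread and not sofia-sip or telepathy-rakia code: a shell check of the per-user fallback path discussed above (~/.sip/auth and cafile.pem inside it), reporting whether it exists, whether it is a symlink like the workaround, and whether accounts other than the owner can write to it. The function names are hypothetical, and the write-permission check is an extra audit step not raised in the thread.

```shell
#!/bin/sh
# Added example: inspect the fallback trust path <home>/.sip/auth that the
# thread says is used when the application sets no certificate directory.

# Print one word describing what <home>/.sip/auth is.
sip_trust_status() {
    auth="$1/.sip/auth"
    if [ -L "$auth" ]; then
        # A symlink, as in the workaround: report where it points.
        echo "symlink:$(readlink "$auth")"
    elif [ -d "$auth" ]; then
        if [ -f "$auth/cafile.pem" ]; then
            echo "dir-with-cafile"
        else
            echo "dir-without-cafile"
        fi
    else
        echo "absent"
    fi
}

# Print whether the directory (symlinks followed) is group- or
# world-writable. Anyone who can write there can add a root CA that
# the application would then trust.
sip_trust_perms() {
    auth="$1/.sip/auth"
    [ -d "$auth" ] || { echo "absent"; return 0; }
    mode=$(ls -ldL "$auth" | cut -c1-10)
    case "$mode" in
        # Character 6 is group write, character 9 is other write.
        ?????w*|????????w*) echo "writable-by-others" ;;
        *)                  echo "not-writable-by-others" ;;
    esac
}

# Report on the current user's home directory.
h="${HOME:-/nonexistent}"
echo "$h/.sip/auth: $(sip_trust_status "$h") $(sip_trust_perms "$h")"
```

A result other than "absent" means an application that never sets its own certificate directory is taking its root CAs from that location.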

