[Pkg-telepathy-maintainers] Bug#699103: Empathy fails to connect to SIP proxy over TLS
Simon McVittie
smcv at debian.org
Mon Jan 27 13:37:12 UTC 2014
clone 699103 -1
severity -1 wishlist
retitle -1 interactive TLS certificate validation
tags -1 + upstream
retitle 699103 please use Debian ca-certificates as trust anchors by default
reassign 699103 libsofia-sip-ua0 1.12.11+20110422.1-2
affects 699103 telepathy-rakia
thanks
On Fri, 12 Apr 2013 at 11:01:47 -0400, Derek LaHousse wrote:
> Workaround: It appears that telepathy-rakia is looking for its list of
> root CAs at ~/.sip/auth or the file ~/.sip/auth/cafile.pem. I have
> created ~/.sip and symlinked ~/.sip/auth to /etc/ssl/certs. In a test
> set of "once", it worked without selecting "ignore TLS errors".
>
> It looks like that path comes from sofia-sip.
> http://anonscm.debian.org/gitweb/?p=users/ron/sofia-sip.git;a=blob;f=libsofia-sip-ua/tport/tport_type_tls.c
>
> Would it be wrong to change sofia-sip, in debian at least, to use the
> system-ca-certificates?
I think that sounds like a reasonable course of action, yes.
Reassigning to sofia-sip.
If the maintainer of sofia-sip has some reason not to do that (please
reassign back if so), it might also be possible for telepathy-rakia to
set up a transient directory equivalent to ~/.sip that would do the same
thing, and push in the CAfile/CApath that way.
The ideal solution would be if telepathy-rakia could additionally use
the Telepathy ServerTLSAuthentication interface to tell UIs "this
certificate looks wrong, please deal with it" - that's what
telepathy-gabble does. This delegates handling to either Empathy or
kde-telepathy-auth-handler, which can use both system-wide configuration and
user- and desktop-specific "cert pinning" (in gnome-keyring and KWallet),
and/or prompt the user. However, I don't know whether sofia-sip has
UI for that.
I don't know SIP or sofia-sip as well as I'd like, and Telepathy's SIP experts
(the primary authors of telepathy-rakia) are no longer active in the project,
so we'd appreciate any upstream help that the VoIP team can provide.
I think this is a job for "upstream first" rather than Debian-specific
patches, though.
S
More information about the Pkg-telepathy-maintainers
mailing list