[Pkg-telepathy-maintainers] Bug#699103: Empathy fails to connect to SIP proxy over TLS

Simon McVittie smcv at debian.org
Tue Sep 16 14:37:41 UTC 2014


On Thu, 30 Jan 2014 at 03:52:38 +1030, Ron wrote:
> On Wed, Jan 29, 2014 at 10:59:21AM +0000, Simon McVittie wrote:
> > So rakia will have to create a directory $certdir (either global or
> > per-account), symlink /etc/ssl/certs/ca-certificates.crt ->
> > $certdir/cafile.pem, and pass NUTAG_CERTIFICATE_DIR($certdir) to
> > nua_create(). Is that correct?
> 
> Or you could just pass it the system dir directly if that's what you
> want, but yeah, that's how I understand this should work (and how I
> do it in my code).
> 
> The hardcoding of 'cafile.pem' and 'agent.pem' as the files it looks
> for is an unfortunate limitation that I certainly wouldn't be sorry
> to see fixed.  But only needing to pass a dir is one form of keeping
> it 'simple' I guess.

I tried doing the simplest thing that could possibly work -
NUTAG_CERTIFICATE_DIR("/etc/ssl/certs") - and it seems it doesn't
work unless your own private keypair is in that directory, which in
my case it isn't, because I don't have a keypair at all:

** (telepathy-rakia:18329): DEBUG: tls_init_context: private key does not match the certificate public key
** (telepathy-rakia:18329): DEBUG: tls_init_context: invalid local certificate: /etc/ssl/certs/agent.pem
** (telepathy-rakia:18329): DEBUG: tls_init_context: 140a80b1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
** (telepathy-rakia:18329): DEBUG: tls_init_context: 02001002:system library:fopen:No such file or directory
** (telepathy-rakia:18329): DEBUG: tls_init_context: 20074002:BIO routines:FILE_CTRL:system lib
** (telepathy-rakia:18329): DEBUG: tls_init_context: 140ad002:SSL routines:SSL_CTX_use_certificate_file:system lib
** (telepathy-rakia:18329): DEBUG: tls_init_context: invalid private key: /etc/ssl/certs/agent.pem

Is there a way to tell sofia-sip to use a given set of trust anchors
to validate the server's certificate, without making it try to do
client-certificate authentication?

If not, sorry, this is back to "patches welcome" status; I've already
spent longer on this than I can really justify.

Regards,
    S
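The question above is whether server-certificate validation can be separated from client-certificate authentication. As an added example that is not code from this thread, from telepathy-rakia or from sofia-sip, the script below builds the directory layout the thread describes (a certdir whose cafile.pem points at the CA bundle, with no agent.pem) and shows, with the openssl CLI alone, that validating a server certificate needs only the trust anchors. The CA, server certificate and the "rogue" certificate are all generated here into a temporary directory (constructed data); the temporary CA stands in for /etc/ssl/certs/ca-certificates.crt.

```shell
#!/bin/sh
# Added example: trust-anchor-only certdir in the cafile.pem/agent.pem layout.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CERTDIR="$WORK/certdir"   # stands in for the per-account $certdir

# Constructed PKI: a CA and a server certificate issued by it.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
        -subj "/CN=Constructed Test CA" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" \
        -subj "/CN=sip.example.invalid" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/server.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/server.pem" >/dev/null 2>&1
}

# A self-signed certificate with the same name but not issued by the CA.
make_untrusted_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/rogue.key" -out "$WORK/rogue.pem" \
        -subj "/CN=sip.example.invalid" >/dev/null 2>&1
}

# certdir holds only the trust anchors: cafile.pem -> CA bundle, no agent.pem,
# so there is no local keypair for any client-certificate step to pick up.
make_certdir() {
    mkdir -p "$CERTDIR"
    ln -sf "$WORK/ca.pem" "$CERTDIR/cafile.pem"
    [ ! -e "$CERTDIR/agent.pem" ]
}

# Validates a server certificate against cafile.pem only; 0 = trusted.
verify_server_cert() {
    openssl verify -CAfile "$CERTDIR/cafile.pem" "$1" >/dev/null 2>&1
}

make_test_pki
make_untrusted_cert
make_certdir
if verify_server_cert "$WORK/server.pem"; then echo "server.pem: trusted"; fi
if ! verify_server_cert "$WORK/rogue.pem"; then echo "rogue.pem: rejected"; fi
```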



More information about the Pkg-telepathy-maintainers mailing list