[Pkg-xmpp-devel] Bug#972215: Bug#972215: gajim: Cannot connect to host with untrusted certificate

Thu Oct 15 22:42:37 BST 2020

Hi,

Le 14/10/2020 à 23:58, Martin a écrit :
> On 2020-10-14 19:06, Colomban Wendling wrote:
>> What I get is a popup telling me the certificate authority is unknown
>> (which is expected here, it's self-signed), and allowing me to see the
>> cert and to add it to the list of trusted certificates.  However, doing
>> so does not work, and the dialog pops up again and again and again,
>> effectively preventing any connection to that account.
>>
>> This actually renders Gajim unusable for me as I cannot connect to any
>> of my accounts.
> 
> I'm not aware of that issue, but I use letsencrypt for my
> servers. I wonder, whether this is related to
> "ignore_ssl_errors no longer works with Gajim 1.2.2"
> (https://dev.gajim.org/gajim/gajim/-/issues/10237)?
> 
> However, there the certificate is not only self-signed, but also
> erroneous (wrong host or outdated). Could you comment here,
> whether this is the case with your certificates?

I checked with the server maintainer, and indeed the domains I use did
not appear in the CN or SAN of the cert the server presented my client.
 I don't think this should have prevented me from manually validating
its use (as I actually did check it in person, so I am positive that's
the right cert no matter what its metadata say), but it indeed wasn't
state-of-the-art.

I see on that linked report someone saying:

> Gajim supports self signed certificates, but what you sign must be
> correct. Otherwise you can just use no certificate at all.

I cannot second that kind of reasoning: yes, maybe it could be made
harder to accept an "invalid" certificate to lower the risk of a naive
user blindly clicking through in case of a MiM attack, but there is no
world where untrusted encryption is worse than clear communication.
Again in my case I checked the certificate is actually the right one
with a fully trusted side channel, so the metadata don't matter.

> If your certificate is correct, but it still does not work, you
> might like to try that, given you have root accesss:
> 
> Add the self-signed certificate to the system, IIRC, by storing
> the certificate file under /usr/local/share/ca-certificates/ and
> run update-ca-certificates. Then restart Gajim. Does that help?

I had to manually add it to /etc/ssl/certs/ca-certificates.crt, but I
finally got it in.  This changed the error, now telling me "the
certificate does not match the expected identity of the site" -- which
is fair, yet I still don't think it should be a hard, unrecoverable error.

Anyway, the cert has now been updated to present the proper CN for the
domains I use, so I can connect again to my accounts with Gajim (after
validating the self-signed cert twice for some reason).  But I hardly
think a missing CN/SAN is a good reason to prevent any encrypted
communication.  Any encryption is better than none in all cases -- even
if encrypting for a MiM.  I'm saddened by this whole misconception that
encryption and signatures are the same thing and that the former is
useless without the latter.

And in any case, regardless of the above, the UI should be fixed not to
lead to a infinite loop of dialogs, and to properly reflect what the
actual problem is.

Regards,
Colomban