empathy does not display certificate error, interface for importing certificates missing

Bug #480791 reported by Mitja Kleider on 2009-11-11
This bug affects 11 people
Affects            Status         Importance   Assigned to   Milestone
Empathy            Expired        Wishlist
meta-telepathy     Fix Released   Medium
empathy (Ubuntu)                  Low          Unassigned

Bug Description

Binary package hint: empathy

Ubuntu 9.10

$ dpkg -s empathy
Version: 2.28.1.1-0ubuntu1

Try to connect empathy to a server via SSL/TLS which provides an untrusted certificate.
Empathy will report "Network error" without further information.

Empathy does not provide any way to import the certificate. The only option available in account settings is to ignore any certificate error (allowing man-in-the-middle attacks).

When exchanging certificates, either during a server handshake, or an E2E handshake, there needs to be an API that would expose the certificate verification procedure to end-clients so that they could render the process interactive and allow the user to perform a "leap of faith".

A branch of wocky that is accommodating the implementation of this is here:
http://git.collabora.co.uk/?p=user/eitan/wocky.git;a=summary

A telepathy-gabble branch is soon to follow.
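
The "leap of faith" decision described in the report above, as an added example that is not Empathy, Telepathy or wocky code: a client-side trust-on-first-use check that pins the SHA-256 fingerprint of an untrusted certificate after explicit user approval, and reports a changed certificate as its own case instead of a generic network error or a blanket "ignore certificate errors" switch. The `PinStore` class, the `ask` UI callback, the host name and the sample byte strings are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
from enum import Enum

class Verdict(Enum):
    CA_TRUSTED = "ca-trusted"  # normal chain validation succeeded
    PINNED = "pinned"          # untrusted by CAs, but the user accepted this exact cert before
    ASK_USER = "ask-user"      # untrusted and never seen: offer the leap of faith
    CHANGED = "changed"        # untrusted and different from the pinned cert: warn

def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, hex encoded."""
    return hashlib.sha256(der).hexdigest()

class PinStore:
    """Hypothetical in-memory pin store: (host, port) -> certificate fingerprint."""

    def __init__(self):
        self._pins = {}

    def evaluate(self, host, port, der, ca_valid):
        if ca_valid:
            return Verdict.CA_TRUSTED
        pinned = self._pins.get((host.lower(), port))
        if pinned is None:
            return Verdict.ASK_USER
        if hmac.compare_digest(pinned, fingerprint(der)):
            return Verdict.PINNED
        return Verdict.CHANGED

    def accept(self, host, port, der):
        self._pins[(host.lower(), port)] = fingerprint(der)

def should_continue(store, host, port, der, ca_valid, ask):
    """Return True to proceed with the handshake, False to abort it."""
    verdict = store.evaluate(host, port, der, ca_valid)
    if verdict in (Verdict.CA_TRUSTED, Verdict.PINNED):
        return True
    # ask(host, fingerprint, changed) returns True only on explicit user approval.
    if ask(host, fingerprint(der), verdict is Verdict.CHANGED):
        store.accept(host, port, der)
        return True
    return False

# Constructed stand-ins for DER certificate bytes (not real certificates).
CERT_A = b"constructed-der-bytes-A"
CERT_B = b"constructed-der-bytes-B"
```
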

Omer Akram (om26er) wrote :

Reported it upstream, but I think it's a feature request that does not exist in Empathy or might already exist in 2.29.x. Anyone, please mark this wishlist and of low importance.

Changed in empathy (Ubuntu):
assignee: nobody → Ubuntu Desktop Bugs (desktop-bugs)
importance: Undecided → Low
status: New → Triaged

Note that the debug log doesn't even mention anything about ssl or certificates, at least when trying to connect to a jabber server that requires TLS. Just a generic "network error" message is given which seems to imply a TCP/IP problem. So no users will know that they have to go Edit -> Accounts -> Advanced -> "Ignore SSL certificate errors" unless they are psychic.

Also, if you go to google and start typing "empathy jabber", the only autocompletion that google gives is "empathy jabber network error", with 16,000 hits.

Anyway, the link to the upstream bug is https://bugzilla.gnome.org/show_bug.cgi?id=606535

Updated spec is here:
http://git.collabora.co.uk/?p=user/eitan/telepathy-spec.git;a=summary

Gabble implementation is here:
http://git.collabora.co.uk/?p=user/eitan/telepathy-gabble.git;a=summary

Wocky changes are here:
http://git.collabora.co.uk/?p=user/eitan/wocky.git;a=summary

This all works together, awaiting review and cosimoc's XTLS implementation.

Changed in empathy:
status: Unknown → Confirmed
miq (miq601) wrote :

"network error" message occurs when a jabber server certificate changes. There is no simple way to delete the old certificate. "Ignore SSL certificate errors" does not work in this case.

Laurent Bigonville (bigon) wrote :

@miq well, the certificate is not stored by any telepathy components. So I guess the issue is elsewhere.

I am working on another approach for this, outlined here:

http://lists.freedesktop.org/archives/telepathy/2010-June/004621.html

Updated spec branch is here:

http://git.collabora.co.uk/?p=user/cosimoc/telepathy-spec.git;a=shortlog;h=refs/heads/xtls-proposal

I have yet to implement it in Gabble.

MBybee (mike-bybee) wrote :

Still getting this issue as of August 3rd, hope someone has a workaround!

MBybee (mike-bybee) wrote :

For 'edit->accounts->advanced' on TLS OCS account, there is no 'ignore SSL certificate errors' selection as of Ubuntu 10.04, Empathy 2.30.2

Changed in meta-telepathy:
importance: Unknown → Medium
status: Unknown → In Progress
Changed in empathy:
importance: Unknown → Wishlist
nh2 (nh2) wrote :

Freedesktop upstream says this has been resolved, see org.freedesktop.Telepathy.Channel.Type.ServerTLSConnection. Not sure what this means, is it just a change in telepathy which still requires empathy to do some UI stuff?

Changed in meta-telepathy:
importance: Medium → Unknown
status: In Progress → Fix Released
Changed in meta-telepathy:
importance: Unknown → Medium
Omer Akram (om26er) on 2011-07-18
Changed in empathy (Ubuntu):
assignee: Ubuntu Desktop Bugs (desktop-bugs) → nobody
Changed in empathy:
status: Confirmed → Expired