empathy throws untrusted certificate warning on google chat services using google apps (non-google domains)

affects me too on Xubuntu 10.10 beta.

Thanks for your bug report and helping to make Ubuntu better. This is probably a jabber issue. First if you haven't, try it with jabber and not google talk and see if yu can reproduce this. Secondly, please provide telepathy logs (done by going to Help-->Debug and selecting gabble.) after reproducing this issue.

I believe this is because the certificate is signed for Google and not for the end user domain. So is this not expected behaviour?

No, this is not the expected behaviour. In Ubuntu 10.04, this warning did not appear. This error seems to be restricted to Google Talk accounts hosted through Google Apps, which allows the use of one's own domain name. The certificate served by Google however has the talk.google.com domain name, which doesn't match the actual domain name, so the warning is shown.

I'm not sure why this has suddenly started happening in Maverick. I've attached the gabble debug log.

Regards
David

I have discovered a workaround: In Empathy > Edit > Accounts, check "Ignore SSL certificate errors" for each Google Apps Talk account. This suppresses the warning. However, this is not an ideal solution.

I had to also check "Use old SSL" as my Gtalk account said "Network Error" without that checked. No idea why but as the "override Server Settings" part of the dialogue says to use talk.google.com the cert error should not appear (the cert is from that server)

I have this problem as well. This is with a jabber account configured to use the server talk.google.com.

It's not a Google specific problem. We use a perfectly sound CAcert certificate and suddenly, on upgrade to Maverick, this warning started appearing. Really annoying. As stated above, "ignore SSL errors" is not ideal; there's nothing wrong with the cert. So, maybe there's a problem with the root certificate chains now, or the GIO code which walks them?

AfC

the client must validate the name of the host in SRV, not against the domain name using it

@Brian Curtis: the requested log (gabble) includes personal information so It can not be posted here. who should I mail it to?

This problem is still occuring, for any Jabber account where the server name in the certificate is not exactly the same as the Jabber domain name being used.

E.g. you have a valid certificate for jabber.example.com, which serves @example.com accounts. When you connect, you get:

The identity provided by the chat server cannot be verified.
The hostname verified by the certificate doesn't match the server name.
Expected hostname: example.com
Certificate hostname: jabber.example.com

There are two problems here.

First, empathy is ignoring the fact that Jabber service for example.com has been properly delegated to jabber.example.com via a SRV record:

_xmpp-server._tcp.example.com has SRV record 0 0 5269 jabber.example.com

Secondly, although the user is allowed to accept this mismatch, empathy does not remember this decision, so the problem recurs at every reconnect.

thanks for the bug report. please attach a screenshot of the issue so that we could send it to people writing the software.

Here's a screenshot of the issue on 10.10 for me:

Screenshot running under maverick.

I have a hunch about what's going on here. I suspect that Telepathy is not using the custom server setting. I have experienced this myself. When I set up my account, I tell it to use <email address hidden> with the server jabber.domain.org. However, when it attempts to connect, it connects to domain.org! jabber.domain.org is an A record, not a CNAME. Empathy then complains that the certificate says jabber.domain.org when it expected domain.org. This is in Natty, by the way. My only Maverick machines run Kubuntu, so I use Kopete there. It connects without complaint.

Also, Pidgin connects without complaint on the same machine on which Empathy fails.

Hmm...since jabber.domain.org and domain.org have the same IP address, I guess lsof -i isn't a good way to determine what telepathy-gabble/empathy thinks it's connecting to. Durr...I should have known better than that. New hunch: Telepathy is using the custom server setting (or SRV record) to determine what to connect to, but it is not updating the TLS verifier accordingly.

So, after a conversation with sjoerd on #empathy, it looks like it is the developers' intent that empathy expect a certificate from domain.org when connecting to the account <email address hidden>, even if the actual server being connected to is jabber.domain.org. I think the same thing is happening with Google Talk for Google Apps domains. I have a hard time accepting this as the correct way to handle this, especially since Pidgin and Kopete don't complain.

Everybody having trouble with Google Talk using a Google Apps domain account, try Pidgin and Kopete. If they both connect without complaint, then I would say that is evidence that Empathy is doing the wrong thing.

Bah! Take a look at item 8 in section 5.1 of the XMPP spec (http://xmpp.org/rfcs/rfc3920.html#tls):
"Certificates MUST be checked against the hostname as provided by the initiating entity (e.g., a user), not the hostname as resolved via the Domain Name System; e.g., if the user specifies a hostname of "example.com" but a DNS SRV (Gulbrandsen, A., Vixie, P., and L. Esibov, “A DNS RR for specifying the location of services (DNS SRV),” February 2000.) [SRV] lookup returned "im.example.com", the certificate MUST be checked as "example.com". If a JID for any kind of XMPP entity (e.g., client or server) is represented in a certificate, it MUST be represented as a UTF8String within an otherName entity inside the subjectAltName, using the [ASN.1] (CCITT, “Recommendation X.208: Specification of Abstract Syntax Notation One (ASN.1),” 1988.) Object Identifier "id-on-xmppAddr" specified in Section 5.1.1 (ASN.1 Object Identifier for XMPP Address) of this document. "

In other words, when Empathy/Telepathy attempts to connect as <email address hidden>, it is right to check for a certificate for gappdomain.com instead of talk.google.com.

So, the real question here is this: should Empathy/Telepathy bend the rules here? I think it would be reasonable to accept a certificate for the domain specified in the Jabber ID _OR_ the server we are actually connecting to.

More from sjoerd: apparently, the Google Talk people have been working with the XMPP spec people to resolve this issue. Hopefully, this will get resolved eventually. Until then, I don't think upstream will be inclined to work around it, so perhaps Ubuntu should carry a patch? Perhaps we could restrict the "accept either certificate" behavior to Google Talk accounts.

As per comment #19, I tested pidgin. It gave an equivalent error about not being able to validate the certificate, see screenshot

thank you Alex (#21) - I got the same issue here on Natty (Ubuntu 11.04) - any updates? will there be a patch soon?

Confirmed for last 11.10

I can also confirm for 11.10.

Same here on 11.10

probably its duplicate of https://bugs.launchpad.net/ubuntu/+source/empathy/+bug/828756

[Expired for empathy (Ubuntu) because there has been no activity for 60 days.]

Hi,

I know that it's an old bug report but I've got exact same problem in Ubuntu 12.10 when installed and logged into LXDE desktop manager.

#sudo apt-get install lxde

Before installing lxde all was ok.
And I use empathy only with google account.
Ubuntu 12.10 Amd64.