On Mon, Jan 5, 2015 at 7:28 AM, Diane Trout <[email protected]> wrote:

> I discovered a non-obvious solution to a TLS issue when trying to connect
> to a SIP proxy.
>
> The Accounts tab just kept reporting connection failed without giving any
> useful feedback why. I recently discovered how to get debugging messages
> from:
>
> org.freedesktop.Telepathy.Connection.sofiasip.sip.<account>
> /org/freedesktop/Telepathy/debug
> org.freedesktop.Telepathy.Debug.GetMessages
>
> That reported a detailed error message about failing to validate the
> certificate chain.
>
> I was confused as I was using a real (StartCom) certificate whose root
> certificate is available in both /etc/ssl/certs and KDE System Settings >
> SSL Preferences.
>
> I then discovered buried in the NEWS for telepathy-rakia:
>
> - Verify the validity of TLS certificates presented by SIP connection
>   peers.
>   This change is disruptive: it relies on root CA certificates being
>   available to sofia-sip in the default verification path ``~/.sip/auth``
>   or file ``~/.sip/auth/cafile.pem``, or sofia-sip changed to use OpenSSL
>   library defaults for verification path (sf.net #3306245).
>   The connection parameter "ignore-tls-errors" is added to disable
>   verification.
>
> Once I stuck the root certificate in ~/.sip/auth/cafile.pem it could
> connect, however that's a whole host of user unfriendly problems there.

Thanks for looking into this.

> 1) ktp should give a better error message preferably about why the
> certificate is invalid
>
> 2) the "ignore-tls-errors" setting should be made visible in the advanced
> account configuration dialog in kde-telepathy

At least this one should be easy to do. If you don't have time to add this yourself, could you add a bug report so it's not forgotten?

> 3) there really should be some way of either setting the certificate via
> dbus, or at least some method to help the user put the root certificate in
> the right spot.
>
> (At the very least posting this should hopefully make the work-around
> available to search engines).
>
> Diane
> _______________________________________________
> KDE-Telepathy mailing list
> [email protected]
> https://mail.kde.org/mailman/listinfo/kde-telepathy
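
The work-around discussed in this thread (placing the root in `~/.sip/auth/cafile.pem` rather than turning on "ignore-tls-errors") can be scripted; the following is an added example, not code from the thread, telepathy-rakia or sofia-sip. The function names are hypothetical; the script only merges PEM blocks idempotently and assumes you have already checked that the certificate is the root you intend to trust.

```python
import hashlib
import re
import ssl
import sys
from pathlib import Path

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL)


def fingerprints(pem_text):
    """Map the SHA-256 of each certificate's DER bytes to its PEM block."""
    found = {}
    for block in PEM_BLOCK.findall(pem_text):
        der = ssl.PEM_cert_to_DER_cert(block)
        found[hashlib.sha256(der).hexdigest()] = block
    return found


def install_root(root_pem_path, home=None):
    """Append certificates from root_pem_path to <home>/.sip/auth/cafile.pem.

    Returns the fingerprints that were newly added (empty if all present).
    """
    home = Path(home) if home else Path.home()
    auth_dir = home / ".sip" / "auth"
    # mode applies to the final directory only and is subject to the umask
    auth_dir.mkdir(mode=0o700, parents=True, exist_ok=True)
    cafile = auth_dir / "cafile.pem"

    current = cafile.read_text() if cafile.exists() else ""
    existing = fingerprints(current)
    wanted = fingerprints(Path(root_pem_path).read_text())
    if not wanted:
        raise ValueError("no PEM certificate found in %s" % root_pem_path)

    added = [fp for fp in wanted if fp not in existing]
    if added:
        with open(cafile, "a") as out:
            if current and not current.endswith("\n"):
                out.write("\n")  # keep PEM blocks on separate lines
            for fp in added:
                out.write(wanted[fp].strip() + "\n")
    return added


if __name__ == "__main__":
    for fp in install_root(sys.argv[1]):
        print("added certificate, SHA-256", fp)
```

Compare the printed SHA-256 fingerprint with the one the CA publishes before relying on the file.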
