
Closed
Open
Opened Apr 02, 2020 by Eugene Crosser@crosser

SSL server validation ignores system-wide installed CAs

Since a while ago, server certificate validation started to fail in the nightly build. I use a private CA, and the CA certificate is installed system-wide (placed in /etc/ssl/certs and c_rehash'ed). openssl s_client -verify 1 -host ... -port ... succeeds with "Verification: OK". However, gajim insists that the certificate is signed by an unknown CA.

  • While opening XMPP connection, it offers to accept "untrusted" server certificate and then works
  • httpupload over aesgcm/https does not work at all:
02/04/20 10:45:33 (I) gajim.p.omemo.filedecryption|       Start downloading: https://average.org:9443/0aaa8f2ecdc342cdea76820e6eba57e0884fd630/5Q7yPp7QsTc0blwTog5RuJwkABmYOOPX0VYmxrLq/FrdvSlyBQX-EjGTtfnUErQ.jpg
02/04/20 10:45:33 (W) gajim.p.omemo.filedecryption|       Download failed: https://average.org:9443/0aaa8f2ecdc342cdea76820e6eba57e0884fd630/5Q7yPp7QsTc0blwTog5RuJwkABmYOOPX0VYmxrLq/FrdvSlyBQX-EjGTtfnUErQ.jpg
02/04/20 10:45:33 (W) gajim.p.omemo.filedecryption|       SSL handshake failed

I believe that gajim should either honour the system-wide set of trusted CAs, or, if it insists on using a private set of CAs, allow adding new CAs to that set. The first option is preferable, in my opinion.

Reference: gajim/gajim#10045