TOR: Allow self-signed certs for http upload on .onion/.i2p domains
Currently Gajim allows plain text and self-signed certificates for XMPP, but doesn't allow sending files via HTTP upload, either with self-signed certificates or over plain-text HTTP.
To support sending files to an XMPP server configured as a hidden service in anonymous networks such as Tor and I2P, we need a setting that would allow the use of self-signed certificates.
This setting must turn off certificate validation for all child subdomains: *.onion, *.i2p (xyz.onion, upload.xyz.onion, a.b.c.d.onion, something.b32.i2p, etc.). This should work for both file transfers and previews.
-
I think the best solution could be a setting that would globally disable the certificate check for any domain. This setting is insecure if we use accounts on both hidden services and the clearnet in the same Gajim profile at the same time, but this problem can be solved by using different profiles with different settings: one with the certificate check for normal servers, one without the certificate check for servers configured as a hidden service. The global setting is good because it is universal and not tied to a pseudo-domain of a specific anon network (onion/Tor, b32.i2p/I2P, maybe the currently less popular loki/Lokinet https://github.com/oxen-io/lokinet, etc.).
-
Another solution would be a setting that allows the user to choose for which domains certificates can be ignored (something like "disable_ssl_validation = *.onion, *.i2p"). A setting that is hardcoded to "onion" only would be non-universal. There are at least two pseudo-domains which are currently relevant, onion and i2p, but what if we need to configure a server in another anonymous network in the future?
-
self-signed vs http plain: using plain text is more logical because the encryption is provided by Tor. But I don't know how other clients like Conversations will respond to http (no ssl) file links; maybe they can only work with self-signed http certificates (I haven't checked it yet).
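
An added example, not part of the original issue and not Gajim code: one way the per-domain variant of the setting could be evaluated so that the exemption cannot leak to clearnet hosts. The function names are hypothetical, and the `*.onion, *.i2p` value follows the `disable_ssl_validation` sketch above.

```python
from __future__ import annotations
from urllib.parse import urlsplit


def parse_exemptions(setting: str) -> frozenset[str]:
    """'*.onion, *.i2p' -> {'onion', 'i2p'}; anything but '*.suffix' is rejected."""
    suffixes = set()
    for item in setting.split(","):
        item = item.strip().lower().rstrip(".")
        if not item:
            continue
        suffix = item[2:]
        if not item.startswith("*.") or "*" in suffix or not all(suffix.split(".")):
            raise ValueError(f"expected '*.suffix', got {item!r}")
        suffixes.add(suffix)
    return frozenset(suffixes)


def is_exempt_host(host: str, exempt: frozenset[str]) -> bool:
    """True only if host ends in an exempt suffix on a label boundary."""
    labels = host.lower().rstrip(".").split(".")
    if not all(labels):
        return False  # empty label, e.g. 'a..onion'
    for suffix in exempt:
        tail = suffix.split(".")
        # '*.' requires at least one label in front of the suffix.
        if len(labels) > len(tail) and labels[-len(tail):] == tail:
            return True
    return False


def must_verify_cert(url: str, exempt: frozenset[str]) -> bool:
    """Fail closed: verification is skipped only for https URLs on exempt hosts."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return True
    return not is_exempt_host(parts.hostname, exempt)


if __name__ == "__main__":
    exempt = parse_exemptions("*.onion, *.i2p")
    # Constructed sample URLs, not taken from any real server.
    for url in ("https://upload.xyz.onion:5443/f/1",
                "https://xyz.onion.example.com/f/1",
                "https://xyz.onion@example.com/f/1"):
        print(url, "verify" if must_verify_cert(url, exempt) else "skip")
```

Matching on whole labels of the parsed hostname, rather than on a substring of the URL, is what keeps `xyz.onion.example.com` and `xyz.onion@example.com` under normal validation.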