Hi Sjoerd, I've added Simon to the CC, since we already discussed this a bit in the context of #699103.
On Fri, Feb 07, 2014 at 09:33:33PM +0100, Sjoerd Simons wrote: > Package: libsofia-sip-ua0 > Version: 1.12.11+20110422.1-2 > Severity: normal > > While attempting to use the Debian SIP services with empathy i noticed > sofiasip > was failing to verify the SSL certificate. A bit of digging let me to > http://sourceforge.net/p/sofia-sip/feature-requests/26/ which was fixed in git > commit 241579dd1c5f0774eaeb8a06ca55067cbba999aa upstream. Ah, good spot! Thanks, I'd completely forgotten about that being in the outstanding set of patches I have. > Would be great if this patch could be included (or a newer git snapshot of > sofia could be packaged) Yeah, I've actually had that small stack of patches on my radar for a while now (since it also includes some patches that I got upstreamed), I've just been more than usually wary of pushing them to the distro without first carefully auditing them -- since they are all changes that happened in the last few days before Pessi abruptly sailed off into the sunset ... so if there are bugs they introduce, I can't really rely on the idea of someone else having spotted them in other testing already, and fixes having been pushed if they did. And I'd been doubly wary about that, precisely because there were changes to the TLS handling -- and this change in particular, went in just a week before Nokia restructured us out of having an upstream maintainer ... But if this fixes a real bug in rakia, that tips the equation somewhat :) Or at least the urgency of finding time to properly review them. We'd probably also want (at least) the commit right after that one too, 775dbbe762560e18b45b0e3d43aea991de2d4392 which tweaks the handling of the CERTIFICATE tag I discussed with Simon to accept ":" or "" as magic values that indicate the system certs should be used. So a small improvement is probably a combination of adding this support to sofia, and adding the NUTAG_CERTIFICATE_DIR tag to rakia, and then the user can decide whether they want to trust the system certs or only the ones they use for their comms link -- and they can then still use this without needing to write their own agent.pem into the system dir, and possibly more importantly, more than one user would be able to use it on the same system then! There's still probably a bit of directory acrobatics needed, but I don't think it's actually as bad as what we first thought when I discussed this with Simon. At least for the single user per machine case. For the multi-user case it still seems a bit ugly even with this patch applied to sofia (or perhaps especially with) -- since it still gives us no way to separate the user key location from the CA certs used for validation ... which seems like a bit of a design problem ... Did anything come out of considering how to hook this into Telepathy's infrastructure for configuring all of this? I think what I'd really like to see is some sort of laid out plan for how we think this really ought to work from a user's perspective, and then we can do whatever we need to, to make the code allow us to sensibly do that. Even this patch still feels like TLS is very much an after thought, done just enough to play with rather than actually use in anything larger than a single user embedded device. That might have been ok a few years ago, but it seems to fall a bit short of what is really needed today now ... Cheers, Ron -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
