Psi Jabber Client


FS#111 - Add always accept this certificate option

Attached to Project: Psi Jabber Client
Opened by Hal Rottenberg (halr9000) - Tuesday, 29 July 2003, 11:14 GMT-4
Last edited by Kevin Smith (kev) - Tuesday, 30 October 2007, 08:56 GMT-4
Task Type TODO
Category Account Setup
Status New
Assigned To No-one
Operating System All
Severity High
Priority Nice to Have
Reported Version 0.9
Due in Version Undecided
Due Date Undecided
Percent Complete 0%
Votes 1
Private No

Details

http://psi.affinix.com/forums/index.php?act=ST&f=4&t=765

Every time you connect to a jabber-server using SSL, and that server has a self-signed certificate, you have to click "accept." I think it should have an "Always accept this certificate" checkbox.

Comment by Nolan Eakins (sneakin) - Saturday, 16 October 2004, 04:15 GMT-4
Accounts already have an "Ignore SSL warnings" option. A checkbox only needs to be added to the message box that stores its value in the account's already existing variable.
Comment by Mariusz S (marian) - Tuesday, 02 November 2004, 14:56 GMT-4
From RFC 3920#14.2. Certificate Validation

"Case #3: The peer certificate is self-signed."
....
"2. The peer SHOULD show the certificate to a user for approval,
including the entire certificate chain. The peer MUST cache the
certificate (or some non-forgeable representation such as a
hash). In future connections, the peer MUST verify that the same
certificate was presented and MUST notify the user if it has
changed.
In Case #2 and Case #3, implementations SHOULD act as in (2) above."

This should be done, like cert in Psi, new must be accepted and is cached.
Comment by duryodhan (duryodhan) - Thursday, 19 April 2007, 02:17 GMT-4
IMHO,
Ignore SSL warning will ignore all SSL warnings. Whereas with accept this certificate should mean that the present cert must be saved to ~/certs. So if next time the cert changes then it will again give an error. I don't think Ignore all SSL warnings is what halr9000 was looking for when he added this.
Comment by Hal Rottenberg (halr9000) - Thursday, 19 April 2007, 08:20 GMT-4
Yup, that's the idea.
Comment by Jesse Thompson (zjt) - Wednesday, 30 January 2008, 09:00 GMT-4
Is there a documented manual way for users to import the certificate?
Comment by Jesse Thompson (zjt) - Tuesday, 12 February 2008, 10:15 GMT-4
There also needs to be a way for a user to be asked if Psi should trust a CA-signed certificate that does not match the domain. iChat and Adium do this well.

Telling the client to ignore all SSL warnings increases the risk of MITM attacks, so it's a very poor solution to the problem.
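
The behaviour requested in the comments above (cache the certificate the user approved, compare it on later connections, and warn when it changes, instead of ignoring all SSL warnings) can be sketched as follows. This is an added example, not Psi code: `PinStore`, `Verdict`, the JSON pin file and the host name are assumptions, and constructed byte strings stand in for DER certificates.

```python
import hashlib
import json
import os
import tempfile
from enum import Enum

class Verdict(Enum):
    FIRST_SEEN = "first_seen"  # no pin yet: show the certificate and ask the user
    MATCH = "match"            # same certificate the user approved earlier
    CHANGED = "changed"        # different certificate: the user must be notified

class PinStore:
    """Per-server cache of approved certificate fingerprints (hypothetical helper)."""

    def __init__(self, path):
        self.path = path
        self.pins = {}
        if os.path.exists(path):
            with open(path, encoding="utf-8") as fh:
                self.pins = json.load(fh)

    @staticmethod
    def fingerprint(der_cert):
        # A SHA-256 hash of the DER bytes serves as the cached representation.
        return hashlib.sha256(der_cert).hexdigest()

    def check(self, host, der_cert):
        pinned = self.pins.get(host.lower())
        if pinned is None:
            return Verdict.FIRST_SEEN
        return Verdict.MATCH if pinned == self.fingerprint(der_cert) else Verdict.CHANGED

    def accept(self, host, der_cert):
        # Call only after the user has explicitly approved this certificate.
        self.pins[host.lower()] = self.fingerprint(der_cert)
        tmp = self.path + ".tmp"
        with open(tmp, "w", encoding="utf-8") as fh:
            json.dump(self.pins, fh)
        os.replace(tmp, self.path)  # atomic swap so a crash cannot truncate the store

def demo():
    # Constructed sample data, not real certificates.
    host, original, swapped = "jabber.example.org", b"constructed-cert-A", b"constructed-cert-B"
    store = PinStore(os.path.join(tempfile.mkdtemp(), "pins.json"))
    first = store.check(host, original)
    store.accept(host, original)
    reloaded = PinStore(store.path)  # simulates the next client start
    return [first, reloaded.check(host, original), reloaded.check(host, swapped)]
```

Unlike an "ignore all warnings" switch, a `CHANGED` verdict here still surfaces to the user, so a substituted certificate on a later connection is not silently accepted.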
