[jitsi-dev] Feature request: save server certificates


#1

Hi guys,

I am not a Java programmer, so I thought I would ask if someone would
like to implement a feature in Jitsi:

saving/comparing server SSL certificates.

Some of the servers I am using (e.g. jabber.ccc.de) use their own CA for
their server certificates.
As I have not incorporated their certificate (which would mean full
trust for everything they would sign),
every time I connect to the server, I get the "verify certificate" popup.

It would be nice to have an "accept always" choice, and only get
informed if the accepted (and saved) certificate changes.

And this feature (optionally) could also give a warning where the
certificate changes when it's from a "trusted" CA would be nice for some
paranoid users I guess.

Thanks!

Greets,
vh


#2

Hey,

when you see the certificate warning you can then click "Show certificate"
and then there is an option "Always trust this certificate".
Hope this helps.

Cheers
damencho

On Tue, Jun 25, 2013 at 12:14 PM, van Hauser <vh@thc.org> wrote:

> Hi guys,
>
> I am not a Java programmer, so I thought I would ask if someone would
> like to implement a feature in Jitsi:
>
> saving/comparing server SSL certificates.
>
> Some of the servers I am using (e.g. jabber.ccc.de) use their own CA for
> their server certificates.
> As I have not incorporated their certificate (which would mean full
> trust for everything they would sign),
> every time I connect to the server, I get the "verify certificate" popup.
>
> It would be nice to have an "accept always" choice, and only get
> informed if the accepted (and saved) certificate changes.
>
> And this feature (optionally) could also give a warning where the
> certificate changes when it's from a "trusted" CA would be nice for some
> paranoid users I guess.
>
> Thanks!
>
> Greets,
> vh

_______________________________________________
dev mailing list
dev@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/dev


#3

Hi,

so, the feature is already there, however a bit hidden :)
thanks for pointing this out!

Still, a configurable feature which saves the certificate even if from a
trusted CA, and reports on changes might be an interesting feature for
some.

Thanks for making Jitsi a great client!

Greets,
vh

On 25.06.2013 11:22, Damian Minkov wrote:

> Hey,
>
> when you see the certificate warning you can then click "Show
> certificate" and then there is an option "Always trust this certificate".
> Hope this helps.
>
> Cheers
> damencho



#4

> so, the feature is already there, however a bit hidden :)
> thanks for pointing this out!

What's the point of permanently acknowledging a certificate if you haven't
inspected it before?

> Still, a configurable feature which saves the certificate even if from a
> trusted CA, and reports on changes might be an interesting feature for
> some.

Yes, you can open a feature request in our issue tracker for this. However I
won't be able to work on that anytime soon.

> Thanks for making Jitsi a great client!

Thanks for the kind words!

> Greets,
> vh

Ingo


#5

Wait a sec. I don't understand the feature request. We already save the
cert when the user requires it and we already report on changes. Could you
please expand on exactly what is being asked here?

On Jun 25, 2013 1:36 PM, "Ingo Bauersachs" <ingo@jitsi.org> wrote:

> > Still, a configurable feature which saves the certificate even if from
> > a trusted CA, and reports on changes might be an interesting
> > feature for some.
>
> Yes, you can open a feature request in our issue tracker for this.
> However I won't be able to work on that anytime soon.


#6

> > > Still, a configurable feature which saves the certificate even if from
> > > a trusted CA, and reports on changes might be an interesting
> > > feature for some.
> >
> > Yes, you can open a feature request in our issue tracker for this.
> > However I won't be able to work on that anytime soon.
>
> Wait a sec. I don't understand the feature request. We already save the
> cert when the user requires it and we already report on changes. Could you
> please expand on exactly what is being asked here?

Certificate pinning. Just like what e.g. Google does: only trusting certain
CAs/certs for a given domain - even if another CA would generally be
trusted.

Ingo
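
The save-and-compare behaviour discussed in this thread (remember a server certificate once it has been accepted, report any later change, optionally also for CA-trusted certificates), sketched as an added example; it is not part of the original thread and not Jitsi's code. `PinStore`, `PinResult`, the helper names and the certificate bytes are constructed for illustration.

```python
import hashlib
from enum import Enum

# Constructed stand-ins for DER-encoded certificates (not real certificates).
CERT_A = b"constructed-der-bytes-of-original-server-cert"
CERT_B = b"constructed-der-bytes-of-replacement-server-cert"


class PinResult(Enum):
    CA_TRUSTED = "ca_trusted"  # no pin stored, CA validation alone decides
    FIRST_SEEN = "first_seen"  # no pin stored: show the cert, then accept()
    MATCH = "match"            # same certificate as the stored pin
    CHANGED = "changed"        # differs from the stored pin: warn the user


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as hex."""
    return hashlib.sha256(der_cert).hexdigest()


def normalize(host: str) -> str:
    """Compare host names case-insensitively and without a trailing dot."""
    return host.lower().rstrip(".")


class PinStore:
    """Hypothetical per-host pin store; a real client would persist `pins`."""

    def __init__(self, pin_ca_trusted: bool = False):
        # True = the optional mode from the thread: certificates that chain
        # to a trusted CA are remembered and compared as well.
        self.pin_ca_trusted = pin_ca_trusted
        self.pins = {}

    def check(self, host: str, der_cert: bytes, ca_trusted: bool) -> PinResult:
        pinned = self.pins.get(normalize(host))
        if pinned is None:
            if ca_trusted and not self.pin_ca_trusted:
                return PinResult.CA_TRUSTED
            return PinResult.FIRST_SEEN
        # A stored pin decides the outcome, whatever the CA check says.
        if pinned == fingerprint(der_cert):
            return PinResult.MATCH
        return PinResult.CHANGED

    def accept(self, host: str, der_cert: bytes) -> None:
        """Store the pin; call only after the certificate was approved."""
        self.pins[normalize(host)] = fingerprint(der_cert)
```
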
