-
fjklp
I'm suspecting my new bug report is a gtk issue
-
cal0pteryx
Yes, me too. But maybe there is a workaround. I'll try that later
-
bjoern
Hi all, I asked over the weekend already on Mastodon, you (the Gajim account) recommended to ask here as well. I have my XMPP server managed by conversations.im. In order to verify the SSL certificates I use "PKIX over Secure HTTP (POSH)". This is the easiest way because I don't have to care about certificate renewal. Unfortunately POSH was dropped with the last rework of Gajim's network code. Are there any plans to bring it back? Do you have a short term solution how I could connect to my XMPP server with Gajim? When I set up the account Gajim asks me if I want to trust the "insecure" certificate. But even if I accept, Gajim still doesn't want to connect to my server and continues to show certificate errors.
-
bjoern
My Gajim version is 1.7.3 from Fedora
-
lovetox
Record a debug log so we can see what's the problem
-
bodqhrohro
> Гаджимурад
I didn't even know there is such a name. Can be interpreted as "glad for Gajim".
-
bjoern
> Record a debug log so we can see what's the problem
This is the debug log: https://wolke.schiessle.org/s/8f7r5DQ4nk76LTG (schiessle.org is the account with the problems)
-
bjoern
lovetox, should I open a ticket in the issue tracker or does it make more sense to keep it in the chat?
-
lovetox
I look at it in the evening
-
lovetox
Enough here for now
-
affrip
How do I hide my ip from glowies using gajim
-
amogus
turn off your internet
-
lovetox
bjoern, hm, it prints an additional generic error, in addition to the unknown CA which Gajim can ignore
-
lovetox
I guess you are on Linux; could you run Gajim with the GNUTLS_DEBUG_LEVEL=5 env var
-
lovetox
and send again the debug log?
-
lovetox
would be great if you could disable the other account for a moment
-
bjoern
lovetox, I will do so... Give me a few minutes
-
affrip
amogus, good idea, however I need the internet to work on my fork of TempleOS
-
lovetox
bjoern, you can also send me the log in private
-
bjoern
lovetox, I added the log files here: https://wolke.schiessle.org/s/jcrDDj2GDSeqzWw (19022024-220405-debug-2.log is the new log from gajim, commandline.log contains the output on the terminal after starting gajim)
-
bjoern
too late, but there shouldn't be any secrets
-
affrip
lovetox can you make it look just like muh heckin' discord
-
lovetox
gnutls[1]: Got OCSP response with an unrelated certificate.
-
lovetox
bjoern, you can delete the logs
-
affrip
uh oh bjoern, the glowies are MITMing you
-
lovetox
it's this OCSP stapling issue in GnuTLS we were not able to track down yet
-
lovetox
the only solution we found is disabling ocsp stapling on your webserver
-
affrip
is OCSP stapling the same as HSTS?
-
lovetox
no idea, type it into a search machine
-
affrip
I changed my profile pic and it didn't change in this room
-
affrip
I'll try logging in again
-
bjoern
I only control the webserver which serves my webpage (well, it is a shared hoster, so also no root access). The XMPP server is maintained by conversations.im and the certificates of the XMPP server are of course from conversations.im and not from schiessle.org
-
affrip
do you see me with no profile picture or?
-
lovetox
bjoern, it's not a problem of the XMPP server or the cert, I think
-
lovetox
it's your webserver, the cert is for schiessle.org
-
lovetox
and OCSP stapling works by querying this domain, and it leads to your webserver
-
lovetox
GnuTLS does not like the response, which is probably not your webserver's fault, but it's an open problem in GnuTLS
-
lovetox
https://gitlab.com/gnutls/gnutls/-/issues/1372 for example
-
lovetox
if you didn't enable OCSP stapling on your webserver for a specific reason, then disabling it is probably the easiest solution
-
lovetox
or let's say the only one, because nothing else comes to mind what we can do apart from fixing the bug in GnuTLS
-
bjoern
I can try, but not sure if my shared hoster (uberspace.de) allows me to do so. The other solution, as I understand it, is if Gajim would add support for POSH again. Conversations, which supports POSH, can connect to the XMPP server just fine
-
lovetox
Conversations does not use GnuTLS
-
lovetox
I bet many clients can connect to your server just fine (with ignoring the unknown CA)
-
lovetox
POSH just solves the unknown CA
-
lovetox
it's basically: I receive the cert from the XMPP server and when it throws unknown CA, I query the POSH URL and compare a fingerprint
-
lovetox
then I know this is a correct cert for your domain, but checking the CA is just one verifying step, GnuTLS also verifies OCSP stapling
-
lovetox
and then it will fail
-
lovetox
POSH allows you to not see the warning dialog and manually trust the cert
-
lovetox
I'm not against implementing this again, but it will not solve this problem here
-
bjoern
Thanks for explaining. I assume that all Linux clients will use GnuTLS. I already tried Dino which also fails to connect. Unfortunately I couldn't find a way to disable OCSP so far on uberspace. But I will continue to search for an option
-
lovetox
I mean, depending on how desperate you are, if you are the only user with Gajim on your server, I could point you to the code line where you can ignore the cert error
-
lovetox
as Gajim is python, you can easily change it
-
bjoern
This would be at least a quick fix for now :-)
-
lovetox
what nbxmpp version do you have installed?
-
bjoern
version 4.3.1
-
lovetox
search the file gajim/common/client.py
-
lovetox
``` --- a/gajim/common/client.py +++ b/gajim/common/client.py @@ -165,6 +165,7 @@ def _create_client(self) -> None: self._client.set_username(self._user) self._client.set_resource(get_resource(self._account)) self._client.set_http_session(create_http_session()) + self._client.set_ignore_tls_errors(True) self._client.subscribe('resume-failed', self._on_resume_failed) self._client.subscribe('resume-successful', self._on_resume_successful) ```
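Review bot: the added `self._client.set_ignore_tls_errors(True)` in `_create_client` is unconditional, so it switches off TLS certificate error handling for every account this Gajim instance creates a client for, not only the one hitting the GnuTLS OCSP-stapling error, and it also hides the unknown-CA failure that POSH would otherwise have covered. If this is kept beyond a quick local workaround, gate it on `self._account` (or a per-account setting) so the other accounts keep full verification, and leave a comment referencing the GnuTLS issue so the line is removed once that bug is fixed.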
-
lovetox
around line 168
-
bjoern
lovetox, works. I could connect to the XMPP server! Thanks a lot!
-
lovetox
👍️