Bug #1267

Allow adding certificates to trusted list

Added by Anonymous over 4 years ago. Updated about 4 years ago.

Status:ClosedStart date:05/07/2013
Priority:NormalDue date:
Assignee:-% Done:

0%

Category:-
Target version:v12 - March Mantra
Component:

Description

I have an XMPP server with a self-signed certificate. Currently (10-rc6 from F-Droid), my options are to not connect, or to not validated certificates. I understand in 0.11, I will be able to pin the certificate. I would prefer to be able to add my local CA certificate to the store used by gibberbot, or to have gibberbot use the system trusted store (/system/etc/security/cacerts.bks).

Why doesn't gibberbot use the system list? I've already replaced my list with the Guardian Project provided list, and injected my own local CA.

History

#1 Updated by n8fr8 over 4 years ago

  • Target version set to v12 - March Mantra

v11 (0.0.11-RC5) supports a pop-up dialog that allows you to "Yes/No/Always" trust any cert based on fingerprint.

You should switch to using our F-Droid repo instead of the default F-Droid one b/c they are a whole version behind:
https://guardianproject.info/2012/03/15/our-new-f-droid-app-repository/

We use our own set of cacerts that include things like CACert.org by default, and don't include known p0wn3e root CA Certs. We build it from the latest list of Debian approved Root CA's as well.

#2 Updated by ManoftheSea over 4 years ago

I'm digging for more information from you. I have updated to v11, though... Now I have the issue that even with "Cert validation" turned off, it gives me the pop-up for certificate pinning.
I do not want to pin the certificate, particularly not while I am unable to un-pin it. I want to use my (device-owner) trusted list, which happens to match yours for the most part. Is there a reason you don't trust the device master list? From an ideological standpoint, it seems it would be better to use the system list and point users at instructions for how to replace /system/etc/security/cacerts.bks with your better list. That way, all applications are protected from bad actors, and enterprise users can use their local CAs.

Otherwise, will you explain where on the system the Gibberbot *.bks is?

#3 Updated by n8fr8 over 4 years ago

  • Status changed from New to Resolved

We are no longer using a Gibberbot specific certificate list. We will either present a dialog for one-time verification, and/or have a few known popular services pinned.

We don't trust the system certs because many of our users are using the device in countries where the State run network operator is not to be trusted, but also may be part of the built-in CA Certs on the device.

#4 Updated by n8fr8 about 4 years ago

  • Status changed from Resolved to Closed

Also available in: Atom PDF