#824 Green Servers

unspecified
invalid
nobody
Mumble (544)
unspecified
5
2013-12-16
2011-09-02
ozon
No

Mumble shows the server as untrustworthy to me when I use my CAcert certificate (no green line behind the server name). But if I use the self-generated certificate of Mumble, the server is trustworthy (green line on server name/root). Look at the attached image - both clients run on the same machine and are connected to the same server.

Why does the validity of the server certificate depend on the client certificate?

Discussion

  • ozon
    2011-09-02

    screenshot

  • fwaggle
    2011-09-02

    Is CACert's root cert in your OS's certificate store, or just your browser's?

    To be clear, when you change your cert you're talking about the client cert right? It's most likely because OpenSSL, as part of the specs, has to validate its own certificate too (the server has this problem occasionally when it's speaking TLS to the registration server) - every part of the transaction has to check out.

    That wasn't how it was for a while in OpenSSL - they violated the specs, so they "fixed" it, which caused us no shortage of grief, and I suspect is what's behind your issues as well.

    If you only have CACert's root certificate in your browser, and not in the OS itself (I believe Mumble will use the OS's certificate store) then that's probably why.

    HTH

  • ozon
    2011-09-02

    Yes, I mean the client side.

    My mistake. I have imported the root certs/keys from CAcert into the OS certificate store and now the server is "green".

    I had forgotten that only some Linux distributions ship the CAcert root certificates.

    But from a user perspective it is very confusing. Most Mumble users are not interested in certificate stuff, and it is not really useful to them. Especially in the consumer sector, certificates are unwieldy and are not checked by users.

    Whatever. The problem is solved, and it lay with me. Thank you for your remarks.

  • ozon
    2011-09-02

    Another thought. So can we say that the server certificate in Mumble is only trusted (green) when the client certificate is valid?

  • fwaggle
    2011-09-02

    Yeah - it's not Mumble's doing, it's an SSL thing - apparently you violate the specs if you don't verify the entire transaction is valid (which includes the client's certificates, if present).

    It caused us all manner of grief when they made that change, because OpenSSL/QSslSocket don't report anything more useful than "Certificate could not be verified", so we spent ages trying to work out why the server's cert was coming up no good, when it was actually the client's cert causing the failure. The auto-generated certs are self-signed, and I believe things are set up so that the self-signed certs are loaded in as an authority, so that's why they don't break.

    It's not the greatest from a usability standpoint, but I don't know if there's an easy way to fix it or not.

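The behaviour fwaggle describes, reproduced with openssl(1) as an added example (not code from the Mumble project or from this thread): a self-signed certificate verifies once it sits in the trust store as its own anchor, while a CA-issued certificate fails until its root is in the store. The CA name, file names and the simulated "OS store" are constructed assumptions, and the script assumes OpenSSL 1.1 or later.

```shell
#!/bin/sh
# Added example, not from the Mumble tracker: reproduces the trust-store behaviour
# discussed above with openssl(1). Throwaway keys go in a temp dir; all names
# ("demo-ca", "client", "mumble-selfsigned") are constructed. Assumes OpenSSL >= 1.1.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# A self-signed certificate, like the one Mumble generates for a new client.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=mumble-selfsigned" \
    -keyout "$WORK/self.key" -out "$WORK/self.pem" 2>/dev/null
}

# A private CA standing in for the CAcert root, plus a client certificate it issued.
make_ca_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=demo-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=client" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -out "$WORK/client.pem" 2>/dev/null
}

# Validate $2 against the trust store $1 only (-no-CApath keeps the system store
# out of it, so the result reflects exactly what is in $1). Echoes OK or FAIL.
verify_against() {
  if openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

make_self_signed
make_ca_signed

# 1. The self-signed cert is its own trust anchor: loaded into the store, it verifies.
echo "self-signed, self in store:   $(verify_against "$WORK/self.pem" "$WORK/self.pem")"
# 2. A store that lacks the issuing root (simulated by a store holding only the
#    self-signed cert) rejects the CA-issued client cert: the "untrusted" case.
echo "CA-issued, root not in store: $(verify_against "$WORK/self.pem" "$WORK/client.pem")"
# 3. Once the root is in the store, the same client cert verifies: the "green" case.
echo "CA-issued, root in store:     $(verify_against "$WORK/ca.pem" "$WORK/client.pem")"
```

Run `openssl verify` without the redirects to see the actual reason string for case 2, which is the detail that QSslSocket's generic "could not be verified" hides.
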
  • Kissaki
    2013-12-16

    • status: pending --> invalid
    • Version: --> unspecified
    • Targeted Release: --> unspecified