SSL Certificates (QCA1)

From PsiWiki


Contents

[edit]

Background

Psi, up to and including v0.10, uses a cryptographic library called QCA1. Among other things, this library is used when connecting to a Jabber server over an SSL encrypted link. This works fine when the Jabber server has a certificate which was published by one of the "popular" root CAs(Certificate Authorities) that your Operating System already "trusts". However in most cases (see CACert for an exception) this costs money. Also it may not make sense to bother purchasing a certificate that has been signed by root CA if your server will not be accessed by anyone outside of your company's LAN.

[edit]

The Problem

In theory, a smart hacker could create their own certificate, pretend it belongs to your bank, then spy on your internet connction and find out your password. When you use Psi to connect to a server that has what is called a "self-signed" certificate, Psi will popup a warning to this effect. This is intentional and important. It tells you that you may not wish to trust the encryption to this server, as no third-party has independently verified that this certificate belongs to this person or company. In a situation where you are connecting to a Jabber server that your company has setup for the employees to use, this error message is misleading and confusing to the end users.

[edit]

The rootcert.xml File

The rootcert.xml file can be in a subfolder called certs in one of two places:

  1. In the Psi program folder (e.g. /usr/share/psi/certs or c:\program files\psi\certs)
  2. In your $psidata/certs folder (e.g. ~/.psi/certs or c:\documents and settings\hal\psidata\certs)

Psi ships with a rootcert.xml file that contains a default list of trusted certificates. This list of trusted root CAs is the same that Microsoft uses for Windows XP.

The format is simple, there is one <store> element in each file, with any number of <certificate> child elements. In each certificate, there is a <data> tag to contain the certificate data. 

 <store>
   <certificate>
     <data>Lots of nice data here</data>
   </certificate>
   <certificate>
     <data>Data of another cert</data>
   </certificate>
   ...
 </store>

The data is DER+Base64 format, which is basically PEM but without the header, footer, or newlines.

[edit]

Manual Process

  1. acquire openssl executable (for Windows look here)
  2. openssl s_client -connect server:5223
  3. cut & paste text between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- into <data> tag
  4. remove newlines within <data> tag (in fact newlines can stay. Make sure that no spaces exists

inside <data>MII...TDNqA==</data>, but newlines are okay. At least with Psi 0.10)


TODO:

  • Need to refer to the add_psi_cert.sh bash script and explain how to use it.
  • Would be nice if we had a cross platform tool for this.
Retrieved from "http://psi-im.org/wiki/SSL_Certificates_%28QCA1%29"