During GUADEC, I of course wanted to use my N900. But since the PR1.2 update, the Jabber client wouldn’t connect to the server anymore, because OpenSSL doesn’t honor imported CAs. So the only option to make it connect is to ignore SSL errors. But as I’m naturally paranoid, I didn’t dare to connect… It’s a nerdy conference with a lot of hackers after all.
Fortunately, I had all those nice Collaborans next to me and I could ask loads of (stupid?) questions. Turns out that the Jabber client (telepathy-gabble) on the N900 is a bit old and uses loudmouth and not wocky.
So I brought my SDK back to life (jeez, it’s very inconvenient to do stuff with that scratchbox setup 🙁 ) and I was surprised that apt-get source libloudmouth1-0 was sufficient to get the code. And apt-get build-dep libloudmouth1-0 && dpkg-buildpackage -rfakeroot built the package. Almost easy (I had to fix loads of dependency issues, but it then worked out).
As neither I nor the Collaborans knew how to integrate with the Certificate Manager, I just wanted to make OpenSSL aware of the root CA which I intended to drop somewhere in ~/.certs or so.
After a couple of busy conference days I found out that code which implements the desired functionality already exists but was commented out. So I adapted that and now loudmouth imports certificates from /home/user/.config/telepathy/trusted-cas.pem or /home/user/.config/telepathy/certs /home/user/.maemosec-certs/ssl-ca before it connects. The former is just a file with all root CAs being PEM encoded. The latter is a directory where you have to put PEM or DER encoded certs into and then run c_rehash . in it the certificate manager puts the certificates in after you’ve imported it. Because just loading any .pem or .der file would have been too easy to work with. It was hard for me to understand OpenSSL’s API. This article helped me a bit though, so you might find it useful, too.
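An added example, not code from this post or from loudmouth: Python's ssl module wraps the same OpenSSL call (SSL_CTX_load_verify_locations) that takes one PEM bundle and one hashed directory, so it can show the two trust sources and why the directory needs c_rehash-style names. The function names are hypothetical; the paths are the ones named above and the default arguments are only assumptions about where they live.

```python
import os
import re
import ssl

# Paths named in the post; pass other locations as arguments if needed.
CA_FILE = "/home/user/.config/telepathy/trusted-cas.pem"
CA_DIR = "/home/user/.maemosec-certs/ssl-ca"

# OpenSSL looks a CA up in a directory by opening <subject hash>.<n>,
# e.g. 9d66eef0.0. c_rehash creates those names; a file that is only
# called my-root.pem is never opened during verification.
HASHED_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")


def hashed_entries(ca_dir):
    """Return the entries in ca_dir that a CApath lookup can find."""
    if not os.path.isdir(ca_dir):
        return []
    return sorted(n for n in os.listdir(ca_dir) if HASHED_NAME.match(n))


def build_context(ca_file=CA_FILE, ca_dir=CA_DIR):
    """Client context that trusts the extra roots and still verifies.

    If neither source is usable this raises instead of falling back to
    "ignore SSL errors", so a missing CA never silently disables checks.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    use_file = ca_file if os.path.isfile(ca_file) else None
    use_dir = ca_dir if hashed_entries(ca_dir) else None
    if use_file is None and use_dir is None:
        raise FileNotFoundError("no usable CA file or hashed CA directory")
    # cafile is parsed immediately; capath is only registered here and its
    # files are read later, on demand, while a peer chain is being verified.
    ctx.load_verify_locations(cafile=use_file, capath=use_dir)
    return ctx


if __name__ == "__main__":
    print("hashed CA entries:", hashed_entries(CA_DIR))
    try:
        ctx = build_context()
        print("verify_mode:", ctx.verify_mode, "check_hostname:", ctx.check_hostname)
    except FileNotFoundError as exc:
        print("refusing to build a context:", exc)
```

Because directory entries are read lazily, a certificate with the wrong file name shows up only as a verification failure at connect time, not as an error when the context is built.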
So if you want your jabber client on the N900 to connect to an SSL/TLS secured server that uses a root CA that is not in the built-in certificate store, grab the .deb here. You can, of course, get the source as well.
Turns out that there is a workaround mentioned in bug 9355, hence you might consider it to be easier to modify system files yourself instead of letting the package manager do it.
Bottom line being that it’s wonderful to be allowed to study the code. It’s wonderful to be allowed to fix stuff. And it’s wonderful to be allowed to redistribute the software. Even with my own modifications. And that it will be that way for the lifetime of that piece of software. I do love Free Software.