BelledonneCommunications / linphone-android

Linphone.org mirror for linphone-android (https://gitlab.linphone.org/BC/public/linphone-android)
https://linphone.org
GNU General Public License v3.0

Linphone does not offer acceptance of unknown TLS certificate (Bounty) #947

Open kobaz opened 4 years ago

kobaz commented 4 years ago

Similar to https://github.com/BelledonneCommunications/linphone-desktop/issues/323 but for Android!

Will pay a reasonable bounty to fix:

SIP Server utilizes self-signed certificate or other 'unrecognized certificate' like LetsEncrypt
Linphone attempts TLS connection to server
Linphone fails to register

Bounty payable when this is available in the downloadable app via Google Play Store

Expected Behavior:
1- Warn user about unrecognized certificate
2- User is able to accept and trust certificate and connect
3- Warn user if remote certificate changes in the future, and proceed to step 1

Bonus: Ability to include trusted certificates in remote provision xml file

Viish commented 4 years ago

Hi, If this is something you really need, you can contact our sales department (sales@belledonne-communications.com) and we'll send you a quotation. Cheers,

sercangoger commented 2 years ago

@Viish hello, can you contact me via this e-mail? I have a problem with TLS, but no one responds to the issues on the Flexisip side. Can you help? sercan.goger@gmail.com

Viish commented 2 years ago

Hi @sercan447, sorry but I don't do direct email support. If you can't wait for someone to take a look at the issues on GitHub, you can contact our company for a quotation for a support or a dev-assist contract.

mwarning commented 1 year ago

Hi, I have implemented such stuff here for a different App: https://github.com/mwarning/trigger/blob/master/app/src/main/kotlin/app/trigger/https/HttpsRequestHandler.kt#L48

There are settings to

Take what you need. The licenses are compatible anyway.

intellasoft commented 1 year ago

Oh wow. Spectacular.

This would be great to create a PR for. Linphone mainline is definitely lacking this sort of thing.

waleedtalha commented 9 months ago

You can just add this check, verify_server_certs = 0, in the linphonerc_default file that will be in the assets of the linphone project. This check will disable the certificate verification on the client side and then TLS will be configured. Now the certificate verification will only be on the server side.

kobaz commented 8 months ago

The problem with this is now you're completely ignoring any kind of verification. And if the server certificate changes suddenly, the client will have no idea.

Ad-hoc per-certificate allow is the preferred method across the board. (Web browsers do this)
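The accept-once, warn-on-change behaviour requested in this issue, as opposed to switching verification off with verify_server_certs = 0, shown as an added Python example. It is not Linphone code and not from any commenter; `PinStore`, `may_connect` and the `ask_user` callback are hypothetical names, and the DER certificate bytes are assumed to come from the TLS handshake.

```python
import hashlib
import json
from pathlib import Path


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, hex encoded."""
    return hashlib.sha256(der_cert).hexdigest()


class PinStore:
    """Per-server certificate pins persisted as JSON (hypothetical helper)."""

    def __init__(self, path):
        self.path = Path(path)
        self.pins = json.loads(self.path.read_text()) if self.path.exists() else {}

    def check(self, server: str, der_cert: bytes) -> str:
        """Return 'unknown' (never accepted), 'trusted' or 'changed'."""
        pinned = self.pins.get(server)
        if pinned is None:
            return "unknown"
        return "trusted" if pinned == fingerprint(der_cert) else "changed"

    def accept(self, server: str, der_cert: bytes) -> None:
        """Record the pin; call only after the user confirmed the fingerprint."""
        self.pins[server] = fingerprint(der_cert)
        self.path.write_text(json.dumps(self.pins, indent=2))


def may_connect(store: PinStore, server: str, der_cert: bytes, ask_user) -> bool:
    """Decide whether a TLS session presenting der_cert may proceed.

    ask_user(server, status, fingerprint) -> bool is the UI prompt (assumed).
    It runs for an unknown certificate and again whenever the pinned
    certificate changes, so a silent swap never goes unnoticed.
    """
    status = store.check(server, der_cert)
    if status == "trusted":
        return True
    if ask_user(server, status, fingerprint(der_cert)):
        store.accept(server, der_cert)
        return True
    return False
```
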

fhsiao commented 1 day ago

> You can just add this check verify_server_certs = 0 in linphonerc_default file that will be in assets of linphone project. This check will disable the certificate verification on client side and then TLS will be configured. Now the certificate verification will only be on server side.

Is it expected to work for the Android version of Linphone installed from the Play Store by providing a remote configuration file named linephonerc_default, such as http://192.168.1.2/linphonerc_default? It does not work for me at this point. Maybe something else needs to be provided, such as HTTPS with a bundle cert that Linphone accepts, or a different file name?

Thank you!!