blizzard4591 / openMittsu

An open source implementation and desktop client of the Threema Messenger App.

Unable to add contacts (SSL handshake error) #55

Open PKizzle opened 4 years ago

PKizzle commented 4 years ago

I am running openMittsu (compiled from master branch using Homebrew) on macOS 10.15.3. Sadly, it is not possible to add any contacts because of an SSL handshake error, seen in the attached picture. I downloaded all required certificates for Threema, but I still receive this error message.

blizzard4591 commented 4 years ago

First off: The homebrew stuff works? Since I do not have access to a Mac, I "did some stuff" but never got any detailed feedback on whether it worked - I am surprised to say the least ;)

I just compiled the latest version from scratch and tried adding a contact - for me it works. I checked all the certificates, they did not roll over recently and the CA is still the same. So - curious, I do not know what the problem is here. Stupid question: Could you try again (now that some time has passed)? Maybe it was an intermittent or spurious issue.

Waaaait. In the screenshot it says "IDENTITY" where the ID of your contact should be. Was this intentional or just for demonstration? The more interesting part is that even with "IDENTITY" I get a different error message, the server correctly states that this ID does not exist.

For this process, openMittsu relies on OpenSSL; maybe there is an issue in this direction.

PKizzle commented 4 years ago

The homebrew stuff needs some adjustments to make it work ;)

I changed the ID to IDENTITY for demonstration purposes, so that I didn't have to give the web personal information about who my contacts are. This does not change the error message in any way.

Now to the SSL error: Apple has made its certificate policies more strict with macOS Catalina. Therefore, all connections from iOS 13 or macOS 10.15 devices will throw an error message when trying to connect to api.threema.ch. I reached out to Threema support to explain the issue to them. They'll have to change the certificate that they are currently using.

For the time being, macOS Catalina users can add the api.threema.ch certificate to the keychain and manually trust it.

blizzard4591 commented 4 years ago

Did you receive any feedback? I would like to fix this issue, but I currently have no idea how to.

Additionally, the adjustments you made to homebrew - could you give me a summary of what you did?

PKizzle commented 4 years ago

I received a reply that macOS is currently an unsupported platform and that they cannot offer me any support. However, since this issue is related to the server certificate of https://api.threema.ch (and not macOS), I replied by further explaining the issue and am now waiting for a response.

If I find the time I'll create a list of necessary adjustments to successfully compile the project with homebrew.

davidfoerster commented 1 month ago

The same issue occurs on Arch Linux with OpenSSL 3.3.2. I'm still trying to add the server certificate to the trust store in a way that convinces openMittsu to trust api.threema.ch.
